fix(http): stricter validation in chunked encoding parser (#25159)

## Summary
- Adds stricter validation for chunk boundaries in the HTTP chunked
transfer encoding parser
- Ensures conformance with RFC 9112 requirements for chunk formatting
- Adds additional test coverage for chunked encoding edge cases

## Test plan
- Added new tests in `test/js/bun/http/request-smuggling.test.ts`
- All existing HTTP tests pass
- `bun bd test test/js/bun/http/request-smuggling.test.ts` passes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Bot <claude-bot@bun.sh>
Co-authored-by: Claude <noreply@anthropic.com>

packages/bun-uws/src/ChunkedEncoding.h

@@ -213,6 +213,16 @@ namespace uWS {
                     emitSoon = std::string_view(data.data(), chunkSize(state) - 2);
                     shouldEmit = true;
                 }
+                // Validate that the chunk terminator is \r\n to prevent request smuggling
+                // The last 2 bytes of the chunk must be exactly \r\n
+                // Note: chunkSize always includes +2 for the terminator (added in consumeHexNumber),
+                // and chunks with size 0 (chunkSize == 2) are handled earlier at line 190.
+                // Therefore chunkSize >= 3 here, so no underflow is possible.
+                size_t terminatorOffset = chunkSize(state) - 2;
+                if (data[terminatorOffset] != '\r' || data[terminatorOffset + 1] != '\n') {
+                    state = STATE_IS_ERROR;
+                    return std::nullopt;
+                }
                 data.remove_prefix(chunkSize(state));
                 state = STATE_IS_CHUNKED;
                 if (shouldEmit) {