Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(std/http): Add Cookie value validation #8471

Merged
merged 9 commits into from
Dec 1, 2020
Merged

feat(std/http): Add Cookie value validation #8471

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
df57a4f
feat(std/http): Add cookie value validation
getspooky Nov 23, 2020
7cdd28a
test(std/http): Testing cookie value validation
getspooky Nov 23, 2020
35d5068
Merge remote-tracking branch 'upstream/master' into cookie-value-vali…
getspooky Nov 23, 2020
3e049a3
fix(std/http): Linting & fromating cookie file
getspooky Nov 23, 2020
69a56c7
Merge branch 'master' into cookie-value-validation
bartlomieju Nov 28, 2020
3e8b1cb
refactor(std/http): Display cookie name in validateCookieValue
getspooky Nov 28, 2020
a17acf7
test(std/http): Check if cookie name exists
getspooky Nov 28, 2020
75f9ea9
fix(std/http): Linting & formatting cookie file
getspooky Nov 28, 2020
c7c4be3
Merge branch 'cookie-value-validation' of https://github.com/getspook…
getspooky Nov 30, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 26 additions & 0 deletions std/http/cookie.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ function toString(cookie: Cookie): string {
}
const out: string[] = [];
validateCookieName(cookie.name);
validateCookieValue(cookie.value);
out.push(`${cookie.name}=${cookie.value}`);

// Fallback for invalid Set-Cookie
Expand Down Expand Up @@ -114,6 +115,31 @@ function validatePath(path: string | null): void {
}
}

/**
*Validate Cookie Value.
* @see https://tools.ietf.org/html/rfc6265#section-4.1
* @param value Cookie value.
*/
function validateCookieValue(value: string | null): void {
if (value == null) return;
for (let i = 0; i < value.length; i++) {
const c = value.charAt(i);
if (
c < String.fromCharCode(0x21) || c == String.fromCharCode(0x22) ||
c == String.fromCharCode(0x2c) || c == String.fromCharCode(0x3b) ||
c == String.fromCharCode(0x5c) || c == String.fromCharCode(0x7f)
) {
throw new Error("RFC2616 cookie value cannot have '" + c + "'");
getspooky marked this conversation as resolved.
Show resolved Hide resolved
}
if (c > String.fromCharCode(0x80)) {
throw new Error(
"RFC2616 cookie value can only have US-ASCII chars" +
c.charCodeAt(0).toString(16),
);
}
getspooky marked this conversation as resolved.
Show resolved Hide resolved
}
}

/**
* Parse the cookies of the Server Request
* @param req An object which has a `headers` property
Expand Down
38 changes: 38 additions & 0 deletions std/http/cookie_test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,44 @@ Deno.test({
},
});

Deno.test({
name: "Cookie Value Validation",
fn(): void {
const res: Response = {};
const tokens = [
"1f\tWa",
"\t",
"1f Wa",
"1f;Wa",
'"1fWa',
"1f\\Wa",
'1f"Wa',
'"',
"1fWa\u0005",
"1f\u0091Wa",
];
res.headers = new Headers();
tokens.forEach((value) => {
assertThrows(
(): void => {
setCookie(
res,
{
name: "Space",
value,
httpOnly: true,
secure: true,
maxAge: 3,
},
);
},
Error,
"RFC2616 cookie value",
);
});
},
});

Deno.test({
name: "Cookie Path Validation",
fn(): void {
Expand Down