fix: invalid cookie parsing
qgolsteyn committed Jun 9, 2024
1 parent c1549aa commit a533e8a
Showing 2 changed files with 59 additions and 1 deletion.
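--- a/__tests__/cookies.unit.js
+++ b/__tests__/cookies.unit.js
@@ -299,6 +299,39 @@ describe('Cookie Tests:', function() {
 })
 }) // end it
 
+/**
+* There is no definitive standard on what the cookie value can contain.
+* The most restrictive definition I could find comes from Safari which only supports
+* the ASCII character set, excluding semi-colon, comma, backslash, and white space.
+*
+* The % character is also ambiguous, as it is used as part of the URL encoded scheme. For the purpose of this test, we will leave this character out.
+*
+* @see {@link https://stackoverflow.com/a/1969339 | This StackOverflow answer which provides more context regarding the cookie value}
+*/
+it('Parse cookie with the entire supported set of ASCII characters', async function() {
+let asciiCharacterSet = ' !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~';
+
+asciiCharacterSet =
+asciiCharacterSet.replaceAll(' ', '')
+.replaceAll(';', '')
+.replaceAll(',', '')
+.replaceAll('/', '')
+.replaceAll('%', '');
+
+let _event = Object.assign({},event,{
+path: '/cookieParse',
+multiValueHeaders: {
+cookie: [`test=${asciiCharacterSet}`]
+}
+})
+let result = await new Promise(r => api.run(_event,{},(e,res) => { r(res) }))
+expect(JSON.parse(result.body)).toEqual({
+cookies: {
+test: asciiCharacterSet,
+},
+})
+}) // end it
+
 it('Parse & decode two cookies', async function() {
 let _event = Object.assign({},event,{
 path: '/cookieParse',
@@ -330,6 +363,31 @@ describe('Cookie Tests:', function() {
 })
 }) // end it
 
+it('Parse & decode multiple cookies with the entire supported set of ASCII characters', async function() {
+let asciiCharacterSet = ' !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~';
+
+asciiCharacterSet =
+asciiCharacterSet.replaceAll(' ', '')
+.replaceAll(';', '')
+.replaceAll(',', '')
+.replaceAll('/', '')
+.replaceAll('%', '');
+
+let _event = Object.assign({},event,{
+path: '/cookieParse',
+multiValueHeaders: {
+cookie: [`test=${asciiCharacterSet}; test2=${asciiCharacterSet}`]
+}
+})
+let result = await new Promise(r => api.run(_event,{},(e,res) => { r(res) }))
+expect(JSON.parse(result.body)).toEqual({
+cookies: {
+test: asciiCharacterSet,
+test2: asciiCharacterSet,
+},
+})
+}) // end it
+
 }) // end parse tests
 
 describe("Clear", function() {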
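Review bot: The doc comment on the first new test lists backslash among the excluded characters, but the setup removes forward slash with `.replaceAll('/', '')` and leaves `\\` in `asciiCharacterSet`, so comment and code disagree; the second new test (hunk at -330) repeats the same filter. If backslash was intended, the filter line should read `.replaceAll('\\', '')`; if forward slash really has to be dropped, the comment should name it and say why. Both titles claim the "entire supported set" while `%` is stripped, so no test covers percent-encoded or malformed-percent values, which is exactly the input `decodeURIComponent` in lib/request.js is sensitive to. The identical character-set setup could also be hoisted into one shared constant in the enclosing `describe` instead of being duplicated.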
2 changes: 1 addition & 1 deletion lib/request.js
Expand Up @@ -163,7 +163,7 @@ class REQUEST {
this.cookies = cookies.reduce((acc, cookie) => {
cookie = cookie.trim().split('=');
return Object.assign(acc, {
[cookie[0]]: UTILS.parseBody(decodeURIComponent(cookie[1])),
[cookie[0]]: UTILS.parseBody(decodeURIComponent(cookie.slice(1).join('='))),
});
}, {});

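Review bot: `decodeURIComponent` on the changed line throws `URIError` when a cookie value contains a malformed percent escape, and the Cookie header is client-controlled; the new tests strip `%` from the character set, so this path is never exercised. Nothing visible in the hunk catches the error, so a single bad cookie may fail parsing for the whole request; whether a caller outside the hunk handles it cannot be seen here. I would decode defensively and fall back to the raw text, as sketched below. Separately, the cookie name is written through `Object.assign` onto a plain `{}`, so a name such as `__proto__` reaches the prototype setter instead of becoming an own property; an accumulator created with `Object.create(null)` would avoid that, provided callers do not rely on `Object.prototype` methods of `this.cookies`. The enclosing method of `REQUEST` starts and ends outside the hunk.

```javascript
this.cookies = cookies.reduce((acc, cookie) => {
  const [name, ...rest] = cookie.trim().split('=');
  const raw = rest.join('=');
  let value;
  try {
    value = decodeURIComponent(raw);
  } catch (err) {
    // Malformed percent escape in a client-supplied cookie: keep the raw text instead of throwing.
    value = raw;
  }
  return Object.assign(acc, { [name]: UTILS.parseBody(value) });
}, {});
```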
