Resolution for Cookie Security issue, cookie accepts cookie name, pat…

…h, and domain with out of bounds characters until version 0.6.0 (PR #5976) # Description closes security alert #80 ## Impact The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. ## Patches Upgrade to 0.7.0, which updates the validation for name, path, and domain. ## Workarounds Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input. ## References jshttp/cookie#167
inmanta · Oct 9, 2024 · 7bd13fb · 7bd13fb
1 parent 10a512f
commit 7bd13fb
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 27 deletions.
diff --git a/changelogs/unreleased/80-security-cookie.yml b/changelogs/unreleased/80-security-cookie.yml
@@ -0,0 +1,3 @@
+change-type: patch
+description: Resolution for Cookie Security issue, cookie accepts cookie name, path, and domain with out of bounds characters until version 0.6.0
+destination-branches: [master]
diff --git a/package.json b/package.json
@@ -188,29 +188,30 @@
     "xml-formatter": "^3.6.2"
   },
   "resolutions": {
-    "micromatch": "^4.0.8",
-    "webpack": "^5.94.0",
-    "path-to-regexp@0.1.7": "0.1.10",
-    "path-to-regexp@^6.2.0": "8.0.0",
-    "dompurify": "^2.5.4",
-    "json5": "^2.2.2",
-    "terser-webpack-plugin": "^1.4.5",
-    "prismjs": "^1.25.0",
-    "trim": "^0.0.3",
-    "glob-parent": "^5.1.2",
     "ansi-regex": "^5.0.1",
-    "nth-check": "^2.0.1",
+    "async": "^3.2.2",
     "browserslist": "^4.16.5",
+    "cookie": "^0.7.0",
+    "dompurify": "^2.5.4",
+    "follow-redirects": "^1.15.4",
+    "glob-parent": "^5.1.2",
     "json-schema": "^0.4.0",
-    "node-forge": "^1.0.0",
+    "json5": "^2.2.2",
+    "loader-utils": "2.0.4 || 1.4.2",
+    "micromatch": "^4.0.8",
     "minimist": "^1.2.6",
+    "node-forge": "^1.0.0",
+    "nth-check": "^2.0.1",
+    "path-to-regexp@^6.2.0": "8.0.0",
+    "path-to-regexp@0.1.7": "0.1.10",
+    "prismjs": "^1.25.0",
     "simple-git": "^3.5.0",
-    "async": "^3.2.2",
+    "terser-webpack-plugin": "^1.4.5",
     "terser": "^5.14.2",
-    "loader-utils": "2.0.4 || 1.4.2",
-    "word-wrap": "^1.2.4",
-    "follow-redirects": "^1.15.4",
+    "trim": "^0.0.3",
     "undici": "^5",
+    "webpack": "^5.94.0",
+    "word-wrap": "^1.2.4",
     "ws": "^8.17.1"
   },
   "madge": {

diff --git a/yarn.lock b/yarn.lock
@@ -5088,17 +5088,10 @@ __metadata:
   languageName: node
   linkType: hard
 
-"cookie@npm:0.6.0":
-  version: 0.6.0
-  resolution: "cookie@npm:0.6.0"
-  checksum: 10/c1f8f2ea7d443b9331680598b0ae4e6af18a618c37606d1bbdc75bec8361cce09fe93e727059a673f2ba24467131a9fb5a4eec76bb1b149c1b3e1ccb268dc583
-  languageName: node
-  linkType: hard
-
-"cookie@npm:^0.5.0":
-  version: 0.5.0
-  resolution: "cookie@npm:0.5.0"
-  checksum: 10/aae7911ddc5f444a9025fbd979ad1b5d60191011339bce48e555cb83343d0f98b865ff5c4d71fecdfb8555a5cafdc65632f6fce172f32aaf6936830a883a0380
+"cookie@npm:^0.7.0":
+  version: 0.7.2
+  resolution: "cookie@npm:0.7.2"
+  checksum: 10/24b286c556420d4ba4e9bc09120c9d3db7d28ace2bd0f8ccee82422ce42322f73c8312441271e5eefafbead725980e5996cc02766dbb89a90ac7f5636ede608f
   languageName: node
   linkType: hard