Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: narrow the validation of cookies to match RFC6265 #167

Merged
merged 6 commits into from
Oct 1, 2024
Merged

fix: narrow the validation of cookies to match RFC6265 #167

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
b45a9ed
fix: narrow the validation cookies to match RFC6265
bewinsnw Jul 17, 2024
adf50e4
chore: removing some extra spaces
bewinsnw Jul 17, 2024
23187ce
chore: reorder regexp per review comment
bewinsnw Jul 17, 2024
3963475
chore: document the meaning of CHAR
bewinsnw Jul 18, 2024
32046d4
chore: missing whitespace after comment block
bewinsnw Jul 18, 2024
22e5f22
chore: trailing space
bewinsnw Jul 27, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
61 changes: 52 additions & 9 deletions index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,14 +23,57 @@ exports.serialize = serialize;
var __toString = Object.prototype.toString

/**
* RegExp to match field-content in RFC 7230 sec 3.2
* RegExp to match cookie-name in RFC 6265 sec 4.1.1
* This refers out to the obsoleted definition of token in RFC 2616 sec 2.2
* which has been replaced by the token definition in RFC 7230 appendix B.
*
* field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
* field-vchar = VCHAR / obs-text
* obs-text = %x80-FF
* cookie-name = token
* token = 1*tchar
* tchar = "!" / "#" / "$" / "%" / "&" / "'" /
* "*" / "+" / "-" / "." / "^" / "_" /
* "`" / "|" / "~" / DIGIT / ALPHA
*/

var fieldContentRegExp = /^[\u0009\u0020-\u007e\u0080-\u00ff]+$/;
var cookieNameRegExp = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

/**
* RegExp to match cookie-value in RFC 6265 sec 4.1.1
*
* cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
* cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
* ; US-ASCII characters excluding CTLs,
* ; whitespace DQUOTE, comma, semicolon,
* ; and backslash
*/

var cookieValueRegExp = /^("?)[\u0021\u0023-\u002B\u002D-\u003A\u003C-\u005B\u005D-\u007E]*\1$/;

/**
* RegExp to match domain-value in RFC 6265 sec 4.1.1
*
* domain-value = <subdomain>
* ; defined in [RFC1034], Section 3.5, as
* ; enhanced by [RFC1123], Section 2.1
* <subdomain> = <label> | <subdomain> "." <label>
* <label> = <let-dig> [ [ <ldh-str> ] <let-dig> ]
* Labels must be 63 characters or less.
* 'let-dig' not 'letter' in the first char, per RFC1123
* <ldh-str> = <let-dig-hyp> | <let-dig-hyp> <ldh-str>
* <let-dig-hyp> = <let-dig> | "-"
* <let-dig> = <letter> | <digit>
* <letter> = any one of the 52 alphabetic characters A through Z in
* upper case and a through z in lower case
* <digit> = any one of the ten digits 0 through 9
*/
bewinsnw marked this conversation as resolved.
Show resolved Hide resolved
var domainValueRegExp = /^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)([.][a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;

/**
* RegExp to match path-value in RFC 6265 sec 4.1.1
*
* path-value = <any CHAR except CTLs or ";">
bewinsnw marked this conversation as resolved.
Show resolved Hide resolved
*/

var pathValueRegExp = /^[\u0020-\u003A\u003D-\u007E]*$/;

/**
* Parse a cookie header.
Expand Down Expand Up @@ -116,13 +159,13 @@ function serialize(name, val, options) {
throw new TypeError('option encode is invalid');
}

if (!fieldContentRegExp.test(name)) {
if (!cookieNameRegExp.test(name)) {
throw new TypeError('argument name is invalid');
}

var value = enc(val);

if (value && !fieldContentRegExp.test(value)) {
if (value && !cookieValueRegExp.test(value)) {
throw new TypeError('argument val is invalid');
}

Expand All @@ -139,15 +182,15 @@ function serialize(name, val, options) {
}

if (opt.domain) {
if (!fieldContentRegExp.test(opt.domain)) {
if (!domainValueRegExp.test(opt.domain)) {
throw new TypeError('option domain is invalid');
}

str += '; Domain=' + opt.domain;
}

if (opt.path) {
if (!fieldContentRegExp.test(opt.path)) {
if (!pathValueRegExp.test(opt.path)) {
throw new TypeError('option path is invalid');
}

Expand Down
4 changes: 4 additions & 0 deletions test/serialize.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ describe('cookie.serialize(name, value)', function () {
it('should throw for invalid name', function () {
assert.throws(cookie.serialize.bind(cookie, 'foo\n', 'bar'), /argument name is invalid/)
assert.throws(cookie.serialize.bind(cookie, 'foo\u280a', 'bar'), /argument name is invalid/)
assert.throws(cookie.serialize.bind(cookie, 'foo bar', 'bar'), /argument name is invalid/)
})
})

Expand Down Expand Up @@ -52,6 +53,9 @@ describe('cookie.serialize(name, value, options)', function () {
assert.throws(cookie.serialize.bind(cookie, 'foo', '+ \n', {
encode: function (v) { return v }
}), /argument val is invalid/)
assert.throws(cookie.serialize.bind(cookie, 'foo', 'foo bar', {
encode: function (v) { return v }
}), /argument val is invalid/)
})
})

Expand Down
Loading