From 02d80381b83955d7bebce72c97aedb9928a2597f Mon Sep 17 00:00:00 2001 From: uzlopak Date: Thu, 29 Feb 2024 04:06:01 +0100 Subject: [PATCH 1/2] cookies: improve validateCookieValue --- benchmarks/cookies/validate-cookie-value.mjs | 16 ++++ lib/web/cookies/util.js | 29 ++++++-- test/cookie/cookies.js | 4 +- test/cookie/validate-cookie-value.js | 78 ++++++++++++++++++++ 4 files changed, 117 insertions(+), 10 deletions(-) create mode 100644 benchmarks/cookies/validate-cookie-value.mjs create mode 100644 test/cookie/validate-cookie-value.js diff --git a/benchmarks/cookies/validate-cookie-value.mjs b/benchmarks/cookies/validate-cookie-value.mjs new file mode 100644 index 00000000000..a10db83b4c1 --- /dev/null +++ b/benchmarks/cookies/validate-cookie-value.mjs @@ -0,0 +1,16 @@ +import { bench, group, run } from 'mitata' +import { validateCookieValue } from '../../lib/web/cookies/util.js' + +const valid = 'Cat' +const wrappedValid = `"${valid}"` + +group('validateCookieValue', () => { + bench(`valid: ${valid}`, () => { + return validateCookieValue(valid) + }) + bench(`valid: ${wrappedValid}`, () => { + return validateCookieValue(wrappedValid) + }) +}) + +await run() diff --git a/lib/web/cookies/util.js b/lib/web/cookies/util.js index b043054d1ce..51ed2b5434c 100644 --- a/lib/web/cookies/util.js +++ b/lib/web/cookies/util.js @@ -69,18 +69,30 @@ function validateCookieName (name) { * @param {string} value */ function validateCookieValue (value) { - for (const char of value) { - const code = char.charCodeAt(0) + let len = value.length + let i = 0 + + // if the value is wrapped in DQUOTE + if (value[0] === '"') { + if (len === 1 || value[len - 1] !== '"') { + throw new Error('Invalid cookie value') + } + --len + ++i + } + + while (i < len) { + const code = value.charCodeAt(i++) if ( code < 0x21 || // exclude CTLs (0-31) - code === 0x22 || - code === 0x2C || - code === 0x3B || - code === 0x5C || - code > 0x7E // non-ascii + code > 0x7E || // non-ascii and DEL (127) + code === 0x22 || // " + code === 0x2C || // , + code === 0x3B || // ; + code === 0x5C // \ ) { - throw new Error('Invalid header value') + throw new Error('Invalid cookie value') } } } @@ -286,6 +298,7 @@ function getHeadersList (headers) { module.exports = { isCTLExcludingHtab, validateCookiePath, + validateCookieValue, toIMFDate, stringify, getHeadersList diff --git a/test/cookie/cookies.js b/test/cookie/cookies.js index 4185559466b..711f26a0351 100644 --- a/test/cookie/cookies.js +++ b/test/cookie/cookies.js @@ -116,7 +116,7 @@ test('Cookie Value Validation', () => { } ) }, - new Error('Invalid header value'), + new Error('Invalid cookie value'), "RFC2616 cookie 'Space'" ) }) @@ -128,7 +128,7 @@ test('Cookie Value Validation', () => { value: 'United Kingdom' }) }, - new Error('Invalid header value'), + new Error('Invalid cookie value'), "RFC2616 cookie 'location' cannot contain character ' '" ) }) diff --git a/test/cookie/validate-cookie-value.js b/test/cookie/validate-cookie-value.js new file mode 100644 index 00000000000..453d7f96930 --- /dev/null +++ b/test/cookie/validate-cookie-value.js @@ -0,0 +1,78 @@ +'use strict' + +const { test, describe } = require('node:test') +const { throws, strictEqual } = require('node:assert') + +const { + validateCookieValue +} = require('../../lib/web/cookies/util') + +describe('validateCookieValue', () => { + test('should throw for CTLs', () => { + throws(() => validateCookieValue('\x00'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x01'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x02'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x03'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x04'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x05'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x06'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x07'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x08'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x09'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x0A'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x0B'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x0C'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x0D'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x0E'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x0F'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x10'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x11'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x12'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x13'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x14'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x15'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x16'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x17'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x18'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x19'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x1A'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x1B'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x1C'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x1D'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x1E'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x1F'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('\x7F'), new Error('Invalid cookie value')) + }) + + test('should throw for ; character', () => { + throws(() => validateCookieValue(';'), new Error('Invalid cookie value')) + }) + + test('should throw for " character', () => { + throws(() => validateCookieValue('"'), new Error('Invalid cookie value')) + }) + + test('should throw for " character', () => { + throws(() => validateCookieValue(','), new Error('Invalid cookie value')) + }) + + test('should throw for \\ character', () => { + throws(() => validateCookieValue('\\'), new Error('Invalid cookie value')) + }) + + test('should pass for a printable character', t => { + strictEqual(validateCookieValue('A'), undefined) + strictEqual(validateCookieValue('Z'), undefined) + strictEqual(validateCookieValue('a'), undefined) + strictEqual(validateCookieValue('z'), undefined) + strictEqual(validateCookieValue('!'), undefined) + strictEqual(validateCookieValue('='), undefined) + }) + + test('should handle strings wrapped in DQUOTE', t => { + strictEqual(validateCookieValue('""'), undefined) + strictEqual(validateCookieValue('"helloworld"'), undefined) + throws(() => validateCookieValue('"'), new Error('Invalid cookie value')) + throws(() => validateCookieValue('"""'), new Error('Invalid cookie value')) + }) +}) From 372e0b22994793e1dd0571796014db7ff98e2c5f Mon Sep 17 00:00:00 2001 From: Aras Abbasi Date: Thu, 29 Feb 2024 04:18:58 +0100 Subject: [PATCH 2/2] Apply suggestions from code review --- test/cookie/validate-cookie-value.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/cookie/validate-cookie-value.js b/test/cookie/validate-cookie-value.js index 453d7f96930..7511121fb08 100644 --- a/test/cookie/validate-cookie-value.js +++ b/test/cookie/validate-cookie-value.js @@ -52,7 +52,7 @@ describe('validateCookieValue', () => { throws(() => validateCookieValue('"'), new Error('Invalid cookie value')) }) - test('should throw for " character', () => { + test('should throw for , character', () => { throws(() => validateCookieValue(','), new Error('Invalid cookie value')) })