authorYasser A.Idrissi <spookyframework@gmail.com>2020-11-22 15:34:31 +0100
committerGitHub <noreply@github.com>2020-11-22 15:34:31 +0100
commit2c00f6c5482e024745378b61b654d9b524ab6f08 (patch)
tree25c866c4a8300d1e00b2b2b4f73c51660b133625
parent14877f7fe21573e1ed0ce696a107543bbba995b2 (diff)
feat(std/http): Validate cookie path value (#8457)
-rw-r--r--std/http/cookie.ts22
-rw-r--r--std/http/cookie_test.ts23
2 files changed, 45 insertions, 0 deletions
diff --git a/std/http/cookie.ts b/std/http/cookie.ts
index 90f33ae98..fb0c2dee0 100644
--- a/std/http/cookie.ts
+++ b/std/http/cookie.ts
@@ -70,6 +70,7 @@ function toString(cookie: Cookie): string {
out.push(`SameSite=${cookie.sameSite}`);
}
if (cookie.path) {
+ validatePath(cookie.path);
out.push(`Path=${cookie.path}`);
}
if (cookie.expires) {
@@ -93,6 +94,27 @@ function validateCookieName(name: string | undefined | null): void {
}
/**
+ * Validate Path Value.
+ * @see https://tools.ietf.org/html/rfc6265#section-4.1.2.4
+ * @param path Path value.
+ */
+function validatePath(path: string | null): void {
+ if (path == null) {
+ return;
+ }
+ for (let i = 0; i < path.length; i++) {
+ const c = path.charAt(i);
+ if (
+ c < String.fromCharCode(0x20) || c > String.fromCharCode(0x7E) || c == ";"
+ ) {
+ throw new Error(
+ path + ": Invalid cookie path char '" + c + "'",
+ );
+ }
+ }
+}
+
+/**
* Parse the cookies of the Server Request
* @param req An object which has a `headers` property
*/
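Review bot: The comparison on the `c == ";"` line should be `c === ";"` to match the strict-equality convention used in TypeScript and avoid coercion surprises; the other two comparisons rely on ordering of one-code-unit strings, which is fine but worth a comment such as `// path-value = <any CHAR except CTLs or ";"> (RFC 6265 §4.1.1); 0x7F (DEL) is rejected by the upper bound` — the `@see` in the docstring points at §4.1.2.4, which describes the Path attribute's semantics, while the grammar the loop enforces lives in §4.1.1. The signature `path: string | null` differs from the sibling `validateCookieName(name: string | undefined | null)`; widening it to `string | undefined | null` keeps the two validators consistent, and since the only caller in the first hunk already sits inside `if (cookie.path)`, the `path == null` early return is unreachable from there. A defender-facing comment on the loop would also make the intent explicit: besides blocking attribute injection via `;`, the `< 0x20` bound rejects CR and LF, so a path value cannot split the Set-Cookie header. The enclosing `toString` function in the first hunk starts and ends outside that hunk.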
diff --git a/std/http/cookie_test.ts b/std/http/cookie_test.ts
index 0f42a9381..bc45b2996 100644
--- a/std/http/cookie_test.ts
+++ b/std/http/cookie_test.ts
@@ -66,6 +66,29 @@ Deno.test({
});
Deno.test({
+ name: "Cookie Path Validation",
+ fn(): void {
+ const res: Response = {};
+ const path = "/;domain=sub.domain.com";
+ res.headers = new Headers();
+ assertThrows(
+ (): void => {
+ setCookie(res, {
+ name: "Space",
+ value: "Cat",
+ httpOnly: true,
+ secure: true,
+ path,
+ maxAge: 3,
+ });
+ },
+ Error,
+ path + ": Invalid cookie path char ';'",
+ );
+ },
+});
+
+Deno.test({
name: "Cookie Delete",
fn(): void {
const res: Response = {};
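Review bot: The new "Cookie Path Validation" test only asserts the `;` rejection, so the `c < 0x20` and `c > 0x7E` branches of `validatePath` are untested; a second `assertThrows` with a control character, e.g. `const ctlPath = "/foo\nbar";` and the expected message `ctlPath + ": Invalid cookie path char '\n'"`, and one with `"\x7F"` would pin the boundaries. The `res` object and its `headers` setup could be shared between the two cases rather than duplicated. The test body is fully contained in this hunk; the following "Cookie Delete" test continues past the end of it.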