authorYasser A.Idrissi <spookyframework@gmail.com>2020-11-22 15:34:31 +0100
committerGitHub <noreply@github.com>2020-11-22 15:34:31 +0100
commit2c00f6c5482e024745378b61b654d9b524ab6f08 (patch)
tree25c866c4a8300d1e00b2b2b4f73c51660b133625 /std/http/cookie.ts
parent14877f7fe21573e1ed0ce696a107543bbba995b2 (diff)
feat(std/http): Validate cookie path value (#8457)
Diffstat (limited to 'std/http/cookie.ts')
-rw-r--r--std/http/cookie.ts22
1 files changed, 22 insertions, 0 deletions
diff --git a/std/http/cookie.ts b/std/http/cookie.ts
index 90f33ae98..fb0c2dee0 100644
--- a/std/http/cookie.ts
+++ b/std/http/cookie.ts
@@ -70,6 +70,7 @@ function toString(cookie: Cookie): string {
out.push(`SameSite=${cookie.sameSite}`);
}
if (cookie.path) {
+ validatePath(cookie.path);
out.push(`Path=${cookie.path}`);
}
if (cookie.expires) {
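Review bot: `toString` can now throw from the Path branch, and nothing at the call site says so or why; a comment such as `// Throws on control chars or ';' so a caller-supplied path cannot append attributes or break the header line.` would make the contract visible. The `if (cookie.path)` truthiness guard already filters `null`, `undefined` and `""`, so the `path == null` branch inside `validatePath` is unreachable from this call. The `SameSite` value on the context line above is interpolated the same way with no check visible in this hunk; if it is constrained only by a TypeScript type, that constraint is erased at runtime, so it may deserve the same validation. `toString` starts and ends outside the hunk.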
@@ -93,6 +94,27 @@ function validateCookieName(name: string | undefined | null): void {
}
/**
+ * Validate Path Value.
+ * @see https://tools.ietf.org/html/rfc6265#section-4.1.2.4
+ * @param path Path value.
+ */
+function validatePath(path: string | null): void {
+ if (path == null) {
+ return;
+ }
+ for (let i = 0; i < path.length; i++) {
+ const c = path.charAt(i);
+ if (
+ c < String.fromCharCode(0x20) || c > String.fromCharCode(0x7E) || c == ";"
+ ) {
+ throw new Error(
+ path + ": Invalid cookie path char '" + c + "'",
+ );
+ }
+ }
+}
+
+/**
* Parse the cookies of the Server Request
* @param req An object which has a `headers` property
*/
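Review bot: The error message in `validatePath` concatenates the whole rejected `path` and the raw offending character, which may be a control character such as CR or LF, so anything that logs or displays the exception receives unescaped caller data. Reporting the position and code point avoids that: `const code = path.charCodeAt(i);`, `if (code < 0x20 || code > 0x7E || code === 0x3B) {`, and `throw new Error("Invalid cookie path char 0x" + code.toString(16) + " at index " + i);`. Comparing code units also removes the per-iteration `String.fromCharCode` calls and the loose `==`. The accepted range itself (0x20–0x7E without `;`) matches the RFC 6265 path-value grammar cited in the doc comment, which could also state that the function throws `Error` on the first invalid character.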