-rw-r--r-- | std/http/cookie.ts | 22 | ||||
-rw-r--r-- | std/http/cookie_test.ts | 23 |
2 files changed, 45 insertions, 0 deletions
diff --git a/std/http/cookie.ts b/std/http/cookie.ts
index 90f33ae98..fb0c2dee0 100644
--- a/std/http/cookie.ts
+++ b/std/http/cookie.ts
@@ -70,6 +70,7 @@ function toString(cookie: Cookie): string {
 out.push(`SameSite=${cookie.sameSite}`);
 }
 if (cookie.path) {
+ validatePath(cookie.path);
 out.push(`Path=${cookie.path}`);
 }
 if (cookie.expires) {
@@ -93,6 +94,27 @@ function validateCookieName(name: string | undefined | null): void {
 }
 /**
+ * Validate Path Value.
+ * @see https://tools.ietf.org/html/rfc6265#section-4.1.2.4
+ * @param path Path value.
+ */
+function validatePath(path: string | null): void {
+ if (path == null) {
+ return;
+ }
+ for (let i = 0; i < path.length; i++) {
+ const c = path.charAt(i);
+ if (
+ c < String.fromCharCode(0x20) || c > String.fromCharCode(0x7E) || c == ";"
+ ) {
+ throw new Error(
+ path + ": Invalid cookie path char '" + c + "'",
+ );
+ }
+ }
+}
+
+/**
 * Parse the cookies of the Server Request
 * @param req An object which has a `headers` property
 */
diff --git a/std/http/cookie_test.ts b/std/http/cookie_test.ts
index 0f42a9381..bc45b2996 100644
--- a/std/http/cookie_test.ts
+++ b/std/http/cookie_test.ts
@@ -66,6 +66,29 @@ Deno.test({
 });
 Deno.test({
+ name: "Cookie Path Validation",
+ fn(): void {
+ const res: Response = {};
+ const path = "/;domain=sub.domain.com";
+ res.headers = new Headers();
+ assertThrows(
+ (): void => {
+ setCookie(res, {
+ name: "Space",
+ value: "Cat",
+ httpOnly: true,
+ secure: true,
+ path,
+ maxAge: 3,
+ });
+ },
+ Error,
+ path + ": Invalid cookie path char ';'",
+ );
+ },
+});
+
+Deno.test({
 name: "Cookie Delete",
 fn(): void {
 const res: Response = {};
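Review bot: The character test in validatePath uses loose equality (`c == ";"`) and three string comparisons against `String.fromCharCode` results where a single code-unit read would state the RFC 6265 av-octet rule (0x20–0x7E minus `;`) directly; suggest `const code = path.charCodeAt(i);` then `if (code < 0x20 || code > 0x7e || code === 0x3b) {` and `throw new Error(path + ": Invalid cookie path char '" + path.charAt(i) + "'");`. The `path == null` early return is unreachable from the only caller in this diff, because toString invokes validatePath inside `if (cookie.path)`; if no caller outside the hunk passes null, the `| null` in the signature can be dropped so the type matches the actual contract. The rejected value is echoed verbatim into the Error message, which is fine for a library but worth stating, e.g. `// Error text includes the offending path; anything that logs it should treat it as untrusted input.`. The SameSite value is interpolated a few lines above in the same hunk without a comparable check; if its declared type is a plain string rather than a literal union, it needs the same attribute-delimiter validation, as would any other free-form attribute toString emits outside this hunk.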
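Review bot: The new "Cookie Path Validation" test exercises only the `;` branch of validatePath; the control-character (`< 0x20`) and out-of-range (`> 0x7E`) branches introduced in the same commit have no coverage, and there is no positive case showing a legal path still serializes. Suggest a second assertThrows with `const path = "/\tbad";` expecting `path + ": Invalid cookie path char '\t'"`, and one setCookie call with a plain `/` path asserting the resulting header still contains `Path=/`, so a future tightening of the check cannot silently reject valid paths. The Response/Headers setup repeats the pattern of the neighbouring tests; a small fixture helper would reduce that duplication, though that refactor lies outside this hunk.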