cookies: fix validateMaxAge allow negative numbers #2888

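--- /dev/null
+++ b/benchmarks/cookies/validate-max-age.mjs
@@ -0,0 +1,12 @@
+import { bench, group, run } from 'mitata'
+import { validateCookieMaxAge } from '../../lib/web/cookies/util.js'
+
+const valid = 2000
+
+group('validateCookieMaxAge', () => {
+bench(`valid: ${valid}`, () => {
+return validateCookieMaxAge(valid)
+})
+})
+
+await run()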
14 changes: 13 additions & 1 deletion lib/web/cookies/util.js
@@ -197,10 +197,21 @@ function toIMFDate (date) {
; In practice, both expires-av and max-age-av
; are limited to dates representable by the
; user agent.
*
* @see https://www.rfc-editor.org/rfc/rfc6265#section-4.1.1
*
* but:
* If delta-seconds is less than or equal to zero (0), let expiry-time be the
* earliest representable date and time. Otherwise, let the expiry-time be the
* current date and time plus delta-seconds seconds.
* @see https://www.rfc-editor.org/rfc/rfc6265#section-5.2.2
*
* Any integer value is valid.
*
* @param {number} maxAge
*/
function validateCookieMaxAge (maxAge) {
if (maxAge < 0) {
if (Number.isInteger(maxAge) === false) {
throw new Error('Invalid cookie max-age')
}
}
@@ -301,6 +312,7 @@ module.exports = {
validateCookieName,
validateCookiePath,
validateCookieValue,
validateCookieMaxAge,
toIMFDate,
stringify,
getHeadersList
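Review bot: `Number.isInteger(maxAge)` in validateCookieMaxAge also accepts integers outside the safe range, such as `1e21`, and JavaScript renders those in exponent notation when they are converted to a string. If the attribute is built by plain string conversion (the serializer is outside this section, so this is inferred from the `Max-Age=-1` expectation in test/cookie/cookies.js), the header would carry `Max-Age=1e+21`, which is not a run of digits. Consider `if (!Number.isSafeInteger(maxAge)) {` and change the doc line `Any integer value is valid.` to say safe integer. The doc comment also has no `@throws {Error}` line for the rejection path; its opening lies above the hunk.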
6 changes: 5 additions & 1 deletion test/cookie/cookies.js
@@ -255,7 +255,11 @@ test('Cookie Set', () => {
} catch {
error = true
}
assert.ok(error)
assert.strictEqual(error, false)
assert.equal(
headers.get('Set-Cookie'),
'Space=Cat; Secure; HttpOnly; Max-Age=-1'
)

headers = new Headers()
setCookie(headers, {
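Review bot: The `catch` that sets `error = true` is now kept only so that `assert.strictEqual(error, false)` can check it, which means a regression would report `true !== false` instead of the thrown 'Invalid cookie max-age' message. Since this case now expects success, calling `setCookie` without the wrapper, or using `assert.doesNotThrow(() => setCookie(...))`, would surface the real error. The `try` block and the initialisation of `error` sit above the hunk, so this assumes `error` starts as `false` and that the `setCookie` call is what the `try` guards.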
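--- /dev/null
+++ b/test/cookie/validate-cookie-max-age.js
@@ -0,0 +1,37 @@
+'use strict'
+
+const { test, describe } = require('node:test')
+const { throws, strictEqual } = require('node:assert')
+
+const {
+validateCookieMaxAge
+} = require('../../lib/web/cookies/util')
+
+describe('validateCookieMaxAge', () => {
+test('0', () => {
+strictEqual(validateCookieMaxAge(0), undefined)
+strictEqual(validateCookieMaxAge(+0), undefined)
+strictEqual(validateCookieMaxAge(-0), undefined)
+})
+
+test('float', () => {
+throws(() => validateCookieMaxAge(3.15), Error('Invalid cookie max-age'))
+})
+
+test('integer value', () => {
+strictEqual(validateCookieMaxAge(2), undefined)
+strictEqual(validateCookieMaxAge(-2), undefined)
+})
+
+test('-Infinity', () => {
+throws(() => validateCookieMaxAge(-Infinity), Error('Invalid cookie max-age'))
+})
+
+test('Infinity', () => {
+throws(() => validateCookieMaxAge(Infinity), Error('Invalid cookie max-age'))
+})
+
+test('NaN', () => {
+throws(() => validateCookieMaxAge(NaN), Error('Invalid cookie max-age'))
+})
+})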
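Review bot: The suite has no case for non-number input, which is where this change tightens behaviour: the old `maxAge < 0` guard let values such as `'10'` or `null` through, while `Number.isInteger` now rejects them. Add `throws(() => validateCookieMaxAge('10'), Error('Invalid cookie max-age'))` and the same for `null`, so the stricter type handling is pinned. A case at the integer boundary, `Number.MAX_SAFE_INTEGER + 1`, would also record whether out-of-range integers are meant to pass.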