Merge pull request #39 from bmeck/fix/limit_cookie_parsing_length

fix: add a guard against maliciously-sized cookies
bmeck · Dec 13, 2022 · bd4b209 · bd4b209
2 parents 7d0d631 + eaa0002
commit bd4b209
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/cookiejar.js b/cookiejar.js
@@ -64,6 +64,11 @@
 
     var cookie_str_splitter = /[:](?=\s*[a-zA-Z0-9_\-]+\s*[=])/g;
     Cookie.prototype.parse = function parse(str, request_domain, request_path) {
+        if ( str.length > 32768 ) {
+            console.warn("Cookie too long for parsing (>32768 characters)");
+            return;
+        }
+
         if (this instanceof Cookie) {
             var parts = str.split(";").filter(function (value) {
                     return !!value;

diff --git a/tests/test.js b/tests/test.js
@@ -67,6 +67,10 @@ assert.equal(cookie.domain, ".test.com");
 assert.equal(cookie.path, "/");
 assert.deepEqual(cookie, new Cookie("a=1;domain=.test.com;path=/"));
 
+// ensure cookies that are too long are not parsed to avoid any issues with DoS inputs
+var too_long_cookie = new Cookie( "foo=" + "blah".repeat( 10000 ) );
+assert.equal(too_long_cookie, undefined);
+
 // Test request_path and request_domain
 test_jar2.setCookie(new Cookie("sub=4;path=/", "test.com"));
 var cookie = test_jar2.getCookie("sub", CookieAccessInfo("sub.test.com", "/"));