Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: Use default cookie decoder instead of bare native #13037

Merged
merged 6 commits into from
Nov 21, 2024

Conversation

kkarikos
Copy link
Contributor

@kkarikos kkarikos commented Nov 21, 2024

SvelteKit currently depends on cookie@0.6.0 which has known security vulnerability. User can create an override if they do not need to keep the backward compatibility.

cookie@0.6.0 wraps the passed decoder in try..catch but the new version does not. If user overrides the cookie library, cookies.get and cookies.getAll throw if called with a cookie value that contains malformed content.

In both cases (cookie@0.6.0 and higher) the default decode implementation of cookie library has performance optimization to skip calling decodeURIComponent if the string does not contain "%".

Removing the passing of default decoder: decodeURIComponent does not harm but helps both cases.


Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

  • If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

Edits

  • Please ensure that 'Allow edits from maintainers' is checked. PRs without this option may be closed.

SvelteKit currently depends on cookie@0.6.0 which has known
security vulnerability. User can create an override if they do
not need to keep the backward compatibility.

cookie@0.6.0 wraps the passed decoder in try..catch but the new
version does not. When overriding, the `cookies.get` will throw
if passed in cookie contains malformed content.

In both cases the default `decode` of `cookie` library also
has small performance optimization so removing the passing of
decodeURIComponent should be win already.
Copy link

changeset-bot bot commented Nov 21, 2024

🦋 Changeset detected

Latest commit: 9403593

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@sveltejs/kit Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

Co-authored-by: Simon H <5968653+dummdidumm@users.noreply.github.com>
@benmccann benmccann merged commit 1358ccc into sveltejs:main Nov 21, 2024
14 checks passed
@github-actions github-actions bot mentioned this pull request Nov 21, 2024
@kkarikos kkarikos deleted the fix-cookie-parse-default-encoder branch November 22, 2024 07:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants