From 87955d8ea0876c7aec8ff0329592432b564ea817 Mon Sep 17 00:00:00 2001
From: Kalle Karikoski
Date: Thu, 21 Nov 2024 08:28:36 +0200
Subject: [PATCH 1/6] fix: Use default cookie decoder instead of bare native

SvelteKit currently depends on cookie@0.6.0 which has known security vulnerability. User can create an override if they do not need to keep the backward compatibility. cookie@0.6.0 wraps the passed decoder in try..catch but the new version does not. When overriding, the `cookies.get` will throw if passed in cookie contains malformed content. In both cases the default `decode` of `cookie` library also has small performance optimization so removing the passing of decodeURIComponent should be win already.

---
 packages/kit/src/runtime/server/cookie.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/packages/kit/src/runtime/server/cookie.js b/packages/kit/src/runtime/server/cookie.js
index ddefa847a432..7c854056d383 100644
--- a/packages/kit/src/runtime/server/cookie.js
+++ b/packages/kit/src/runtime/server/cookie.js
@@ -67,8 +67,8 @@ export function get_cookies(request, url, trailing_slash) {
 return c.value;
 }
- const decoder = opts?.decode || decodeURIComponent;
- const req_cookies = parse(header, { decode: decoder });
+ // `parse` uses default decoder if `opts.decode` is undefined
+ const req_cookies = parse(header, { decode: opts?.decode });
 const cookie = req_cookies[name]; // the decoded string or undefined
 // in development, if the cookie was set during this session with `cookies.set`,
@@ -95,8 +95,8 @@ export function get_cookies(request, url, trailing_slash) {
 * @param {import('cookie').CookieParseOptions} opts
 */
 getAll(opts) {
- const decoder = opts?.decode || decodeURIComponent;
- const cookies = parse(header, { decode: decoder });
+ // `parse` uses default decoder if `opts.decode` is undefined
+ const cookies = parse(header, { decode: opts?.decode });
 for (const c of Object.values(new_cookies)) {
 if (
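Review bot: The `@param opts` JSDoc on `get` (above this hunk, outside it) and on `getAll` (the `@param` line visible in the second hunk) should state that a caller-supplied `decode` is forwarded as-is to request-controlled header values: `parse(header, { decode: opts?.decode })` passes whatever the caller provided, and the commit description itself says newer `cookie` releases no longer wrap that function in try/catch, so a client-sent value with a truncated percent-escape would surface as an exception from `cookies.get` or `cookies.getAll` rather than as the raw string. A one-line addition on both methods would make the contract visible, e.g. `* @param {import('cookie').CookieParseOptions} opts - a custom decode must not throw on malformed input; newer cookie releases do not wrap it in try/catch`. Since the point of the change is that the no-options path keeps returning the raw value instead of throwing, a regression test that calls `cookies.get` with no options on a malformed cookie such as `a=%E0%A4%A` (constructed example) and asserts it does not throw would pin that behaviour across `cookie` versions. `get_cookies` begins and ends outside both hunks.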
From b3e2ace63761aaae4c0a55e6f4e314041153437d Mon Sep 17 00:00:00 2001
From: Kalle Karikoski
Date: Thu, 21 Nov 2024 09:15:10 +0200
Subject: [PATCH 2/6] add changeset

---
 .changeset/plenty-oranges-count.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/plenty-oranges-count.md

diff --git a/.changeset/plenty-oranges-count.md b/.changeset/plenty-oranges-count.md
new file mode 100644
index 000000000000..17a4ce036207
--- /dev/null
+++ b/.changeset/plenty-oranges-count.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': minor
+---
+
+fix: do not override default cookie decoder

From c88916b201f9c0cacaf4b82cc1b992318cb24116 Mon Sep 17 00:00:00 2001
From: kkarikos
Date: Thu, 21 Nov 2024 11:21:54 +0200
Subject: [PATCH 3/6] Update .changeset/plenty-oranges-count.md

Co-authored-by: Simon H <5968653+dummdidumm@users.noreply.github.com>
---
 .changeset/plenty-oranges-count.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.changeset/plenty-oranges-count.md b/.changeset/plenty-oranges-count.md
index 17a4ce036207..1ae55207c58b 100644
--- a/.changeset/plenty-oranges-count.md
+++ b/.changeset/plenty-oranges-count.md
@@ -1,5 +1,5 @@
 ---
-'@sveltejs/kit': minor
+'@sveltejs/kit': patch
 ---
 fix: do not override default cookie decoder

From 3c83ff7f387c3e4fe6068aa83b13f5750cbe2293 Mon Sep 17 00:00:00 2001
From: Ben McCann <322311+benmccann@users.noreply.github.com>
Date: Thu, 21 Nov 2024 12:15:44 -0800
Subject: [PATCH 4/6] Update packages/kit/src/runtime/server/cookie.js

---
 packages/kit/src/runtime/server/cookie.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/packages/kit/src/runtime/server/cookie.js b/packages/kit/src/runtime/server/cookie.js
index 7c854056d383..772805f13d17 100644
--- a/packages/kit/src/runtime/server/cookie.js
+++ b/packages/kit/src/runtime/server/cookie.js
@@ -67,7 +67,6 @@ export function get_cookies(request, url, trailing_slash) {
 return c.value;
 }
- // `parse` uses default decoder if `opts.decode` is undefined
 const req_cookies = parse(header, { decode: opts?.decode });
 const cookie = req_cookies[name]; // the decoded string or undefined

From 6fc4a6ef3fcf0433cbbd4fb9a3d54cd44ff7a417 Mon Sep 17 00:00:00 2001
From: Ben McCann <322311+benmccann@users.noreply.github.com>
Date: Thu, 21 Nov 2024 12:16:01 -0800
Subject: [PATCH 5/6] Update packages/kit/src/runtime/server/cookie.js

---
 packages/kit/src/runtime/server/cookie.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/packages/kit/src/runtime/server/cookie.js b/packages/kit/src/runtime/server/cookie.js
index 772805f13d17..f4442872fbeb 100644
--- a/packages/kit/src/runtime/server/cookie.js
+++ b/packages/kit/src/runtime/server/cookie.js
@@ -94,7 +94,6 @@ export function get_cookies(request, url, trailing_slash) {
 * @param {import('cookie').CookieParseOptions} opts
 */
 getAll(opts) {
- // `parse` uses default decoder if `opts.decode` is undefined
 const cookies = parse(header, { decode: opts?.decode });
 for (const c of Object.values(new_cookies)) {

From 94035933ffec6094410da2b4853da7ff99d01fbf Mon Sep 17 00:00:00 2001
From: Ben McCann <322311+benmccann@users.noreply.github.com>
Date: Thu, 21 Nov 2024 12:18:22 -0800
Subject: [PATCH 6/6] Update .changeset/plenty-oranges-count.md

---
 .changeset/plenty-oranges-count.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.changeset/plenty-oranges-count.md b/.changeset/plenty-oranges-count.md
index 1ae55207c58b..3031d3cc6f43 100644
--- a/.changeset/plenty-oranges-count.md
+++ b/.changeset/plenty-oranges-count.md
@@ -2,4 +2,4 @@
 '@sveltejs/kit': patch
 ---
-fix: do not override default cookie decoder
+fix: do not override default cookie decoder to allow users to override the `cookie` library version