fix(cookie): prevent unbounded chunked cookie count

pi0 · pi0 · commit 399257cb406f · 2026-03-21T01:08:40.000+01:00
diff --git a/src/utils/cookie.ts b/src/utils/cookie.ts
@@ -241,11 +241,19 @@ function _getDistinctCookieKey(name: string, options: Partial<SetCookie>) {
   return [name, options.domain || "", options.path || "/"].join(";");
 }
 
+// Maximum number of chunks allowed for chunked cookies.
+// 100 chunks × ~4KB = ~400KB, far beyond any practical cookie size.
+const MAX_CHUNKED_COOKIE_COUNT = 100;
+
 function getChunkedCookieCount(cookie: string | undefined): number {
   if (!cookie?.startsWith(CHUNKED_COOKIE)) {
     return Number.NaN;
   }
-  return Number.parseInt(cookie.slice(CHUNKED_COOKIE.length));
+  const count = Number.parseInt(cookie.slice(CHUNKED_COOKIE.length));
+  if (Number.isNaN(count) || count < 0 || count > MAX_CHUNKED_COOKIE_COUNT) {
+    return Number.NaN;
+  }
+  return count;
 }
 
 function chunkCookieName(name: string, chunkNumber: number): string {
diff --git a/test/cookies.test.ts b/test/cookies.test.ts
@@ -4,6 +4,7 @@ import {
   setCookie,
   getChunkedCookie,
   setChunkedCookie,
+  deleteChunkedCookie,
 } from "../src/utils/cookie.ts";
 import { describeMatrix } from "./_setup.ts";
 
@@ -153,6 +154,42 @@ describeMatrix("cookies", (t, { it, expect, describe }) => {
       });
     });
 
+    describe("chunked cookie DoS protection", () => {
+      it("setChunkedCookie ignores excessively large chunk count from request cookie", async () => {
+        t.app.get("/", (event) => {
+          // This should NOT loop 999999 times
+          setChunkedCookie(event, "session", "newvalue", {
+            chunkMaxLength: 5,
+          });
+          return "200";
+        });
+        const result = await t.fetch("/", {
+          headers: {
+            Cookie: "session=__chunked__999999",
+          },
+        });
+        expect(await result.text()).toBe("200");
+        // Should only have the new cookie set, no massive cleanup
+        expect(result.headers.getSetCookie().length).toBeLessThan(10);
+      });
+
+      it("deleteChunkedCookie ignores excessively large chunk count from request cookie", async () => {
+        t.app.get("/", (event) => {
+          // This should NOT loop 999999 times
+          deleteChunkedCookie(event, "session");
+          return "200";
+        });
+        const result = await t.fetch("/", {
+          headers: {
+            Cookie: "session=__chunked__999999",
+          },
+        });
+        expect(await result.text()).toBe("200");
+        // Should only delete the main cookie, not 999999 chunks
+        expect(result.headers.getSetCookie().length).toBeLessThan(10);
+      });
+    });
+
     describe("setChunkedCookie", () => {
       it("can set-cookie with setChunkedCookie", async () => {
         t.app.get("/", (event) => {

Original file line number	Diff line number	Diff line change
`@@ -241,11 +241,19 @@ function _getDistinctCookieKey(name: string, options: Partial<SetCookie>) {`
`241`	`241`	`return [name, options.domain \|\| "", options.path \|\| "/"].join(";");`
`242`	`242`	`}`
`243`	`243`
	`244`	`+// Maximum number of chunks allowed for chunked cookies.`
	`245`	`+// 100 chunks × ~4KB = ~400KB, far beyond any practical cookie size.`
	`246`	`+const MAX_CHUNKED_COOKIE_COUNT = 100;`
	`247`	`+`
`244`	`248`	`function getChunkedCookieCount(cookie: string \| undefined): number {`
`245`	`249`	`if (!cookie?.startsWith(CHUNKED_COOKIE)) {`
`246`	`250`	`return Number.NaN;`
`247`	`251`	`}`
`248`		`- return Number.parseInt(cookie.slice(CHUNKED_COOKIE.length));`
	`252`	`+ const count = Number.parseInt(cookie.slice(CHUNKED_COOKIE.length));`
	`253`	`+ if (Number.isNaN(count) \|\| count < 0 \|\| count > MAX_CHUNKED_COOKIE_COUNT) {`
	`254`	`+ return Number.NaN;`
	`255`	`+ }`
	`256`	`+ return count;`
`249`	`257`	`}`
`250`	`258`
`251`	`259`	`function chunkCookieName(name: string, chunkNumber: number): string {`