fix malformed cookie parsing (#210)

artemredkin · web-flow · commit 0fbfdcc9f013 · 2020-05-13T18:31:36.000+01:00
diff --git a/Sources/AsyncHTTPClient/HTTPClient+HTTPCookie.swift b/Sources/AsyncHTTPClient/HTTPClient+HTTPCookie.swift
@@ -61,6 +61,10 @@ extension HTTPClient {
             self.name = nameAndValue[0]
             self.value = nameAndValue[1]
 
+            guard !self.name.isEmpty else {
+                return nil
+            }
+
             self.path = "/"
             self.domain = defaultDomain
             self.expires = nil
@@ -70,6 +74,8 @@ extension HTTPClient {
 
             for component in components[1...] {
                 switch self.parseComponent(component) {
+                case (nil, nil):
+                    continue
                 case ("path", .some(let value)):
                     self.path = value
                 case ("domain", .some(let value)):
@@ -114,14 +120,16 @@ extension HTTPClient {
             self.secure = secure
         }
 
-        func parseComponent(_ component: String) -> (String, String?) {
+        func parseComponent(_ component: String) -> (String?, String?) {
             let nameAndValue = component.split(separator: "=", maxSplits: 1).map {
                 $0.trimmingCharacters(in: .whitespaces)
             }
             if nameAndValue.count == 2 {
                 return (nameAndValue[0].lowercased(), nameAndValue[1])
+            } else if nameAndValue.count == 1 {
+                return (nameAndValue[0].lowercased(), nil)
             }
-            return (nameAndValue[0].lowercased(), nil)
+            return (nil, nil)
         }
     }
 }
diff --git a/Tests/AsyncHTTPClientTests/HTTPClientCookieTests+XCTest.swift b/Tests/AsyncHTTPClientTests/HTTPClientCookieTests+XCTest.swift
@@ -29,6 +29,7 @@ extension HTTPClientCookieTests {
             ("testEmptyValueCookie", testEmptyValueCookie),
             ("testCookieDefaults", testCookieDefaults),
             ("testCookieInit", testCookieInit),
+            ("testMalformedCookies", testMalformedCookies),
         ]
     }
 }
diff --git a/Tests/AsyncHTTPClientTests/HTTPClientCookieTests.swift b/Tests/AsyncHTTPClientTests/HTTPClientCookieTests.swift
@@ -67,4 +67,19 @@ class HTTPClientCookieTests: XCTestCase {
         XCTAssertTrue(c.httpOnly)
         XCTAssertTrue(c.secure)
     }
+
+    func testMalformedCookies() {
+        XCTAssertNil(HTTPClient.Cookie(header: "", defaultDomain: "exampe.org"))
+        XCTAssertNil(HTTPClient.Cookie(header: ";;", defaultDomain: "exampe.org"))
+        XCTAssertNil(HTTPClient.Cookie(header: "name;;", defaultDomain: "exampe.org"))
+        XCTAssertNotNil(HTTPClient.Cookie(header: "name=;;", defaultDomain: "exampe.org"))
+        XCTAssertNotNil(HTTPClient.Cookie(header: "name=value;;", defaultDomain: "exampe.org"))
+        XCTAssertNotNil(HTTPClient.Cookie(header: "name=value;x;", defaultDomain: "exampe.org"))
+        XCTAssertNotNil(HTTPClient.Cookie(header: "name=value;x=;", defaultDomain: "exampe.org"))
+        XCTAssertNotNil(HTTPClient.Cookie(header: "name=value;;x=;", defaultDomain: "exampe.org"))
+        XCTAssertNil(HTTPClient.Cookie(header: ";key=value", defaultDomain: "exampe.org"))
+        XCTAssertNil(HTTPClient.Cookie(header: "key;key=value", defaultDomain: "exampe.org"))
+        XCTAssertNil(HTTPClient.Cookie(header: "=;", defaultDomain: "exampe.org"))
+        XCTAssertNil(HTTPClient.Cookie(header: "=value;", defaultDomain: "exampe.org"))
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -61,6 +61,10 @@ extension HTTPClient {`
`61`	`61`	`self.name = nameAndValue[0]`
`62`	`62`	`self.value = nameAndValue[1]`
`63`	`63`
	`64`	`+ guard !self.name.isEmpty else {`
	`65`	`+ return nil`
	`66`	`+ }`
	`67`	`+`
`64`	`68`	`self.path = "/"`
`65`	`69`	`self.domain = defaultDomain`
`66`	`70`	`self.expires = nil`
`@@ -70,6 +74,8 @@ extension HTTPClient {`
`70`	`74`
`71`	`75`	`for component in components[1...] {`
`72`	`76`	`switch self.parseComponent(component) {`
	`77`	`+ case (nil, nil):`
	`78`	`+ continue`
`73`	`79`	`case ("path", .some(let value)):`
`74`	`80`	`self.path = value`
`75`	`81`	`case ("domain", .some(let value)):`
`@@ -114,14 +120,16 @@ extension HTTPClient {`
`114`	`120`	`self.secure = secure`
`115`	`121`	`}`
`116`	`122`
`117`		`- func parseComponent(_ component: String) -> (String, String?) {`
	`123`	`+ func parseComponent(_ component: String) -> (String?, String?) {`
`118`	`124`	`let nameAndValue = component.split(separator: "=", maxSplits: 1).map {`
`119`	`125`	`$0.trimmingCharacters(in: .whitespaces)`
`120`	`126`	`}`
`121`	`127`	`if nameAndValue.count == 2 {`
`122`	`128`	`return (nameAndValue[0].lowercased(), nameAndValue[1])`
	`129`	`+ } else if nameAndValue.count == 1 {`
	`130`	`+ return (nameAndValue[0].lowercased(), nil)`
`123`	`131`	`}`
`124`		`- return (nameAndValue[0].lowercased(), nil)`
	`132`	`+ return (nil, nil)`
`125`	`133`	`}`
`126`	`134`	`}`
`127`	`135`	`}`
Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,7 @@ extension HTTPClientCookieTests {`
`29`	`29`	`("testEmptyValueCookie", testEmptyValueCookie),`
`30`	`30`	`("testCookieDefaults", testCookieDefaults),`
`31`	`31`	`("testCookieInit", testCookieInit),`
	`32`	`+ ("testMalformedCookies", testMalformedCookies),`
`32`	`33`	`]`
`33`	`34`	`}`
`34`	`35`	`}`