Merged PR 21247: Fix partial chunked cookies 70242

# Fix partial chunked cookies

MSRC # 70242: Fix exceptions and allocations when the cookie chunk count is not accurate

## Description

Browsers have limits on how long cookies can be, as low as 4kb. It's common for TempData and CookieAuth to get above that limit, so cookies are split into chunks with the following format:

MyCookie=chunks-3
MyCookieC1=(Base64EncodedData)
MyCookieC2=(Base64EncodedData)
MyCookieC3=(Base64EncodedData)

Fixes MSRC # 70242

## Customer Impact

A malicious client could send `MyCookie=chunks-2147483647` without the actual cookie chunks and cause large allocations, exceptions, and excess CPU utilization on the server when it tried to read or delete that many chunks.

This flaw comes from the original implementation in Microsoft.Owin, but is much worse in AspNetCore when adopted by TempData due to it automatically calling Delete if reading the cookie fails.

I'll backport this to 5.0, 3.1, 2.1, and Microsoft.Owin once reviewed.

## Regression?

- [ ] Yes
- [x] No

## Risk

- [ ] High
- [ ] Medium
- [x] Low

Easy to reproduce and test.

## Verification

- [x] Manual (required)
- [x] Automated

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [x] N/A

Author: Tratcher

src/Security/CookiePolicy/test/CookieChunkingTests.cs

@@ -129,7 +129,7 @@ public void GetLargeChunkedCookieWithMissingChunk_ThrowingDisabled_NotReassemble
         public void DeleteChunkedCookieWithOptions_AllDeleted()
         {
             HttpContext context = new DefaultHttpContext();
-            context.Request.Headers.Append("Cookie", "TestCookie=chunks-7");
+            context.Request.Headers.Append("Cookie", "TestCookie=chunks-7;TestCookieC1=1;TestCookieC2=2;TestCookieC3=3;TestCookieC4=4;TestCookieC5=5;TestCookieC6=6;TestCookieC7=7");
 
             new ChunkingCookieManager().DeleteCookie(context, "TestCookie", new CookieOptions() { Domain = "foo.com", Secure = true });
             var cookies = context.Response.Headers["Set-Cookie"];
@@ -147,7 +147,40 @@ public void DeleteChunkedCookieWithOptions_AllDeleted()
             }, cookies);
         }
 
+        [Fact]
+        public void DeleteChunkedCookieWithMissingRequestCookies_OnlyPresentCookiesDeleted()
+        {
+            HttpContext context = new DefaultHttpContext();
+            context.Request.Headers.Append("Cookie", "TestCookie=chunks-7;TestCookieC1=1;TestCookieC2=2");
+
+            new ChunkingCookieManager().DeleteCookie(context, "TestCookie", new CookieOptions() { Domain = "foo.com", Secure = true });
+            var cookies = context.Response.Headers["Set-Cookie"];
+            Assert.Equal(3, cookies.Count);
+            Assert.Equal(new[]
+            {
+                "TestCookie=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; secure",
+                "TestCookieC1=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; secure",
+                "TestCookieC2=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; secure",
+            }, cookies);
+        }
 
+        [Fact]
+        public void DeleteChunkedCookieWithMissingRequestCookies_StopsAtMissingChunk()
+        {
+            HttpContext context = new DefaultHttpContext();
+            // C3 is missing so we don't try to delete C4 either.
+            context.Request.Headers.Append("Cookie", "TestCookie=chunks-7;TestCookieC1=1;TestCookieC2=2;TestCookieC4=4");
+
+            new ChunkingCookieManager().DeleteCookie(context, "TestCookie", new CookieOptions() { Domain = "foo.com", Secure = true });
+            var cookies = context.Response.Headers["Set-Cookie"];
+            Assert.Equal(3, cookies.Count);
+            Assert.Equal(new[]
+            {
+                "TestCookie=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; secure",
+                "TestCookieC1=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; secure",
+                "TestCookieC2=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; secure",
+            }, cookies);
+        }
 
         [Fact]
         public void DeleteChunkedCookieWithOptionsAndResponseCookies_AllDeleted()

src/Shared/ChunkingCookieManager/ChunkingCookieManager.cs

@@ -103,7 +103,7 @@ private static int ParseChunksCount(string? value)
             var chunksCount = ParseChunksCount(value);
             if (chunksCount > 0)
             {
-                var chunks = new string[chunksCount];
+                var chunks = new List<string>(10); // chunksCount may be wrong, don't trust it.
                 for (var chunkId = 1; chunkId <= chunksCount; chunkId++)
                 {
                     var chunk = requestCookies[key + ChunkKeySuffix + chunkId.ToString(CultureInfo.InvariantCulture)];
@@ -128,7 +128,7 @@ private static int ParseChunksCount(string? value)
                         return value;
                     }
 
-                    chunks[chunkId - 1] = chunk;
+                    chunks.Add(chunk);
                 }
 
                 return string.Join(string.Empty, chunks);
@@ -254,13 +254,22 @@ public void DeleteCookie(HttpContext context, string key, CookieOptions options)
                 key + "="
             };
 
-            var requestCookie = context.Request.Cookies[key];
-            var chunks = ParseChunksCount(requestCookie);
+            var requestCookies = context.Request.Cookies;
+            var requestCookie = requestCookies[key];
+            long chunks = ParseChunksCount(requestCookie);
             if (chunks > 0)
             {
                 for (var i = 1; i <= chunks + 1; i++)
                 {
                     var subkey = key + ChunkKeySuffix + i.ToString(CultureInfo.InvariantCulture);
+
+                    // Only delete cookies we received. We received the chunk count cookie so we should have received the others too.
+                    if (string.IsNullOrEmpty(requestCookies[subkey]))
+                    {
+                        chunks = i - 1;
+                        break;
+                    }
+
                     keys.Add(subkey + "=");
                 }
             }