Merged PR 50638: Harden Cookie parsing

BrennanConroy · wtgodbe · commit b668e440ee96 · 2025-06-06T21:27:47.000Z
Harden Cookie parsing

----
#### AI description  (iteration 1)
#### PR Classification
Bug fix focused on enforcing stricter cookie parsing rules in accordance with RFC 6265.

#### PR Summary
This pull request refines cookie parsing by updating test datasets and parser logic to reject improperly formatted cookie headers. The changes include:
- **`src/Http/Headers/test/CookieHeaderValueTest.cs`**: Renamed and modified test datasets to use strict parsing (e.g., renaming to ListOfStrictCookieHeaderDataSet) and update expected results for invalid cookie combinations.
- **`src/Http/Http/test/RequestCookiesCollectionTests.cs`**: Revised inline test cases to expect null outcomes for malformed cookies and added new cases for additional invalid formats.
- **`src/Http/Shared/CookieHeaderParserShared.cs`**: Enhanced parsing logic to skip invalid cookie segments by enforcing semicolon delimiters and incorporating detailed RFC comment documentation.
&lt;!-- GitOpsUserAgent=GitOps.Apps.Server.pullrequestcopilot --&gt;
diff --git a/src/Http/Headers/test/CookieHeaderValueTest.cs b/src/Http/Headers/test/CookieHeaderValueTest.cs
@@ -75,7 +75,7 @@ public static TheoryData<string> InvalidCookieValues
         }
     }
 
-    public static TheoryData<IList<CookieHeaderValue>, string?[]> ListOfCookieHeaderDataSet
+    public static TheoryData<IList<CookieHeaderValue>, string?[]> ListOfStrictCookieHeaderDataSet
     {
         get
         {
@@ -94,19 +94,30 @@ public static TheoryData<string> InvalidCookieValues
 
             dataset.Add(new[] { header1 }.ToList(), new[] { string1 });
             dataset.Add(new[] { header1, header1 }.ToList(), new[] { string1, string1 });
-            dataset.Add(new[] { header1, header1 }.ToList(), new[] { string1, null, "", " ", ";", " , ", string1 });
             dataset.Add(new[] { header2 }.ToList(), new[] { string2 });
             dataset.Add(new[] { header1, header2 }.ToList(), new[] { string1, string2 });
-            dataset.Add(new[] { header1, header2 }.ToList(), new[] { string1 + ", " + string2 });
             dataset.Add(new[] { header2, header1 }.ToList(), new[] { string2 + "; " + string1 });
             dataset.Add(new[] { header1, header2, header3, header4 }.ToList(), new[] { string1, string2, string3, string4 });
-            dataset.Add(new[] { header1, header2, header3, header4 }.ToList(), new[] { string.Join(",", string1, string2, string3, string4) });
             dataset.Add(new[] { header1, header2, header3, header4 }.ToList(), new[] { string.Join(";", string1, string2, string3, string4) });
 
             return dataset;
         }
     }
 
+    public static TheoryData<IList<CookieHeaderValue>, string?[]> ListOfCookieHeaderDataSet
+    {
+        get
+        {
+            var header1 = new CookieHeaderValue("name1", "n1=v1&n2=v2&n3=v3");
+            var string1 = "name1=n1=v1&n2=v2&n3=v3";
+
+            var dataset = new TheoryData<IList<CookieHeaderValue>, string?[]>();
+            dataset.Concat(ListOfStrictCookieHeaderDataSet);
+            dataset.Add(new[] { header1, header1 }.ToList(), new[] { string1, null, "", " ", ";", " , ", string1 });
+            return dataset;
+        }
+    }
+
     public static TheoryData<IList<CookieHeaderValue>?, string?[]> ListWithInvalidCookieHeaderDataSet
     {
         get
@@ -127,18 +138,19 @@ public static TheoryData<string> InvalidCookieValues
             dataset.Add(new[] { header1 }.ToList(), new[] { validString1, invalidString1 });
             dataset.Add(new[] { header1 }.ToList(), new[] { validString1, null, "", " ", ";", " , ", invalidString1 });
             dataset.Add(new[] { header1 }.ToList(), new[] { invalidString1, null, "", " ", ";", " , ", validString1 });
-            dataset.Add(new[] { header1 }.ToList(), new[] { validString1 + ", " + invalidString1 });
-            dataset.Add(new[] { header2 }.ToList(), new[] { invalidString1 + ", " + validString2 });
+            dataset.Add(null, new[] { validString1 + ", " });
+            dataset.Add(null, new[] { invalidString1 + ", " + validString2 });
             dataset.Add(new[] { header1 }.ToList(), new[] { invalidString1 + "; " + validString1 });
             dataset.Add(new[] { header2 }.ToList(), new[] { validString2 + "; " + invalidString1 });
             dataset.Add(new[] { header1, header2, header3 }.ToList(), new[] { invalidString1, validString1, validString2, validString3 });
             dataset.Add(new[] { header1, header2, header3 }.ToList(), new[] { validString1, invalidString1, validString2, validString3 });
             dataset.Add(new[] { header1, header2, header3 }.ToList(), new[] { validString1, validString2, invalidString1, validString3 });
             dataset.Add(new[] { header1, header2, header3 }.ToList(), new[] { validString1, validString2, validString3, invalidString1 });
-            dataset.Add(new[] { header1, header2, header3 }.ToList(), new[] { string.Join(",", invalidString1, validString1, validString2, validString3) });
-            dataset.Add(new[] { header1, header2, header3 }.ToList(), new[] { string.Join(",", validString1, invalidString1, validString2, validString3) });
-            dataset.Add(new[] { header1, header2, header3 }.ToList(), new[] { string.Join(",", validString1, validString2, invalidString1, validString3) });
-            dataset.Add(new[] { header1, header2, header3 }.ToList(), new[] { string.Join(",", validString1, validString2, validString3, invalidString1) });
+            dataset.Add(null, new[] { string.Join(",", invalidString1, validString1, validString2, validString3) });
+            dataset.Add(null, new[] { string.Join(",", validString1, invalidString1, validString2, validString3) });
+            dataset.Add(null, new[] { string.Join(",", validString1, validString2, invalidString1, validString3) });
+            dataset.Add(null, new[] { string.Join(",", validString1, validString2, validString3, invalidString1) });
+            dataset.Add(null, new[] { string.Join(",", validString1, validString2, validString3) });
             dataset.Add(new[] { header1, header2, header3 }.ToList(), new[] { string.Join(";", invalidString1, validString1, validString2, validString3) });
             dataset.Add(new[] { header1, header2, header3 }.ToList(), new[] { string.Join(";", validString1, invalidString1, validString2, validString3) });
             dataset.Add(new[] { header1, header2, header3 }.ToList(), new[] { string.Join(";", validString1, validString2, invalidString1, validString3) });
@@ -248,7 +260,7 @@ public void CookieHeaderValue_ParseList_AcceptsValidValues(IList<CookieHeaderVal
     }
 
     [Theory]
-    [MemberData(nameof(ListOfCookieHeaderDataSet))]
+    [MemberData(nameof(ListOfStrictCookieHeaderDataSet))]
     public void CookieHeaderValue_ParseStrictList_AcceptsValidValues(IList<CookieHeaderValue> cookies, string[] input)
     {
         var results = CookieHeaderValue.ParseStrictList(input);
@@ -267,7 +279,7 @@ public void CookieHeaderValue_TryParseList_AcceptsValidValues(IList<CookieHeader
     }
 
     [Theory]
-    [MemberData(nameof(ListOfCookieHeaderDataSet))]
+    [MemberData(nameof(ListOfStrictCookieHeaderDataSet))]
     public void CookieHeaderValue_TryParseStrictList_AcceptsValidValues(IList<CookieHeaderValue> cookies, string[] input)
     {
         var result = CookieHeaderValue.TryParseStrictList(input, out var results);
diff --git a/src/Http/Http/test/RequestCookiesCollectionTests.cs b/src/Http/Http/test/RequestCookiesCollectionTests.cs
@@ -33,15 +33,22 @@ public void ParseManyCookies()
     [Theory]
     [InlineData(",", null)]
     [InlineData(";", null)]
-    [InlineData("er=dd,cc,bb", new[] { "dd" })]
-    [InlineData("er=dd,err=cc,errr=bb", new[] { "dd", "cc", "bb" })]
-    [InlineData("errorcookie=dd,:(\"sa;", new[] { "dd" })]
+    [InlineData("er=dd,cc,bb", null)]
+    [InlineData("er=dd,err=cc,errr=bb", null)]
+    [InlineData("errorcookie=dd,:(\"sa;", null)]
     [InlineData("s;", null)]
+    [InlineData("a@a=a;", null)]
+    [InlineData("a@ a=a;", null)]
+    [InlineData("a a=a;", null)]
+    [InlineData(",a=a;", null)]
+    [InlineData(",a=a", null)]
+    [InlineData("a=a;,b=b", new []{ "a" })] // valid cookie followed by invalid cookie
+    [InlineData(",a=a;b=b", new[] { "b" })] // invalid cookie followed by valid cookie
     public void ParseInvalidCookies(string cookieToParse, string[] expectedCookieValues)
     {
         var cookies = RequestCookieCollection.Parse(new StringValues(new[] { cookieToParse }));
 
-        if(expectedCookieValues == null)
+        if (expectedCookieValues == null)
         {
             Assert.Equal(0, cookies.Count);
             return;
diff --git a/src/Http/Shared/CookieHeaderParserShared.cs b/src/Http/Shared/CookieHeaderParserShared.cs
@@ -83,6 +83,17 @@ public static bool TryParseValue(StringSegment value, ref int index, bool suppor
 
         if (!TryGetCookieLength(value, ref current, out parsedName, out parsedValue))
         {
+            var separatorIndex = value.IndexOf(';', current);
+            if (separatorIndex > 0)
+            {
+                // Skip the invalid values and keep trying.
+                index = separatorIndex;
+            }
+            else
+            {
+                // No more separators, so we're done.
+                index = value.Length;
+            }
             return false;
         }
 
@@ -91,6 +102,17 @@ public static bool TryParseValue(StringSegment value, ref int index, bool suppor
         // If we support multiple values and we've not reached the end of the string, then we must have a separator.
         if ((separatorFound && !supportsMultipleValues) || (!separatorFound && (current < value.Length)))
         {
+            var separatorIndex = value.IndexOf(';', current);
+            if (separatorIndex > 0)
+            {
+                // Skip the invalid values and keep trying.
+                index = separatorIndex;
+            }
+            else
+            {
+                // No more separators, so we're done.
+                index = value.Length;
+            }
             return false;
         }
 
@@ -106,7 +128,7 @@ private static int GetNextNonEmptyOrWhitespaceIndex(StringSegment input, int sta
         separatorFound = false;
         var current = startIndex + HttpRuleParser.GetWhitespaceLength(input, startIndex);
 
-        if ((current == input.Length) || (input[current] != ',' && input[current] != ';'))
+        if (current == input.Length || input[current] != ';')
         {
             return current;
         }
@@ -119,8 +141,8 @@ private static int GetNextNonEmptyOrWhitespaceIndex(StringSegment input, int sta
 
         if (skipEmptyValues)
         {
-            // Most headers only split on ',', but cookies primarily split on ';'
-            while ((current < input.Length) && ((input[current] == ',') || (input[current] == ';')))
+            // Cookies are split on ';'
+            while (current < input.Length && input[current] == ';')
             {
                 current++; // skip delimiter.
                 current = current + HttpRuleParser.GetWhitespaceLength(input, current);
@@ -130,6 +152,18 @@ private static int GetNextNonEmptyOrWhitespaceIndex(StringSegment input, int sta
         return current;
     }
 
+    /*
+     * https://www.rfc-editor.org/rfc/rfc6265#section-4.1.1
+     * cookie-pair       = cookie-name "=" cookie-value
+     * cookie-name       = token
+     * token          = 1*<any CHAR except CTLs or separators>
+       separators     = "(" | ")" | "<" | ">" | "@"
+                      | "," | ";" | ":" | "\" | <">
+                      | "/" | "[" | "]" | "?" | "="
+                      | "{" | "}" | SP | HT
+       CTL            = <any US-ASCII control character
+                        (octets 0 - 31) and DEL (127)>
+     */
     // name=value; name="value"
     internal static bool TryGetCookieLength(StringSegment input, ref int offset, [NotNullWhen(true)] out StringSegment? parsedName, [NotNullWhen(true)] out StringSegment? parsedValue)
     {
