Commit
fix: Use default cookie decoder instead of bare native
SvelteKit currently depends on cookie@0.6.0 which has a known
security vulnerability. Users can create an override if they do
not need to keep the backward compatibility.

cookie@0.6.0 wraps the passed decoder in try..catch but the new
version does not. When overriding, `cookies.get` will throw
if the passed-in cookie contains malformed content.

In both cases the default `decode` of the `cookie` library also
has a small performance optimization, so removing the passing of
decodeURIComponent should be a win already.
kkarikos committed Nov 21, 2024
1 parent 94c45b9 commit 87955d8
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions packages/kit/src/runtime/server/cookie.js
@@ -67,8 +67,8 @@ export function get_cookies(request, url, trailing_slash) {
return c.value;
}

const decoder = opts?.decode || decodeURIComponent;
const req_cookies = parse(header, { decode: decoder });
// `parse` uses default decoder if `opts.decode` is undefined
const req_cookies = parse(header, { decode: opts?.decode });
const cookie = req_cookies[name]; // the decoded string or undefined

// in development, if the cookie was set during this session with `cookies.set`,
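Review bot: the new `parse(header, { decode: opts?.decode })` call changes failure behaviour for callers that still pass their own decoder. The commit message says cookie@0.6.0 wrapped the passed decoder in try..catch and the newer version does not, so once the dependency is overridden, a caller passing `decode: decodeURIComponent` explicitly will see `cookies.get` throw on a malformed percent sequence instead of getting `undefined`; that is a behaviour change worth documenting in the `@param opts` JSDoc for `get`, and worth a unit test that feeds a malformed cookie value through both the default path and an explicit `decode` option so the difference is pinned down. Also confirm that `decodeURIComponent` is not referenced anywhere else in `cookie.js` now that both local uses are gone, so no dead fallback remains.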
@@ -95,8 +95,8 @@ export function get_cookies(request, url, trailing_slash) {
* @param {import('cookie').CookieParseOptions} opts
*/
getAll(opts) {
const decoder = opts?.decode || decodeURIComponent;
const cookies = parse(header, { decode: decoder });
// `parse` uses default decoder if `opts.decode` is undefined
const cookies = parse(header, { decode: opts?.decode });

for (const c of Object.values(new_cookies)) {
if (
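Review bot: this is the same two-line change as in `get`, with the same inline comment duplicated; consider a small shared helper (or a single comment at the top of `get_cookies`) so the decode behaviour is described once and the two call sites cannot drift. The JSDoc for `getAll` already declares `@param {import('cookie').CookieParseOptions} opts`, so the note about the default decoder being used when `opts.decode` is undefined, and about a caller-supplied decoder being able to throw on malformed input, belongs there rather than only in the code comment.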

0 comments on commit 87955d8