Ensure that cookie names over 256 characters are rejected by validation

2025-10-30 23:47:52 +02:00 · 2020-07-04 16:08:12 +01:00
parent eb933cc3f4
commit 3e13f3197f
2 changed files with 31 additions and 2 deletions
--- a/pkg/validation/cookie.go
+++ b/pkg/validation/cookie.go
@@ -35,11 +35,17 @@ func validateCookie(o options.Cookie) []string {
 }

 func validateCookieName(name string) []string {
+	msgs := []string{}
+
 	cookie := &http.Cookie{Name: name}
 	if cookie.String() == "" {
-		return []string{fmt.Sprintf("invalid cookie name: %q", name)}
+		msgs = append(msgs, fmt.Sprintf("invalid cookie name: %q", name))
 	}
-	return []string{}
+
+	if len(name) > 256 {
+		msgs = append(msgs, fmt.Sprintf("cookie name should be under 256 characters: cookie name is %d characters", len(name)))
+	}
+	return msgs
 }

 func validateCookieSecret(secret string) []string {
--- a/pkg/validation/cookie_test.go
+++ b/pkg/validation/cookie_test.go
@@ -1,6 +1,7 @@
 package validation

 import (
+	"strings"
 	"testing"
 	"time"

@@ -9,8 +10,12 @@ import (
 )

 func TestValidateCookie(t *testing.T) {
+	alphabet := "abcdefghijklmnopqrstuvwxyz"
+
 	validName := "_oauth2_proxy"
 	invalidName := "_oauth2;proxy" // Separater character not allowed
+	// 10 times the alphabet should be longer than 256 characters
+	longName := strings.Repeat(alphabet, 10)
 	validSecret := "secretthirtytwobytes+abcdefghijk"
 	invalidSecret := "abcdef"                                          // 6 bytes is not a valid size
 	validBase64Secret := "c2VjcmV0dGhpcnR5dHdvYnl0ZXMrYWJjZGVmZ2hpams" // Base64 encoding of "secretthirtytwobytes+abcdefghijk"
@@ -25,6 +30,7 @@ func TestValidateCookie(t *testing.T) {
 	}

 	invalidNameMsg := "invalid cookie name: \"_oauth2;proxy\""
+	longNameMsg := "cookie name should be under 256 characters: cookie name is 260 characters"
 	missingSecretMsg := "missing setting: cookie-secret"
 	invalidSecretMsg := "cookie_secret must be 16, 24, or 32 bytes to create an AES cipher, but is 6 bytes"
 	invalidBase64SecretMsg := "cookie_secret must be 16, 24, or 32 bytes to create an AES cipher, but is 10 bytes"
@@ -134,6 +140,23 @@ func TestValidateCookie(t *testing.T) {
 				invalidNameMsg,
 			},
 		},
+		{
+			name: "with a name that is too long",
+			cookie: options.Cookie{
+				Name:     longName,
+				Secret:   validSecret,
+				Domains:  emptyDomains,
+				Path:     "",
+				Expire:   time.Hour,
+				Refresh:  15 * time.Minute,
+				Secure:   true,
+				HTTPOnly: false,
+				SameSite: "",
+			},
+			errStrings: []string{
+				longNameMsg,
+			},
+		},
 		{
 			name: "with refresh longer than expire",
 			cookie: options.Cookie{