Follow-up from PR #22 review.
Context
src/modes/injection/cookie-extractor.mts currently passes extracted session cookie values verbatim into the outbound `Cookie` header in `session-grant-client.mts`:
```ts
Cookie: `${cfg.sessionCookieName}=${sessionCookieValue}`,
```
Risk
If a session cookie value contains `;`, `,`, control characters, or whitespace (outside of RFC 6265 `cookie-octet` grammar), the outbound `Cookie` header to the provider could be malformed or — in combination with a permissive provider cookie parser — smuggle an additional cookie token.
Why deferred
Default session stores (express-session, Redis-backed sid, connect.sid) produce hex/base64url-safe values. The risk is bounded to custom session stores producing ill-formed values, which is uncommon. Deferred from PR #22 review per maintainer discretion.
Proposed fix
Validate the extracted value against the RFC 6265 `cookie-octet` grammar in `extractCookie`, treating non-conforming values as missing (`return null`). Add a test for each rejected character class.
Alternatively, document the contract explicitly in the spec and rely on upstream HTTP parsing (Node's `http.IncomingMessage.headers.cookie`) to have already filtered malformed headers.
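One possible shape for the first option, added here as an illustration rather than the project's own code: the function names `validateCookieValue` and `buildCookieHeader` and the sample values are assumptions, and the character ranges come straight from the RFC 6265 `cookie-octet` production.

```typescript
// Added example (not the project's own code): validate an extracted session
// cookie value against the RFC 6265 `cookie-octet` grammar before it is
// interpolated into the outbound `Cookie` header.
//
// cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
//   i.e. printable US-ASCII except CTLs, SP, DQUOTE, comma, semicolon, backslash
// cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
const COOKIE_OCTET_RE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

export function isCookieOctetString(value: string): boolean {
  return COOKIE_OCTET_RE.test(value);
}

/**
 * Returns the value unchanged if it is a well-formed RFC 6265 cookie-value,
 * otherwise null so the caller treats the cookie as missing.
 */
export function validateCookieValue(value: string | null | undefined): string | null {
  if (value == null) return null;
  // RFC 6265 section 4.1.1 also permits the DQUOTE-wrapped form; the quotes
  // themselves are not cookie-octets, so strip exactly one matched pair.
  const inner =
    value.length >= 2 && value.startsWith('"') && value.endsWith('"')
      ? value.slice(1, -1)
      : value;
  return isCookieOctetString(inner) ? value : null;
}

/**
 * Builds the `name=value` pair for the outbound Cookie header, or null when
 * the extracted value is not safe to forward (hypothetical helper).
 */
export function buildCookieHeader(
  name: string,
  value: string | null | undefined,
): string | null {
  const safe = validateCookieValue(value);
  if (safe === null) return null;
  return `${name}=${safe}`;
}
```

A value such as `a;b=c` is rejected outright rather than escaped, because the grammar has no escape mechanism and a permissive parser on the provider side could otherwise read the suffix as a second cookie.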
Related