netwerk/cookie/CookieParser.cpp

/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "CookieParser.h"
#include "CookieLogging.h"

#include "mozilla/CheckedInt.h"
#include "mozilla/dom/nsMixedContentBlocker.h"
#include "mozilla/glean/GleanMetrics.h"
#include "mozilla/net/Cookie.h"
#include "mozilla/StaticPrefs_network.h"
#include "mozilla/TextUtils.h"
#include "nsIConsoleReportCollector.h"
#include "nsIScriptError.h"
#include "nsIURI.h"
#include "nsIURL.h"
#include "prprf.h"

constexpr char ATTRIBUTE_PATH[] = "path";
constexpr uint64_t ATTRIBUTE_MAX_LENGTH = 1024;

constexpr auto CONSOLE_CHIPS_CATEGORY = "cookiesCHIPS"_ns;
constexpr auto CONSOLE_OVERSIZE_CATEGORY = "cookiesOversize"_ns;
constexpr auto CONSOLE_REJECTION_CATEGORY = "cookiesRejection"_ns;
constexpr auto CONSOLE_SAMESITE_CATEGORY = "cookieSameSite"_ns;
constexpr auto CONSOLE_INVALID_ATTRIBUTE_CATEGORY = "cookieInvalidAttribute"_ns;
constexpr auto SAMESITE_MDN_URL =
    "https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/"
    u"SameSite"_ns;

namespace mozilla {
namespace net {

CookieParser::CookieParser(nsIConsoleReportCollector* aCRC, nsIURI* aHostURI)
    : mCRC(aCRC), mHostURI(aHostURI) {
  MOZ_COUNT_CTOR(CookieParser);
  MOZ_ASSERT(aCRC);
  MOZ_ASSERT(aHostURI);
}

CookieParser::~CookieParser() {
  MOZ_COUNT_DTOR(CookieParser);

#define COOKIE_LOGGING_WITH_NAME(category, x)                 \
  CookieLogging::LogMessageToConsole(                         \
      mCRC, mHostURI, nsIScriptError::errorFlag, category, x, \
      AutoTArray<nsString, 1>{NS_ConvertUTF8toUTF16(mCookieData.name())});

  switch (mRejection) {
    case NoRejection:
      break;

    case RejectedInvalidCharAttributes:
      COOKIE_LOGGING_WITH_NAME(CONSOLE_REJECTION_CATEGORY,
                               "CookieRejectedInvalidCharAttributes"_ns);
      break;

    case RejectedNoneRequiresSecure:
      COOKIE_LOGGING_WITH_NAME(CONSOLE_SAMESITE_CATEGORY,
                               "CookieRejectedNonRequiresSecure2"_ns);
      break;

    case RejectedPartitionedRequiresSecure:
      COOKIE_LOGGING_WITH_NAME(CONSOLE_REJECTION_CATEGORY,
                               "CookieRejectedPartitionedRequiresSecure"_ns);
      break;

    case RejectedEmptyNameAndValue:
      CookieLogging::LogMessageToConsole(
          mCRC, mHostURI, nsIScriptError::warningFlag,
          CONSOLE_REJECTION_CATEGORY, "CookieRejectedEmptyNameAndValue"_ns,
          nsTArray<nsString>());

      break;

    case RejectedNameValueOversize: {
      AutoTArray<nsString, 2> params = {
          NS_ConvertUTF8toUTF16(mCookieData.name())};

      nsString size;
      size.AppendInt(kMaxBytesPerCookie);
      params.AppendElement(size);

      CookieLogging::LogMessageToConsole(
          mCRC, mHostURI, nsIScriptError::warningFlag,
          CONSOLE_OVERSIZE_CATEGORY, "CookieOversize"_ns, params);
      break;
    }

    case RejectedInvalidCharName:
      COOKIE_LOGGING_WITH_NAME(CONSOLE_REJECTION_CATEGORY,
                               "CookieRejectedInvalidCharName"_ns);
      break;

    case RejectedInvalidDomain:
      COOKIE_LOGGING_WITH_NAME(CONSOLE_REJECTION_CATEGORY,
                               "CookieRejectedInvalidDomain"_ns);
      break;

    case RejectedInvalidPrefix:
      COOKIE_LOGGING_WITH_NAME(CONSOLE_REJECTION_CATEGORY,
                               "CookieRejectedInvalidPrefix"_ns);
      break;

    case RejectedInvalidCharValue:
      COOKIE_LOGGING_WITH_NAME(CONSOLE_REJECTION_CATEGORY,
                               "CookieRejectedInvalidCharValue"_ns);
      break;

    case RejectedHttpOnlyButFromScript:
      COOKIE_LOGGING_WITH_NAME(CONSOLE_REJECTION_CATEGORY,
                               "CookieRejectedHttpOnlyButFromScript"_ns);
      break;

    case RejectedSecureButNonHttps:
      COOKIE_LOGGING_WITH_NAME(CONSOLE_REJECTION_CATEGORY,
                               "CookieRejectedSecureButNonHttps"_ns);
      break;

    case RejectedForNonSameSiteness:
      COOKIE_LOGGING_WITH_NAME(CONSOLE_SAMESITE_CATEGORY,
                               "CookieRejectedForNonSameSiteness"_ns);
      break;

    case RejectedForeignNoPartitionedError:
      COOKIE_LOGGING_WITH_NAME(CONSOLE_CHIPS_CATEGORY,
                               "CookieForeignNoPartitionedError"_ns);
      break;

    case RejectedByPermissionManager:
      COOKIE_LOGGING_WITH_NAME(CONSOLE_REJECTION_CATEGORY,
                               "CookieRejectedByPermissionManager"_ns);
      break;

    case RejectedNonsecureOverSecure:
      COOKIE_LOGGING_WITH_NAME(CONSOLE_REJECTION_CATEGORY,
                               "CookieRejectedNonsecureOverSecure"_ns);
      break;
  }

#undef COOKIE_LOGGING_WITH_NAME

  if (mRejection != NoRejection || !mContainsCookie) {
    return;
  }

  for (const char* attribute : mWarnings.mAttributeOversize) {
    AutoTArray<nsString, 3> params = {NS_ConvertUTF8toUTF16(mCookieData.name()),
                                      NS_ConvertUTF8toUTF16(attribute)};

    nsString size;
    size.AppendInt(ATTRIBUTE_MAX_LENGTH);
    params.AppendElement(size);

    CookieLogging::LogMessageToConsole(
        mCRC, mHostURI, nsIScriptError::warningFlag, CONSOLE_OVERSIZE_CATEGORY,
        "CookieAttributeIgnored"_ns, params);
  }

  for (const char* attribute : mWarnings.mAttributeOverwritten) {
    CookieLogging::LogMessageToConsole(
        mCRC, mHostURI, nsIScriptError::warningFlag,
        CONSOLE_INVALID_ATTRIBUTE_CATEGORY, "CookieAttributeOverwritten"_ns,
        AutoTArray<nsString, 2>{NS_ConvertUTF8toUTF16(mCookieData.name()),
                                NS_ConvertUTF8toUTF16(attribute)});
  }

  if (mWarnings.mInvalidSameSiteAttribute) {
    CookieLogging::LogMessageToConsole(
        mCRC, mHostURI, nsIScriptError::infoFlag, CONSOLE_SAMESITE_CATEGORY,
        "CookieSameSiteValueInvalid2"_ns,
        AutoTArray<nsString, 1>{NS_ConvertUTF8toUTF16(mCookieData.name())});
  }

  if (mWarnings.mInvalidMaxAgeAttribute) {
    CookieLogging::LogMessageToConsole(
        mCRC, mHostURI, nsIScriptError::infoFlag,
        CONSOLE_INVALID_ATTRIBUTE_CATEGORY, "CookieInvalidMaxAgeAttribute"_ns,
        AutoTArray<nsString, 1>{NS_ConvertUTF8toUTF16(mCookieData.name())});
  }

  if (mWarnings.mSameSiteNoneRequiresSecureForBeta) {
    CookieLogging::LogMessageToConsole(
        mCRC, mHostURI, nsIScriptError::warningFlag, CONSOLE_SAMESITE_CATEGORY,
        "CookieRejectedNonRequiresSecureForBeta3"_ns,
        AutoTArray<nsString, 2>{NS_ConvertUTF8toUTF16(mCookieData.name()),
                                SAMESITE_MDN_URL});
  }

  if (mWarnings.mSameSiteLaxForced) {
    CookieLogging::LogMessageToConsole(
        mCRC, mHostURI, nsIScriptError::infoFlag, CONSOLE_SAMESITE_CATEGORY,
        "CookieLaxForced2"_ns,
        AutoTArray<nsString, 1>{NS_ConvertUTF8toUTF16(mCookieData.name())});
  }

  if (mWarnings.mSameSiteLaxForcedForBeta) {
    CookieLogging::LogMessageToConsole(
        mCRC, mHostURI, nsIScriptError::warningFlag, CONSOLE_SAMESITE_CATEGORY,
        "CookieLaxForcedForBeta2"_ns,
        AutoTArray<nsString, 2>{NS_ConvertUTF8toUTF16(mCookieData.name()),
                                SAMESITE_MDN_URL});
  }

  if (mWarnings.mForeignNoPartitionedWarning) {
    CookieLogging::LogMessageToConsole(
        mCRC, mHostURI, nsIScriptError::warningFlag, CONSOLE_CHIPS_CATEGORY,
        "CookieForeignNoPartitionedWarning"_ns,
        AutoTArray<nsString, 1>{
            NS_ConvertUTF8toUTF16(mCookieData.name()),
        });
  }
}

// clang-format off
// The following comment block elucidates the function of ParseAttributes.
/******************************************************************************
 ** Augmented BNF, modified from RFC2109 Section 4.2.2 and RFC2616 Section 2.1
 ** please note: this BNF deviates from both specifications, and reflects this
 ** implementation. <bnf> indicates a reference to the defined grammar "bnf".

 ** Differences from RFC2109/2616 and explanations:
    1. implied *LWS
         The grammar described by this specification is word-based. Except
         where noted otherwise, linear white space (<LWS>) can be included
         between any two adjacent words (token or quoted-string), and
         between adjacent words and separators, without changing the
         interpretation of a field.
       <LWS> according to spec is SP|HT|CR|LF, but here, we allow only SP | HT.

    2. We use CR | LF as cookie separators, not ',' per spec, since ',' is in
       common use inside values.

    3. tokens and values have looser restrictions on allowed characters than
       spec. This is also due to certain characters being in common use inside
       values. We allow only '=' to separate token/value pairs, and ';' to
       terminate tokens or values. <LWS> is allowed within tokens and values
       (see bug 206022).

    4. where appropriate, full <OCTET>s are allowed, where the spec dictates to
       reject control chars or non-ASCII chars. This is erring on the loose
       side, since there's probably no good reason to enforce this strictness.

    5. Attribute "HttpOnly", not covered in the RFCs, is supported
       (see bug 178993).

 ** Begin BNF:
    token         = 1*<any allowed-chars except separators>
    value         = 1*<any allowed-chars except value-sep>
    separators    = ";" | "="
    value-sep     = ";"
    cookie-sep    = CR | LF
    allowed-chars = <any OCTET except cookie-sep>
    OCTET         = <any 8-bit sequence of data>
    LWS           = SP | HT
    CR            = <US-ASCII CR, carriage return (13)>
    LF            = <US-ASCII LF, linefeed (10)>
    SP            = <US-ASCII SP, space (32)>
    HT            = <US-ASCII HT, horizontal-tab (9)>

    set-cookie    = "Set-Cookie:" cookies
    cookies       = cookie *( cookie-sep cookie )
    cookie        = [NAME "="] VALUE *(";" cookie-av)    ; cookie NAME/VALUE must come first
    NAME          = token                                ; cookie name
    VALUE         = value                                ; cookie value
    cookie-av     = token ["=" value]

    valid values for cookie-av (checked post-parsing) are:
    cookie-av     = "Path"    "=" value
                  | "Domain"  "=" value
                  | "Expires" "=" value
                  | "Max-Age" "=" value
                  | "Comment" "=" value
                  | "Version" "=" value
                  | "Partitioned"
                  | "SameSite"
                  | "Secure"
                  | "HttpOnly"

******************************************************************************/
// clang-format on

// helper functions for GetTokenValue
static inline bool iswhitespace(char c) { return c == ' ' || c == '\t'; }
static inline bool isterminator(char c) { return c == '\n' || c == '\r'; }
static inline bool isvalueseparator(char c) {
  return isterminator(c) || c == ';';
}
static inline bool istokenseparator(char c) {
  return isvalueseparator(c) || c == '=';
}

// Parse a single token/value pair.
// Returns true if a cookie terminator is found, so caller can parse new cookie.
// static
bool CookieParser::GetTokenValue(nsACString::const_char_iterator& aIter,
                                 nsACString::const_char_iterator& aEndIter,
                                 nsDependentCSubstring& aTokenString,
                                 nsDependentCSubstring& aTokenValue,
                                 bool& aEqualsFound) {
  nsACString::const_char_iterator start;
  nsACString::const_char_iterator lastSpace;
  // initialize value string to clear garbage
  aTokenValue.Rebind(aIter, aIter);

  // find <token>, including any <LWS> between the end-of-token and the
  // token separator. we'll remove trailing <LWS> next
  while (aIter != aEndIter && iswhitespace(*aIter)) {
    ++aIter;
  }
  start = aIter;
  while (aIter != aEndIter && !istokenseparator(*aIter)) {
    ++aIter;
  }

  // remove trailing <LWS>; first check we're not at the beginning
  lastSpace = aIter;
  if (lastSpace != start) {
    while (--lastSpace != start && iswhitespace(*lastSpace)) {
    }
    ++lastSpace;
  }
  aTokenString.Rebind(start, lastSpace);

  aEqualsFound = (*aIter == '=');
  if (aEqualsFound) {
    // find <value>
    while (++aIter != aEndIter && iswhitespace(*aIter)) {
    }

    start = aIter;

    // process <token>
    // just look for ';' to terminate ('=' allowed)
    while (aIter != aEndIter && !isvalueseparator(*aIter)) {
      ++aIter;
    }

    // remove trailing <LWS>; first check we're not at the beginning
    if (aIter != start) {
      lastSpace = aIter;
      while (--lastSpace != start && iswhitespace(*lastSpace)) {
      }

      aTokenValue.Rebind(start, ++lastSpace);
    }
  }

  // aIter is on ';', or terminator, or EOS
  if (aIter != aEndIter) {
    // if on terminator, increment past & return true to process new cookie
    if (isterminator(*aIter)) {
      ++aIter;
      return true;
    }
    // fall-through: aIter is on ';', increment and return false
    ++aIter;
  }
  return false;
}

static inline void SetSameSiteAttribute(CookieStruct& aCookieData,
                                        int32_t aValue) {
  aCookieData.sameSite() = aValue;
  aCookieData.rawSameSite() = aValue;
}

// Tests for control characters, defined by RFC 5234 to be %x00-1F / %x7F.
// An exception is made for HTAB as the cookie spec treats that as whitespace.
static bool ContainsControlChars(const nsACString& aString) {
  const auto* start = aString.BeginReading();
  const auto* end = aString.EndReading();

  return std::find_if(start, end, [](unsigned char c) {
           return (c <= 0x1F && c != 0x09) || c == 0x7F;
         }) != end;
}

static inline void SetSameSiteAttributeDefault(CookieStruct& aCookieData) {
  // Set cookie with SameSite attribute that is treated as Default
  // and doesn't requires changing the DB schema.
  aCookieData.sameSite() = nsICookie::SAMESITE_LAX;
  aCookieData.rawSameSite() = nsICookie::SAMESITE_NONE;
}

bool CookieParser::CheckAttributeSize(const nsACString& currentValue,
                                      const char* aAttribute,
                                      const nsACString& aValue) {
  if (aValue.Length() > ATTRIBUTE_MAX_LENGTH) {
    mWarnings.mAttributeOversize.AppendElement(aAttribute);
    return false;
  }

  if (!currentValue.IsEmpty()) {
    mWarnings.mAttributeOverwritten.AppendElement(aAttribute);
  }

  return true;
}

// Parses attributes from cookie header. expires/max-age attributes aren't
// folded into the cookie struct here, because we don't know which one to use
// until we've parsed the header.
bool CookieParser::ParseAttributes(nsCString& aCookieHeader,
                                   nsACString& aExpires, nsACString& aMaxage,
                                   bool& aAcceptedByParser) {
  aAcceptedByParser = false;

  static const char kDomain[] = "domain";
  static const char kExpires[] = "expires";
  static const char kMaxage[] = "max-age";
  static const char kSecure[] = "secure";
  static const char kHttpOnly[] = "httponly";
  static const char kSameSite[] = "samesite";
  static const char kSameSiteLax[] = "lax";
  static const char kSameSiteNone[] = "none";
  static const char kSameSiteStrict[] = "strict";
  static const char kPartitioned[] = "partitioned";

  nsACString::const_char_iterator cookieStart;
  aCookieHeader.BeginReading(cookieStart);

  nsACString::const_char_iterator cookieEnd;
  aCookieHeader.EndReading(cookieEnd);

  mCookieData.isSecure() = false;
  mCookieData.isHttpOnly() = false;
  mCookieData.isPartitioned() = false;

  SetSameSiteAttributeDefault(mCookieData);

  nsDependentCSubstring tokenString(cookieStart, cookieStart);
  nsDependentCSubstring tokenValue(cookieStart, cookieStart);
  bool newCookie;
  bool equalsFound;

  // extract cookie <NAME> & <VALUE> (first attribute), and copy the strings.
  // if we find multiple cookies, return for processing
  // note: if there's no '=', we assume token is <VALUE>. this is required by
  //       some sites (see bug 169091).
  // XXX fix the parser to parse according to <VALUE> grammar for this case
  newCookie = GetTokenValue(cookieStart, cookieEnd, tokenString, tokenValue,
                            equalsFound);
  if (equalsFound) {
    mCookieData.name() = tokenString;
    mCookieData.value() = tokenValue;
  } else {
    mCookieData.value() = tokenString;
  }

  // extract remaining attributes
  while (cookieStart != cookieEnd && !newCookie) {
    newCookie = GetTokenValue(cookieStart, cookieEnd, tokenString, tokenValue,
                              equalsFound);

    if (ContainsControlChars(tokenString) || ContainsControlChars(tokenValue)) {
      RejectCookie(RejectedInvalidCharAttributes);
      return newCookie;
    }

    // decide which attribute we have, and copy the string
    if (tokenString.LowerCaseEqualsLiteral(ATTRIBUTE_PATH)) {
      if (CheckAttributeSize(mCookieData.path(), ATTRIBUTE_PATH, tokenValue)) {
        mCookieData.path() = tokenValue;
      }

    } else if (tokenString.LowerCaseEqualsLiteral(kDomain)) {
      if (CheckAttributeSize(mCookieData.host(), kDomain, tokenValue)) {
        mCookieData.host() = tokenValue;
      }

    } else if (tokenString.LowerCaseEqualsLiteral(kExpires)) {
      if (CheckAttributeSize(aExpires, kExpires, tokenValue)) {
        aExpires = tokenValue;
      }

    } else if (tokenString.LowerCaseEqualsLiteral(kMaxage)) {
      if (CheckAttributeSize(aMaxage, kMaxage, tokenValue)) {
        aMaxage = tokenValue;
      }

      // ignore any tokenValue for isSecure; just set the boolean
    } else if (tokenString.LowerCaseEqualsLiteral(kSecure)) {
      mCookieData.isSecure() = true;

      // ignore any tokenValue for isPartitioned; just set the boolean
    } else if (tokenString.LowerCaseEqualsLiteral(kPartitioned)) {
      mCookieData.isPartitioned() = true;

      // ignore any tokenValue for isHttpOnly (see bug 178993);
      // just set the boolean
    } else if (tokenString.LowerCaseEqualsLiteral(kHttpOnly)) {
      mCookieData.isHttpOnly() = true;

    } else if (tokenString.LowerCaseEqualsLiteral(kSameSite)) {
      if (tokenValue.LowerCaseEqualsLiteral(kSameSiteLax)) {
        SetSameSiteAttribute(mCookieData, nsICookie::SAMESITE_LAX);
      } else if (tokenValue.LowerCaseEqualsLiteral(kSameSiteStrict)) {
        SetSameSiteAttribute(mCookieData, nsICookie::SAMESITE_STRICT);
      } else if (tokenValue.LowerCaseEqualsLiteral(kSameSiteNone)) {
        SetSameSiteAttribute(mCookieData, nsICookie::SAMESITE_NONE);
      } else {
        // Reset to Default if unknown token value (see Bug 1682450)
        SetSameSiteAttributeDefault(mCookieData);
        mWarnings.mInvalidSameSiteAttribute = true;
      }
    }
  }

  // re-assign aCookieHeader, in case we need to process another cookie
  aCookieHeader.Assign(Substring(cookieStart, cookieEnd));

  // If same-site is explicitly set to 'none' but this is not a secure context,
  // let's abort the parsing.
  if (!mCookieData.isSecure() &&
      mCookieData.sameSite() == nsICookie::SAMESITE_NONE) {
    if (StaticPrefs::network_cookie_sameSite_noneRequiresSecure()) {
      RejectCookie(RejectedNoneRequiresSecure);
      return newCookie;
    }

    // Still warn about the missing Secure attribute when not enforcing.
    mWarnings.mSameSiteNoneRequiresSecureForBeta = true;
  }

  // Ensure the partitioned cookie is set with the secure attribute if CHIPS
  // is enabled.
  if (StaticPrefs::network_cookie_CHIPS_enabled() &&
      mCookieData.isPartitioned() && !mCookieData.isSecure()) {
    RejectCookie(RejectedPartitionedRequiresSecure);
    return newCookie;
  }

  if (mCookieData.rawSameSite() == nsICookie::SAMESITE_NONE &&
      mCookieData.sameSite() == nsICookie::SAMESITE_LAX) {
    bool laxByDefault =
        StaticPrefs::network_cookie_sameSite_laxByDefault() &&
        !nsContentUtils::IsURIInPrefList(
            mHostURI, "network.cookie.sameSite.laxByDefault.disabledHosts");
    if (laxByDefault) {
      mWarnings.mSameSiteLaxForced = true;
    } else if (StaticPrefs::
                   network_cookie_sameSite_laxByDefaultWarningsForBeta()) {
      mWarnings.mSameSiteLaxForcedForBeta = true;
    }
  }

  // Cookie accepted.
  aAcceptedByParser = true;

  MOZ_ASSERT(Cookie::ValidateSameSite(mCookieData));
  return newCookie;
}

namespace {

nsAutoCString GetPathFromURI(nsIURI* aHostURI) {
  // strip down everything after the last slash to get the path,
  // ignoring slashes in the query string part.
  // if we can QI to nsIURL, that'll take care of the query string portion.
  // otherwise, it's not an nsIURL and can't have a query string, so just find
  // the last slash.
  nsAutoCString path;
  nsCOMPtr<nsIURL> hostURL = do_QueryInterface(aHostURI);
  if (hostURL) {
    hostURL->GetDirectory(path);
  } else {
    aHostURI->GetPathQueryRef(path);
    int32_t slash = path.RFindChar('/');
    if (slash != kNotFound) {
      path.Truncate(slash + 1);
    }
  }

  // strip the right-most %x2F ("/") if the path doesn't contain only 1 '/'.
  int32_t lastSlash = path.RFindChar('/');
  int32_t firstSlash = path.FindChar('/');
  if (lastSlash != firstSlash && lastSlash != kNotFound &&
      lastSlash == static_cast<int32_t>(path.Length() - 1)) {
    path.Truncate(lastSlash);
  }

  return path;
}

}  // namespace

bool CookieParser::CheckPath() {
  // if a path is given, check the host has permission
  if (mCookieData.path().IsEmpty() || mCookieData.path().First() != '/') {
    nsAutoCString path = GetPathFromURI(mHostURI);
    if (CheckAttributeSize(mCookieData.path(), ATTRIBUTE_PATH, path)) {
      mCookieData.path() = path;
    }
  }

  MOZ_ASSERT(CookieCommons::CheckPathSize(mCookieData));

  return !mCookieData.path().Contains('\t');
}

// static
bool CookieParser::HasSecurePrefix(const nsACString& aString) {
  return StringBeginsWith(aString, "__Secure-"_ns,
                          nsCaseInsensitiveCStringComparator);
}

// static
bool CookieParser::HasHostPrefix(const nsACString& aString) {
  return StringBeginsWith(aString, "__Host-"_ns,
                          nsCaseInsensitiveCStringComparator);
}

// CheckPrefixes
//
// Reject cookies whose name starts with the magic prefixes from
// https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis
// if they do not meet the criteria required by the prefix.
//
// Must not be called until after CheckDomain() and CheckPath() have
// regularized and validated the CookieStruct values!
bool CookieParser::CheckPrefixes(CookieStruct& aCookieData,
                                 bool aSecureRequest) {
  bool hasSecurePrefix = HasSecurePrefix(aCookieData.name());
  bool hasHostPrefix = HasHostPrefix(aCookieData.name());

  if (!hasSecurePrefix && !hasHostPrefix) {
    // not one of the magic prefixes: carry on
    return true;
  }

  if (!aSecureRequest || !aCookieData.isSecure()) {
    // the magic prefixes may only be used from a secure request and
    // the secure attribute must be set on the cookie
    return false;
  }

  if (hasHostPrefix) {
    // The host prefix requires that the path is "/" and that the cookie
    // had no domain attribute. CheckDomain() and CheckPath() MUST be run
    // first to make sure invalid attributes are rejected and to regularlize
    // them. In particular all explicit domain attributes result in a host
    // that starts with a dot, and if the host doesn't start with a dot it
    // correctly matches the true host.
    if (aCookieData.host()[0] == '.' ||
        !aCookieData.path().EqualsLiteral("/")) {
      return false;
    }
  }

  return true;
}

bool CookieParser::ParseMaxAgeAttribute(const nsACString& aMaxage,
                                        int64_t* aValue) {
  MOZ_ASSERT(aValue);

  if (aMaxage.IsEmpty()) {
    return false;
  }

  nsACString::const_char_iterator iter;
  aMaxage.BeginReading(iter);

  nsACString::const_char_iterator end;
  aMaxage.EndReading(end);

  // Negative values mean that the cookie is already expired. Don't bother to
  // parse.
  if (*iter == '-') {
    *aValue = INT64_MIN;
    return true;
  }

  CheckedInt<int64_t> value(0);

  for (; iter != end; ++iter) {
    if (!mozilla::IsAsciiDigit(*iter)) {
      mWarnings.mInvalidMaxAgeAttribute = true;
      return false;
    }

    value *= 10;
    if (!value.isValid()) {
      *aValue = INT64_MAX;
      return true;
    }

    value += *iter - '0';
    if (!value.isValid()) {
      *aValue = INT64_MAX;
      return true;
    }
  }

  *aValue = value.value();
  return true;
}

bool CookieParser::GetExpiry(CookieStruct& aCookieData,
                             const nsACString& aExpires,
                             const nsACString& aMaxage, int64_t aCurrentTime,
                             const nsACString& aDateHeader, bool aFromHttp) {
  int64_t maxageCap = StaticPrefs::network_cookie_maxageCap();

  /* Determine when the cookie should expire. This is done by taking the
   * difference between the server time and the time the server wants the cookie
   * to expire, and adding that difference to the client time. This localizes
   * the client time regardless of whether or not the TZ environment variable
   * was set on the client.
   *
   * Note: We need to consider accounting for network lag here, per RFC.
   */
  // check for max-age attribute first; this overrides expires attribute
  int64_t maxage = 0;
  if (ParseMaxAgeAttribute(aMaxage, &maxage)) {
    if (maxage == INT64_MIN || maxage == INT64_MAX) {
      aCookieData.expiry() = maxage;
    } else {
      CheckedInt<int64_t> value(aCurrentTime);
      value += maxageCap ? std::min(maxage, maxageCap) : maxage;

      aCookieData.expiry() = value.isValid() ? value.value() : INT64_MAX;
    }

    return false;
  }

  // check for expires attribute
  if (!aExpires.IsEmpty()) {
    // parse expiry time
    PRTime expiresTime;
    if (PR_ParseTimeString(aExpires.BeginReading(), true, &expiresTime) !=
        PR_SUCCESS) {
      return true;
    }

    int64_t expires = expiresTime / int64_t(PR_USEC_PER_SEC);

    // If we have the server time, we can adjust the "expire" attribute value
    // by adding the delta between the server and the local times.  If the
    // current time is set in the future, we can consider valid cookies that
    // are not expired for the server.
    if (!aDateHeader.IsEmpty()) {
      MOZ_ASSERT(aFromHttp);

      PRTime dateHeaderTime;
      if (PR_ParseTimeString(aDateHeader.BeginReading(), true,
                             &dateHeaderTime) == PR_SUCCESS) {
        int64_t serverTime = dateHeaderTime / int64_t(PR_USEC_PER_SEC);
        int64_t delta = aCurrentTime - serverTime;

        if (StaticPrefs::network_cookie_useServerTime()) {
          expires += delta;
        } else if (expires <= aCurrentTime &&
                   (expires + delta) > aCurrentTime) {
          mozilla::glean::networking::set_cookie_expired_without_server_time
              .AddToNumerator(1);
        }
      }
    }

    // If set-cookie used absolute time to set expiration, and it can't use
    // client time to set expiration.
    // Because if current time be set in the future, but the cookie expire
    // time be set less than current time and more than server time.
    // The cookie item have to be used to the expired cookie.
    if (maxageCap) {
      aCookieData.expiry() = std::min(expires, aCurrentTime + maxageCap);
    } else {
      aCookieData.expiry() = expires;
    }

    return false;
  }

  // default to session cookie if no attributes found.  Here we don't need to
  // enforce the maxage cap, because session cookies are short-lived by
  // definition.
  return true;
}

// returns true if 'a' is equal to or a subdomain of 'b',
// assuming no leading dots are present.
static inline bool IsSubdomainOf(const nsACString& a, const nsACString& b) {
  if (a == b) {
    return true;
  }
  if (a.Length() > b.Length()) {
    return a[a.Length() - b.Length() - 1] == '.' && StringEndsWith(a, b);
  }
  return false;
}

// processes domain attribute, and returns true if host has permission to set
// for this domain.
// static
bool CookieParser::CheckDomain(CookieStruct& aCookieData, nsIURI* aHostURI,
                               const nsACString& aBaseDomain,
                               bool aRequireHostMatch) {
  // Note: The logic in this function is mirrored in
  // toolkit/components/extensions/ext-cookies.js:checkSetCookiePermissions().
  // If it changes, please update that function, or file a bug for someone
  // else to do so.

  // get host from aHostURI
  nsAutoCString hostFromURI;
  nsContentUtils::GetHostOrIPv6WithBrackets(aHostURI, hostFromURI);

  // if a domain is given, check the host has permission
  if (!aCookieData.host().IsEmpty()) {
    // Tolerate leading '.' characters, but not if it's otherwise an empty host.
    if (aCookieData.host().Length() > 1 && aCookieData.host().First() == '.') {
      aCookieData.host().Cut(0, 1);
    }

    // switch to lowercase now, to avoid case-insensitive compares everywhere
    ToLowerCase(aCookieData.host());

    // check whether the host is either an IP address, an alias such as
    // 'localhost', an eTLD such as 'co.uk', or the empty string. in these
    // cases, require an exact string match for the domain, and leave the cookie
    // as a non-domain one. bug 105917 originally noted the requirement to deal
    // with IP addresses.
    if (aRequireHostMatch) {
      return hostFromURI.Equals(aCookieData.host());
    }

    // ensure the proposed domain is derived from the base domain; and also
    // that the host domain is derived from the proposed domain (per RFC2109).
    if (IsSubdomainOf(aCookieData.host(), aBaseDomain) &&
        IsSubdomainOf(hostFromURI, aCookieData.host())) {
      // prepend a dot to indicate a domain cookie
      aCookieData.host().InsertLiteral(".", 0);
      return true;
    }

    /*
     * note: RFC2109 section 4.3.2 requires that we check the following:
     * that the portion of host not in domain does not contain a dot.
     * this prevents hosts of the form x.y.co.nz from setting cookies in the
     * entire .co.nz domain. however, it's only a only a partial solution and
     * it breaks sites (IE doesn't enforce it), so we don't perform this check.
     */
    return false;
  }

  // no domain specified, use hostFromURI
  aCookieData.host() = hostFromURI;
  return true;
}

static void RecordPartitionedTelemetry(const CookieStruct& aCookieData,
                                       bool aIsForeign) {
  mozilla::glean::networking::set_cookie.Add(1);
  if (aCookieData.isPartitioned()) {
    mozilla::glean::networking::set_cookie_partitioned.AddToNumerator(1);
  }
  if (aIsForeign) {
    mozilla::glean::networking::set_cookie_foreign.AddToNumerator(1);
  }
  if (aIsForeign && aCookieData.isPartitioned()) {
    mozilla::glean::networking::set_cookie_foreign_partitioned.AddToNumerator(
        1);
  }
}

// processes a single cookie, and returns true if there are more cookies
// to be processed
bool CookieParser::Parse(const nsACString& aBaseDomain, bool aRequireHostMatch,
                         CookieStatus aStatus, nsCString& aCookieHeader,
                         const nsACString& aDateHeader, bool aFromHttp,
                         bool aIsForeignAndNotAddon, bool aPartitionedOnly,
                         bool aIsInPrivateBrowsing) {
  MOZ_ASSERT(!mContainsCookie);

  // init expiryTime such that session cookies won't prematurely expire
  mCookieData.expiry() = INT64_MAX;

  mCookieData.schemeMap() = CookieCommons::URIToSchemeType(mHostURI);

  // aCookieHeader is an in/out param to point to the next cookie, if
  // there is one. Save the present value for logging purposes
  mCookieString.Assign(aCookieHeader);

  // newCookie says whether there are multiple cookies in the header;
  // so we can handle them separately.
  nsAutoCString expires;
  nsAutoCString maxage;
  bool acceptedByParser = false;
  bool newCookie =
      ParseAttributes(aCookieHeader, expires, maxage, acceptedByParser);
  if (!acceptedByParser) {
    return newCookie;
  }

  // Collect telemetry on how often secure cookies are set from non-secure
  // origins, and vice-versa.
  //
  // 0 = nonsecure and "http:"
  // 1 = nonsecure and "https:"
  // 2 = secure and "http:"
  // 3 = secure and "https:"
  bool potentiallyTrustworthy =
      nsMixedContentBlocker::IsPotentiallyTrustworthyOrigin(mHostURI);

  int64_t currentTimeInUsec = PR_Now();

  // calculate expiry time of cookie.
  mCookieData.isSession() =
      GetExpiry(mCookieData, expires, maxage,
                currentTimeInUsec / PR_USEC_PER_SEC, aDateHeader, aFromHttp);
  if (aStatus == STATUS_ACCEPT_SESSION) {
    // force lifetime to session. note that the expiration time, if set above,
    // will still apply.
    mCookieData.isSession() = true;
  }

  // reject cookie if name and value are empty, per RFC6265bis
  if (mCookieData.name().IsEmpty() && mCookieData.value().IsEmpty()) {
    COOKIE_LOGFAILURE(SET_COOKIE, mHostURI, mCookieString,
                      "cookie name and value are empty");

    RejectCookie(RejectedEmptyNameAndValue);
    return newCookie;
  }

  // reject cookie if it's over the size limit, per RFC2109
  if (!CookieCommons::CheckNameAndValueSize(mCookieData)) {
    COOKIE_LOGFAILURE(SET_COOKIE, mHostURI, mCookieString,
                      "cookie too big (> 4kb)");
    RejectCookie(RejectedNameValueOversize);
    return newCookie;
  }

  // We count SetCookie operations in the parent process only for HTTP set
  // cookies to prevent double counting.
  if (XRE_IsParentProcess() || !aFromHttp) {
    RecordPartitionedTelemetry(mCookieData, aIsForeignAndNotAddon);
  }

  if (!CookieCommons::CheckName(mCookieData)) {
    COOKIE_LOGFAILURE(SET_COOKIE, mHostURI, mCookieString,
                      "invalid name character");
    RejectCookie(RejectedInvalidCharName);
    return newCookie;
  }

  // domain & path checks
  if (!CheckDomain(mCookieData, mHostURI, aBaseDomain, aRequireHostMatch)) {
    COOKIE_LOGFAILURE(SET_COOKIE, mHostURI, mCookieString,
                      "failed the domain tests");
    RejectCookie(RejectedInvalidDomain);
    return newCookie;
  }

  if (!CheckPath()) {
    COOKIE_LOGFAILURE(SET_COOKIE, mHostURI, mCookieString,
                      "failed the path tests");
    return newCookie;
  }

  // If a cookie is nameless, then its value must not start with
  // `__Host-` or `__Secure-`
  if (mCookieData.name().IsEmpty() && (HasSecurePrefix(mCookieData.value()) ||
                                       HasHostPrefix(mCookieData.value()))) {
    COOKIE_LOGFAILURE(SET_COOKIE, mHostURI, mCookieString,
                      "failed hidden prefix tests");
    RejectCookie(RejectedInvalidPrefix);
    return newCookie;
  }

  // magic prefix checks. MUST be run after CheckDomain() and CheckPath()
  if (!CheckPrefixes(mCookieData, potentiallyTrustworthy)) {
    COOKIE_LOGFAILURE(SET_COOKIE, mHostURI, mCookieString,
                      "failed the prefix tests");
    RejectCookie(RejectedInvalidPrefix);
    return newCookie;
  }

  if (!CookieCommons::CheckValue(mCookieData)) {
    COOKIE_LOGFAILURE(SET_COOKIE, mHostURI, mCookieString,
                      "invalid value character");
    RejectCookie(RejectedInvalidCharValue);
    return newCookie;
  }

  // if the new cookie is httponly, make sure we're not coming from script
  if (!aFromHttp && mCookieData.isHttpOnly()) {
    COOKIE_LOGFAILURE(SET_COOKIE, mHostURI, mCookieString,
                      "cookie is httponly; coming from script");
    RejectCookie(RejectedHttpOnlyButFromScript);
    return newCookie;
  }

  // If the new cookie is non-https and wants to set secure flag,
  // browser have to ignore this new cookie.
  // (draft-ietf-httpbis-cookie-alone section 3.1)
  if (mCookieData.isSecure() && !potentiallyTrustworthy) {
    COOKIE_LOGFAILURE(SET_COOKIE, mHostURI, aCookieHeader,
                      "non-https cookie can't set secure flag");
    RejectCookie(RejectedSecureButNonHttps);
    return newCookie;
  }

  // If the new cookie is same-site but in a cross site context,
  // browser must ignore the cookie.
  bool laxByDefault =
      StaticPrefs::network_cookie_sameSite_laxByDefault() &&
      !nsContentUtils::IsURIInPrefList(
          mHostURI, "network.cookie.sameSite.laxByDefault.disabledHosts");
  auto effectiveSameSite =
      laxByDefault ? mCookieData.sameSite() : mCookieData.rawSameSite();
  if ((effectiveSameSite != nsICookie::SAMESITE_NONE) &&
      aIsForeignAndNotAddon) {
    COOKIE_LOGFAILURE(SET_COOKIE, mHostURI, mCookieString,
                      "failed the samesite tests");
    RejectCookie(RejectedForNonSameSiteness);
    return newCookie;
  }

  // If the cookie does not have the partitioned attribute,
  // but is foreign we should give the developer a message.
  // If CHIPS isn't required yet, we will warn the console
  // that we have upcoming changes. Otherwise we give a rejection message.
  if (aPartitionedOnly && !mCookieData.isPartitioned() &&
      aIsForeignAndNotAddon) {
    if (StaticPrefs::network_cookie_cookieBehavior_optInPartitioning() ||
        (aIsInPrivateBrowsing &&
         StaticPrefs::
             network_cookie_cookieBehavior_optInPartitioning_pbmode())) {
      COOKIE_LOGFAILURE(SET_COOKIE, mHostURI, mCookieString,
                        "foreign cookies must be partitioned");
      RejectCookie(RejectedForeignNoPartitionedError);
      return newCookie;
    }
    mWarnings.mForeignNoPartitionedWarning = true;
  }

  mContainsCookie = true;
  return newCookie;
}

void CookieParser::RejectCookie(Rejection aRejection) {
  MOZ_ASSERT(mRejection == NoRejection);
  MOZ_ASSERT(aRejection != NoRejection);
  mRejection = aRejection;
}

void CookieParser::GetCookieString(nsACString& aCookieString) const {
  aCookieString.Assign(mCookieString);
}

}  // namespace net
}  // namespace mozilla