AG-21419 get rid of encodeURIComponent for trusted-set-cookie-* scrip…

…tlets Merge in ADGUARD-FILTERS/scriptlets from fix/AG-21419 to master Squashed commit of the following: commit 7149764 Merge: 511a3de 2cedcec Author: Stanislav A <s.atroschenko@adguard.com> Date: Mon May 15 18:45:57 2023 +0300 Merge branch 'fix/AG-21419' of ssh://bit.adguard.com:7999/adguard-filters/scriptlets into fix/AG-21419 commit 511a3de Author: Stanislav A <s.atroschenko@adguard.com> Date: Mon May 15 18:44:27 2023 +0300 add description and logging for non-trusteds commit 2cedcec Author: Slava Leleka <v.leleka@adguard.com> Date: Mon May 15 18:42:42 2023 +0300 CHANGELOG.md edited online with Bitbucket commit f23894c Author: Stanislav A <s.atroschenko@adguard.com> Date: Mon May 15 18:40:50 2023 +0300 improve trusteds' descriptions commit 060babb Author: Slava Leleka <v.leleka@adguard.com> Date: Mon May 15 18:28:59 2023 +0300 CHANGELOG.md edited online with Bitbucket commit 0beae8a Author: Stanislav A <s.atroschenko@adguard.com> Date: Mon May 15 13:51:34 2023 +0300 handle semicolon in names and values, add info to description commit d8ccf17 Merge: 388b637 898998d Author: Stanislav A <s.atroschenko@adguard.com> Date: Fri May 12 20:56:43 2023 +0300 merge master commit 388b637 Author: Stanislav A <s.atroschenko@adguard.com> Date: Fri May 12 20:55:05 2023 +0300 swap changelog items commit ac98dea Author: Stanislav A <s.atroschenko@adguard.com> Date: Fri May 12 15:48:02 2023 +0300 update changelog commit d03e028 Author: Stanislav A <s.atroschenko@adguard.com> Date: Thu May 11 19:24:24 2023 +0300 get rid of encodeURIComponent for trusted-set-cookie-* scriptlets
AdguardTeam · May 16, 2023 · d16b49f · d16b49f
1 parent 898998d
commit d16b49f
Show file tree

Hide file tree

Showing 8 changed files with 32 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
+- `trusted-set-cookie` and `trusted-set-cookie-reaload` scriptlets to not encode cookie name and value [#311](https://github.com/AdguardTeam/Scriptlets/issues/311)
 - improved `prevent-fetch` — if `responseType` is not specified,
   original response type is returned instead of `default` [#297](https://github.com/AdguardTeam/Scriptlets/issues/291)
 

diff --git a/src/helpers/cookie-utils.js b/src/helpers/cookie-utils.js
@@ -30,11 +30,18 @@ export const getCookiePath = (rawPath) => {
  * @param {string} rawName name argument of *set-cookie-* scriptlets
  * @param {string} rawValue value argument of *set-cookie-* scriptlets
  * @param {string} rawPath path argument of *set-cookie-* scriptlets
- * @returns {string|null} string OR `null` if path is not supported
+ * @param {boolean} shouldEncode if cookie's name and value should be encoded
+ * @returns {string|null} string OR `null` if name or value is invalid
  */
-export const concatCookieNameValuePath = (rawName, rawValue, rawPath) => {
-    // eslint-disable-next-line max-len
-    return `${encodeURIComponent(rawName)}=${encodeURIComponent(rawValue)}; ${getCookiePath(rawPath)};`;
+export const concatCookieNameValuePath = (rawName, rawValue, rawPath, shouldEncode = true) => {
+    const COOKIE_BREAKER = ';';
+    // semicolon will cause the cookie to break
+    if (!shouldEncode && (rawName.includes(COOKIE_BREAKER) || `${rawValue}`.includes(COOKIE_BREAKER))) {
+        return null;
+    }
+    const name = shouldEncode ? encodeURIComponent(rawName) : rawName;
+    const value = shouldEncode ? encodeURIComponent(rawValue) : rawValue;
+    return `${name}=${value}; ${getCookiePath(rawPath)};`;
 };
 
 /**

diff --git a/src/scriptlets/set-cookie-reload.js b/src/scriptlets/set-cookie-reload.js
@@ -36,6 +36,9 @@ import {
  *     - `/` — root path
  *     - `none` — to set no path at all
  *
+ * > Note that the scriptlet encodes cookie names and values,
+ * e.g value `"{ test: 'value'}"` becomes `%7B%20test%3A%20'value'%7D`.
+ *
  * **Examples**
  * ```
  * example.org#%#//scriptlet('set-cookie-reload', 'checking', 'ok')
@@ -63,6 +66,7 @@ export function setCookieReload(source, name, value, path = '/') {
 
     const cookieToSet = concatCookieNameValuePath(name, validValue, path);
     if (!cookieToSet) {
+        logMessage(source, 'Invalid cookie name or value');
         return;
     }
 

diff --git a/src/scriptlets/set-cookie.js b/src/scriptlets/set-cookie.js
@@ -35,6 +35,9 @@ import {
  *     - `/` — root path
  *     - `none` — to set no path at all
  *
+ * > Note that the scriptlet encodes cookie names and values,
+ * e.g value `"{ test: 'value'}"` becomes `%7B%20test%3A%20'value'%7D`.
+ *
  * **Examples**
  * ```
  * example.org#%#//scriptlet('set-cookie', 'CookieConsent', '1')
@@ -59,6 +62,7 @@ export function setCookie(source, name, value, path = '/') {
 
     const cookieToSet = concatCookieNameValuePath(name, validValue, path);
     if (!cookieToSet) {
+        logMessage(source, 'Invalid cookie name or value');
         return;
     }
 

diff --git a/src/scriptlets/trusted-set-cookie-reload.js b/src/scriptlets/trusted-set-cookie-reload.js
@@ -42,6 +42,9 @@ import {
  *   - `/` — root path
  *   - `none` — to set no path at all
  *
+ * > Note that the scriptlet does not encode cookie names and values. As a result, if a cookie's name or value includes `;`,
+ * the scriptlet will not set the cookie since this may cause the cookie to break.
+ *
  * **Examples**
  * 1. Set cookie and reload the page after it
  * ```
@@ -93,8 +96,9 @@ export function trustedSetCookieReload(source, name, value, offsetExpiresSec = '
         return;
     }
 
-    let cookieToSet = concatCookieNameValuePath(name, parsedValue, path);
+    let cookieToSet = concatCookieNameValuePath(name, parsedValue, path, false);
     if (!cookieToSet) {
+        logMessage(source, 'Invalid cookie name or value');
         return;
     }
 

diff --git a/src/scriptlets/trusted-set-cookie.js b/src/scriptlets/trusted-set-cookie.js
@@ -39,6 +39,9 @@ import {
  *   - `/` — root path
  *   - `none` — to set no path at all
  *
+ * > Note that the scriptlet does not encode cookie names and values. As a result, if a cookie's name or value includes `;`,
+ * the scriptlet will not set the cookie since this may cause the cookie to break.
+ *
  * **Examples**
  * 1. Set cookie
  * ```
@@ -85,8 +88,9 @@ export function trustedSetCookie(source, name, value, offsetExpiresSec = '', pat
         return;
     }
 
-    let cookieToSet = concatCookieNameValuePath(name, parsedValue, path);
+    let cookieToSet = concatCookieNameValuePath(name, parsedValue, path, false);
     if (!cookieToSet) {
+        logMessage(source, 'Invalid cookie name or value');
         return;
     }
 

diff --git a/tests/scriptlets/trusted-set-cookie-reload.spec.js b/tests/scriptlets/trusted-set-cookie-reload.spec.js
@@ -72,7 +72,7 @@ describe('Test trusted-set-cookie-reload scriptlet', () => {
         // and jest running test
         const cookieValue = parseCookieString(document.cookie)[cName];
         // Check only day, month and year
-        const currentDate = encodeURIComponent(Date().split(' ', 4).join(' '));
+        const currentDate = Date().split(' ', 4).join(' ');
         const dateDiff = cookieValue.split(' ', 4).join(' ');
 
         expect(dateDiff.startsWith(currentDate)).toBeTruthy();

diff --git a/tests/scriptlets/trusted-set-cookie.test.js b/tests/scriptlets/trusted-set-cookie.test.js
@@ -44,7 +44,7 @@ test('Set cookie string', (assert) => {
 
     assert.strictEqual(window.hit, 'FIRED', 'Hit was fired');
     assert.strictEqual(document.cookie.includes(cName), true, 'Cookie name has been set');
-    assert.strictEqual(document.cookie.includes(encodeURIComponent(cValue)), true, 'Cookie value has been set');
+    assert.strictEqual(document.cookie.includes(cValue), true, 'Cookie value has been set');
     clearCookie(cName);
 });