From e408c7023bc65348c9e18ce65f6115a78f1bc927 Mon Sep 17 00:00:00 2001
From: Blake Embrey <hello@blakeembrey.com>
Date: Fri, 15 Nov 2024 13:51:28 -0800
Subject: [PATCH 1/2] Loosen cookie name/value validation

---
 src/index.ts          |  11 ++-
 src/serialize.spec.ts | 174 ++++++++++++++++++++----------------------
 2 files changed, 90 insertions(+), 95 deletions(-)

diff --git a/src/index.ts b/src/index.ts
index af222fc..ed7d11a 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -8,8 +8,11 @@
  * tchar             = "!" / "#" / "$" / "%" / "&" / "'" /
  *                     "*" / "+" / "-" / "." / "^" / "_" /
  *                     "`" / "|" / "~" / DIGIT / ALPHA
+ *
+ * Note: Allowing more characters - https://github.com/jshttp/cookie/issues/191
+ * Allow same range as cookie value, except `=`, which delimits end of name.
  */
-const cookieNameRegExp = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
+const cookieNameRegExp = /^[\u0021-\u003A\u003C\u003E-\u007E]+$/;
 
 /**
  * RegExp to match cookie-value in RFC 6265 sec 4.1.1
@@ -19,9 +22,11 @@ const cookieNameRegExp = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
  *                     ; US-ASCII characters excluding CTLs,
  *                     ; whitespace DQUOTE, comma, semicolon,
  *                     ; and backslash
+ *
+ * Allowing more characters: https://github.com/jshttp/cookie/issues/191
+ * Comma, backslash, and DQUOTE are not part of the parsing algorithm.
  */
-const cookieValueRegExp =
-  /^("?)[\u0021\u0023-\u002B\u002D-\u003A\u003C-\u005B\u005D-\u007E]*\1$/;
+const cookieValueRegExp = /^[\u0021-\u003A\u003C-\u007E]*$/;
 
 /**
  * RegExp to match domain-value in RFC 6265 sec 4.1.1
diff --git a/src/serialize.spec.ts b/src/serialize.spec.ts
index 7091027..458de3f 100644
--- a/src/serialize.spec.ts
+++ b/src/serialize.spec.ts
@@ -14,91 +14,80 @@ describe("cookie.serialize(name, value)", function () {
     expect(cookie.serialize("foo", "")).toEqual("foo=");
   });
 
-  it("should serialize valid name", function () {
-    var validNames = [
-      "foo",
-      "foo!bar",
-      "foo#bar",
-      "foo$bar",
-      "foo'bar",
-      "foo*bar",
-      "foo+bar",
-      "foo-bar",
-      "foo.bar",
-      "foo^bar",
-      "foo_bar",
-      "foo`bar",
-      "foo|bar",
-      "foo~bar",
-      "foo7bar",
-    ];
-
-    validNames.forEach(function (name) {
-      expect(cookie.serialize(name, "baz")).toEqual(name + "=baz");
-    });
+  it.each([
+    ["foo"],
+    ["foo,bar"],
+    ["foo!bar"],
+    ["foo#bar"],
+    ["foo$bar"],
+    ["foo'bar"],
+    ["foo*bar"],
+    ["foo+bar"],
+    ["foo-bar"],
+    ["foo.bar"],
+    ["foo^bar"],
+    ["foo_bar"],
+    ["foo`bar"],
+    ["foo|bar"],
+    ["foo~bar"],
+    ["foo7bar"],
+    ["foo/bar"],
+    ["foo@bar"],
+    ["foo[bar"],
+    ["foo]bar"],
+    ["foo:bar"],
+    ["foo{bar"],
+    ["foo}bar"],
+    ['foo"bar'],
+    ["foo<bar"],
+    ["foo>bar"],
+    ["foo?bar"],
+    ["foo\\bar"],
+  ])("should serialize name: %s", (name) => {
+    expect(cookie.serialize(name, "baz")).toEqual(`${name}=baz`);
   });
 
-  it("should throw for invalid name", function () {
-    var invalidNames = [
-      "foo\n",
-      "foo\u280a",
-      "foo/foo",
-      "foo,foo",
-      "foo;foo",
-      "foo@foo",
-      "foo[foo]",
-      "foo?foo",
-      "foo:foo",
-      "foo{foo}",
-      "foo foo",
-      "foo\tfoo",
-      'foo"foo',
-      "foo<script>foo",
-    ];
-
-    invalidNames.forEach(function (name) {
-      expect(cookie.serialize.bind(cookie, name, "bar")).toThrow(
-        /argument name is invalid/,
-      );
-    });
+  it.each([
+    ["foo\n"],
+    ["foo\u280a"],
+    ["foo=bar"],
+    ["foo;bar"],
+    ["foo bar"],
+    ["foo\tbar"],
+  ])("should throw for invalid name: %s", (name) => {
+    expect(() => cookie.serialize(name, "bar")).toThrow(
+      /argument name is invalid/,
+    );
   });
 });
 
 describe("cookie.serialize(name, value, options)", function () {
   describe('with "domain" option', function () {
-    it("should serialize valid domain", function () {
-      var validDomains = [
-        "example.com",
-        "sub.example.com",
-        ".example.com",
-        "localhost",
-        ".localhost",
-        "my-site.org",
-        "localhost",
-      ];
-
-      validDomains.forEach(function (domain) {
-        expect(cookie.serialize("foo", "bar", { domain: domain })).toEqual(
-          "foo=bar; Domain=" + domain,
-        );
-      });
+    it.each([
+      ["example.com"],
+      ["sub.example.com"],
+      [".example.com"],
+      ["localhost"],
+      [".localhost"],
+      ["my-site.org"],
+      ["localhost"],
+    ])("should serialize domain: %s", (domain) => {
+      expect(cookie.serialize("foo", "bar", { domain })).toEqual(
+        `foo=bar; Domain=${domain}`,
+      );
     });
 
-    it("should throw for invalid domain", function () {
-      var invalidDomains = [
-        "example.com\n",
-        "sub.example.com\u0000",
-        "my site.org",
-        "domain..com",
-        "example.com; Path=/",
-        "example.com /* inject a comment */",
-      ];
-
-      invalidDomains.forEach(function (domain) {
-        expect(
-          cookie.serialize.bind(cookie, "foo", "bar", { domain: domain }),
-        ).toThrow(/option domain is invalid/);
-      });
+    it.each([
+      ["example.com\n"],
+      ["sub.example.com\u0000"],
+      ["my site.org"],
+      ["domain..com"],
+      ["example.com; Path=/"],
+      ["example.com /* inject a comment */"],
+    ])("should throw for invalid domain: %s", (domain) => {
+      expect(() => cookie.serialize("foo", "bar", { domain })).toThrow(
+        /option domain is invalid/,
+      );
     });
   });
 
@@ -113,22 +102,23 @@ describe("cookie.serialize(name, value, options)", function () {
       ).toEqual("foo=YmFy");
     });
 
-    it("should throw when returned value is invalid", function () {
-      expect(
-        cookie.serialize.bind(cookie, "foo", "+ \n", {
-          encode: function (v) {
-            return v;
-          },
-        }),
-      ).toThrow(/argument val is invalid/);
-      expect(
-        cookie.serialize.bind(cookie, "foo", "foo bar", {
-          encode: function (v) {
-            return v;
-          },
-        }),
-      ).toThrow(/argument val is invalid/);
-    });
+    it.each(["foo=bar", 'foo"bar', "foo,bar", "foo\\bar", "foo$bar"])(
+      "should serialize value: %s",
+      (value) => {
+        expect(cookie.serialize("foo", value, { encode: (x) => x })).toEqual(
+          `foo=${value}`,
+        );
+      },
+    );
+
+    it.each([["+\n"], ["foo bar"], ["foo\tbar"], ["foo;bar"]])(
+      "should throw for invalid value: %s",
+      (value) => {
+        expect(() =>
+          cookie.serialize("foo", value, { encode: (x) => x }),
+        ).toThrow(/argument val is invalid/);
+      },
+    );
   });
 
   describe('with "expires" option', function () {

From 8c9f8668629cc41bcde90e4d70dee9631697ae46 Mon Sep 17 00:00:00 2001
From: Blake Embrey <hello@blakeembrey.com>
Date: Fri, 15 Nov 2024 13:58:50 -0800
Subject: [PATCH 2/2] Add utf8 example to value test

---
 src/serialize.spec.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/serialize.spec.ts b/src/serialize.spec.ts
index 458de3f..8f8d56f 100644
--- a/src/serialize.spec.ts
+++ b/src/serialize.spec.ts
@@ -111,7 +111,7 @@ describe("cookie.serialize(name, value, options)", function () {
       },
     );
 
-    it.each([["+\n"], ["foo bar"], ["foo\tbar"], ["foo;bar"]])(
+    it.each([["+\n"], ["foo bar"], ["foo\tbar"], ["foo;bar"], ["foo\u280a"]])(
       "should throw for invalid value: %s",
       (value) => {
         expect(() =>