Cookie hardedning

tolyo · tolyo · commit fe7614aabdb5 · 2025-12-01T01:40:09.000+02:00
diff --git a/@types/services/cookie/cookie.d.ts b/@types/services/cookie/cookie.d.ts
@@ -10,10 +10,15 @@ export class CookieService {
   /**
    * @param {ng.CookieOptions} defaults
    *   Default cookie attributes defined by `$cookiesProvider.defaults`.
+   * @param {ng.ExceptionHandlerService} $exceptionHandler
    */
-  constructor(defaults: ng.CookieOptions);
-  /** @type {CookieOptions} */
-  defaults: CookieOptions;
+  constructor(
+    defaults: ng.CookieOptions,
+    $exceptionHandler: ng.ExceptionHandlerService,
+  );
+  /** @type {ng.CookieOptions} */
+  defaults: ng.CookieOptions;
+  $exceptionHandler: import("../exception/interface.ts").ErrorHandler;
   /**
    * Retrieves a raw cookie value.
    *
@@ -27,6 +32,7 @@ export class CookieService {
    * @template T
    * @param {string} key
    * @returns {T|null}
+   * @throws {SyntaxError} if cookie JSON is invalid
    */
   getObject<T>(key: string): T | null;
   /**
@@ -40,27 +46,30 @@ export class CookieService {
    *
    * @param {string} key
    * @param {string} value
-   * @param {CookieOptions} [options]
+   * @param {ng.CookieOptions} [options]
    */
-  put(key: string, value: string, options?: CookieOptions): void;
+  put(key: string, value: string, options?: ng.CookieOptions): void;
   /**
    * Serializes an object as JSON and stores it as a cookie.
    *
    * @param {string} key
    * @param {any} value
-   * @param {CookieOptions} [options]
+   * @param {ng.CookieOptions} [options]
+   * @throws {TypeError} if Object cannot be converted to JSON
    */
-  putObject(key: string, value: any, options?: CookieOptions): void;
+  putObject(key: string, value: any, options?: ng.CookieOptions): void;
   /**
    * Removes a cookie by setting an expired date.
    *
    * @param {string} key
-   * @param {CookieOptions} [options]
+   * @param {ng.CookieOptions} [options]
    */
-  remove(key: string, options?: CookieOptions): void;
+  remove(key: string, options?: ng.CookieOptions): void;
 }
 export class CookieProvider {
   defaults: {};
-  $get(): CookieService;
+  $get: (
+    | string
+    | (($exceptionHandler: ng.ExceptionHandlerService) => CookieService)
+  )[];
 }
-export type CookieOptions = import("./interface.ts").CookieOptions;
diff --git a/src/core/di/injector.js b/src/core/di/injector.js
@@ -216,16 +216,16 @@ export function createInjector(modulesToLoad, strictDi = false) {
           const cookieOpts = options.cookie ?? {};
 
           return createPersistentProxy(instance, name, {
-            getItem: (key) => {
+            getItem(key) {
               const raw = $cookie.get(key);
               return raw == null ? null : raw;
             },
 
-            setItem: (key, value) => {
+            setItem(key, value) {
               $cookie.put(key, value, cookieOpts);
             },
 
-            removeItem: (key) => {
+            removeItem(key) {
               $cookie.remove(key, cookieOpts);
             },
 
diff --git a/src/services/cookie/cookie.js b/src/services/cookie/cookie.js
@@ -1,6 +1,13 @@
-/**
- * @typedef {import("./interface.ts").CookieOptions} CookieOptions
- */
+import { $injectTokens } from "../../injection-tokens.js";
+import {
+  assert,
+  isDefined,
+  isFunction,
+  isNullOrUndefined,
+  isNumber,
+  isObject,
+  isString,
+} from "../../shared/utils.js";
 
 /**
  * @returns {Record<string,string>}
@@ -13,6 +20,7 @@ function parseCookies() {
   const parts = document.cookie.split("; ");
   for (const part of parts) {
     const eq = part.indexOf("=");
+    if (eq === -1) continue; // skip malformed cookie
     const key = decodeURIComponent(part.substring(0, eq));
     const val = decodeURIComponent(part.substring(eq + 1));
     out[key] = val;
@@ -23,27 +31,70 @@ function parseCookies() {
 /** Utility: stringify options */
 /**
  *
- * @param {CookieOptions} opts
+ * @param {ng.CookieOptions} opts
+ * @returns {string}
+ */
+/**
+ * Build cookie options string from an options object.
+ * Safely validates types for path, domain, expires, secure, and samesite.
+ *
+ * @param {ng.CookieOptions} opts
  * @returns {string}
+ * @throws {TypeError} if any of options are invalid
  */
 function buildOptions(opts = {}) {
-  let s = "";
+  const parts = [];
 
-  if (opts.path) s += `;path=${opts.path}`;
-  if (opts.domain) s += `;domain=${opts.domain}`;
+  // Path
+  if (isDefined(opts.path)) {
+    if (!isString(opts.path)) throw new TypeError(`badarg:path ${opts.path}`);
+    parts.push(`path=${opts.path}`);
+  }
 
-  if (opts.expires) {
-    const exp =
-      opts.expires instanceof Date
-        ? opts.expires.toUTCString()
-        : new Date(opts.expires).toUTCString();
-    s += `;expires=${exp}`;
+  // Domain
+  if (isDefined(opts.domain)) {
+    if (!isString(opts.domain))
+      throw new TypeError(`badarg:domain ${opts.domain}`);
+    parts.push(`domain=${opts.domain}`);
   }
 
-  if (opts.secure) s += `;secure`;
-  if (opts.samesite) s += `;samesite=${opts.samesite}`;
+  // Expires
+  if (opts.expires != null) {
+    let expDate;
+
+    if (opts.expires instanceof Date) {
+      expDate = opts.expires;
+    } else if (isNumber(opts.expires) || isString(opts.expires)) {
+      expDate = new Date(opts.expires);
+    } else {
+      throw new TypeError(`badarg:expires ${String(opts.expires)}`);
+    }
+
+    if (isNaN(expDate.getTime())) {
+      throw new TypeError(`badarg:expires ${String(opts.expires)}`);
+    }
 
-  return s;
+    parts.push(`expires=${expDate.toUTCString()}`);
+  }
+
+  // Secure
+  if (opts.secure) {
+    parts.push("secure");
+  }
+
+  // SameSite
+  if (isDefined(opts.samesite)) {
+    if (!isString(opts.samesite))
+      throw new TypeError(`badarg:samesite ${opts.samesite}`);
+    const s = opts.samesite.toLowerCase();
+    if (!["lax", "strict", "none"].includes(s)) {
+      throw new TypeError(`badarg:samesite ${opts.samesite}`);
+    }
+    parts.push(`samesite=${s}`);
+  }
+
+  // Join all parts with semicolons
+  return parts.length ? ";" + parts.join(";") : "";
 }
 
 /**
@@ -58,10 +109,14 @@ export class CookieService {
   /**
    * @param {ng.CookieOptions} defaults
    *   Default cookie attributes defined by `$cookiesProvider.defaults`.
+   * @param {ng.ExceptionHandlerService} $exceptionHandler
    */
-  constructor(defaults) {
-    /** @type {CookieOptions} */
-    this.defaults = defaults;
+  constructor(defaults, $exceptionHandler) {
+    assert(isObject(defaults), "badarg");
+    assert(isFunction($exceptionHandler), "badarg");
+    /** @type {ng.CookieOptions} */
+    this.defaults = Object.freeze({ ...defaults });
+    this.$exceptionHandler = $exceptionHandler;
   }
 
   /**
@@ -71,6 +126,7 @@ export class CookieService {
    * @returns {string|null}
    */
   get(key) {
+    assert(isString(key), "badarg");
     const all = parseCookies();
     return all[key] || null;
   }
@@ -81,14 +137,18 @@ export class CookieService {
    * @template T
    * @param {string} key
    * @returns {T|null}
+   * @throws {SyntaxError} if cookie JSON is invalid
    */
   getObject(key) {
+    assert(isString(key), "badarg");
     const raw = this.get(key);
     if (!raw) return null;
     try {
       return /** @type {T} */ (JSON.parse(raw));
-    } catch {
-      return null;
+    } catch (err) {
+      const error = new SyntaxError(`badparse: "${key}" => ${err.message}`);
+      this.$exceptionHandler(error);
+      throw error;
     }
   }
 
@@ -106,35 +166,53 @@ export class CookieService {
    *
    * @param {string} key
    * @param {string} value
-   * @param {CookieOptions} [options]
+   * @param {ng.CookieOptions} [options]
    */
   put(key, value, options = {}) {
+    assert(isString(key), "badarg: key");
+    assert(isString(value), "badarg: value");
     const encodedKey = encodeURIComponent(key);
     const encodedVal = encodeURIComponent(value);
 
-    document.cookie =
-      `${encodedKey}=${encodedVal}` +
-      buildOptions({ ...this.defaults, ...options });
+    try {
+      document.cookie =
+        `${encodedKey}=${encodedVal}` +
+        buildOptions({ ...this.defaults, ...options });
+    } catch (e) {
+      this.$exceptionHandler(e);
+      throw e;
+    }
   }
 
   /**
    * Serializes an object as JSON and stores it as a cookie.
    *
    * @param {string} key
    * @param {any} value
-   * @param {CookieOptions} [options]
+   * @param {ng.CookieOptions} [options]
+   * @throws {TypeError} if Object cannot be converted to JSON
    */
   putObject(key, value, options) {
-    this.put(key, JSON.stringify(value), options);
+    assert(isString(key), "badarg: key");
+    assert(!isNullOrUndefined(key), "badarg: key");
+    try {
+      const str = JSON.stringify(value);
+      this.put(key, str, options);
+    } catch (err) {
+      const error = new TypeError(`badserialize: "${key}" => ${err.message}`);
+      this.$exceptionHandler(error);
+      throw error;
+    }
   }
 
   /**
    * Removes a cookie by setting an expired date.
    *
    * @param {string} key
-   * @param {CookieOptions} [options]
+   * @param {ng.CookieOptions} [options]
    */
   remove(key, options = {}) {
+    assert(isString(key), "badarg");
     this.put(key, "", {
       ...this.defaults,
       ...options,
@@ -148,7 +226,9 @@ export class CookieProvider {
     this.defaults = {};
   }
 
-  $get() {
-    return new CookieService(this.defaults);
-  }
+  $get = [
+    $injectTokens.$exceptionHandler,
+    /** @param {ng.ExceptionHandlerService} $exceptionHandler  */
+    ($exceptionHandler) => new CookieService(this.defaults, $exceptionHandler),
+  ];
 }
diff --git a/src/services/cookie/cookie.spec.js b/src/services/cookie/cookie.spec.js
@@ -51,9 +51,12 @@ describe("$cookie service", () => {
     expect($cookie.getObject("user")).toEqual(obj);
   });
 
-  it("should return null for invalid JSON in getObject", () => {
+  it("should throw SyntaxError for invalid JSON in getObject", () => {
     document.cookie = "broken={unclosed";
-    expect($cookie.getObject("broken")).toBeNull();
+    expect(() => $cookie.getObject("broken")).toThrowError(
+      SyntaxError,
+      /^badparse: "broken" =>/,
+    );
   });
 
   it("getAll should return all cookies as an object", () => {
@@ -107,6 +110,36 @@ describe("$cookie service", () => {
     expect($cookie.get("c2")).toBe("v2");
   });
 
+  it("should throw TypeError if expires is invalid type", () => {
+    const invalidValues = [true, {}, [], () => {}, Symbol()];
+    invalidValues.forEach((val) => {
+      expect(() => $cookie.put("badExp", "x", { expires: val })).toThrowError(
+        TypeError,
+        /^badarg:expires/,
+      );
+    });
+  });
+
+  it("should throw TypeError if expires is an invalid date", () => {
+    expect(() =>
+      $cookie.put("badDate", "x", { expires: "invalid-date" }),
+    ).toThrowError(TypeError, /^badarg:expires/);
+  });
+
+  it("should accept a valid Date object in expires", () => {
+    const exp = new Date(Date.now() + 1000 * 60); // 1 minute in future
+    expect(() => $cookie.put("goodDate", "v", { expires: exp })).not.toThrow();
+    expect($cookie.get("goodDate")).toBe("v");
+  });
+
+  it("should accept a valid date string in expires", () => {
+    const exp = new Date(Date.now() + 1000 * 60).toUTCString();
+    expect(() =>
+      $cookie.put("goodString", "v", { expires: exp }),
+    ).not.toThrow();
+    expect($cookie.get("goodString")).toBe("v");
+  });
+
   function clearCookies() {
     const cookies = document.cookie.split(";").map((c) => c.trim());
     cookies.forEach((c) => {
