Fix invalid cookie naming - cookie names can't contain : (#2539)

Closes #2537

RFCs:
* http://tools.ietf.org/html/rfc6265#section-4.1.1
* http://tools.ietf.org/html/rfc2616#section-2.2
This commit is contained in:
Milad 2024-04-02 15:25:08 +02:00 committed by GitHub
parent 8e11d6a571
commit fa4addcb50
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 16 additions and 16 deletions


@ -143,9 +143,9 @@ if (hasCookiesAccess()) {
} }
function hasCookiesAccess() { function hasCookiesAccess() {
document.cookie = `lb:probe_cookie=;path=/${cookieOptions()}`; document.cookie = `lb_probe_cookie=;path=/${cookieOptions()}`;
return document.cookie return document.cookie
.split("; ") .split("; ")
.some((cookie) => cookie.startsWith(`lb:probe_cookie=`)); .some((cookie) => cookie.startsWith(`lb_probe_cookie=`));
} }


@ -1,9 +1,9 @@
import { cookieOptions, decodeBase64, encodeBase64 } from "./utils"; import { cookieOptions, decodeBase64, encodeBase64 } from "./utils";
const USER_DATA_COOKIE = "lb:user_data"; const USER_DATA_COOKIE = "lb_user_data";
/** /**
* Stores user data in the `"lb:user_data"` cookie. * Stores user data in the `"lb_user_data"` cookie.
*/ */
export function storeUserData(userData) { export function storeUserData(userData) {
const json = JSON.stringify(userData); const json = JSON.stringify(userData);
@ -12,7 +12,7 @@ export function storeUserData(userData) {
} }
/** /**
* Loads user data from the `"lb:user_data"` cookie. * Loads user data from the `"lb_user_data"` cookie.
*/ */
export function loadUserData() { export function loadUserData() {
const encoded = getCookieValue(USER_DATA_COOKIE); const encoded = getCookieValue(USER_DATA_COOKIE);
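Review bot: Browsers that still hold the old `lb:user_data` cookie are not migrated, because `loadUserData` now reads only `USER_DATA_COOKIE` and, on the server side, `ensure_user_data` in LivebookWeb.UserPlug checks only for `lb_user_data`, so a returning user gets a freshly generated identity while the stale `lb:` cookie stays in the jar. If losing the old identity is acceptable, say so next to the constant, e.g. `// Renamed from "lb:user_data" (cookie names may not contain ":"); older cookies are not migrated`. Otherwise the server plug is the place to read the old cookie once and reissue its value under the new name, since it is the one that sets the cookie. Both `storeUserData` and `loadUserData` continue outside this hunk.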


@ -6,7 +6,7 @@ defmodule LivebookWeb.Endpoint do
# Set :encryption_salt if you would also like to encrypt it. # Set :encryption_salt if you would also like to encrypt it.
@session_options [ @session_options [
store: :cookie, store: :cookie,
key: "lb:session", key: "lb_session",
signing_salt: "deadbook" signing_salt: "deadbook"
] ]
@ -126,7 +126,7 @@ defmodule LivebookWeb.Endpoint do
if cookie_size > 24576 do if cookie_size > 24576 do
conn.cookies conn.cookies
|> Enum.reject(fn {key, _value} -> String.starts_with?(key, "lb:") end) |> Enum.reject(fn {key, _value} -> String.starts_with?(key, "lb_") end)
|> Enum.take(10) |> Enum.take(10)
|> Enum.reduce(conn, fn {key, _value}, conn -> |> Enum.reduce(conn, fn {key, _value}, conn ->
Plug.Conn.delete_resp_cookie(conn, key) Plug.Conn.delete_resp_cookie(conn, key)
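Review bot: The `"lb_"` prefix filter means cookies that earlier versions set under `lb:` (session and user data) are now treated as foreign and become candidates for deletion once the 24576-byte threshold is crossed, which is presumably acceptable since they are no longer read, but it is not stated anywhere. A short comment on the reject line would make that explicit, e.g. `# Keep our own "lb_" cookies; cookies from older versions used "lb:" and may be dropped here`. The `Enum.reduce` block continues outside the hunk.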


@ -48,7 +48,7 @@ defmodule LivebookWeb.UserPlug do
defp ensure_user_data(conn) when conn.halted, do: conn defp ensure_user_data(conn) when conn.halted, do: conn
defp ensure_user_data(conn) do defp ensure_user_data(conn) do
if Map.has_key?(conn.req_cookies, "lb:user_data") do if Map.has_key?(conn.req_cookies, "lb_user_data") do
conn conn
else else
identity_data = get_session(conn, :identity_data) identity_data = get_session(conn, :identity_data)
@ -58,7 +58,7 @@ defmodule LivebookWeb.UserPlug do
# We disable HttpOnly, so that it can be accessed on the client # We disable HttpOnly, so that it can be accessed on the client
# and set expiration to 5 years # and set expiration to 5 years
opts = [http_only: false, max_age: 157_680_000] ++ LivebookWeb.Endpoint.cookie_options() opts = [http_only: false, max_age: 157_680_000] ++ LivebookWeb.Endpoint.cookie_options()
put_resp_cookie(conn, "lb:user_data", encoded, opts) put_resp_cookie(conn, "lb_user_data", encoded, opts)
end end
end end
@ -74,7 +74,7 @@ defmodule LivebookWeb.UserPlug do
defp mirror_user_data_in_session(conn) when conn.halted, do: conn defp mirror_user_data_in_session(conn) when conn.halted, do: conn
defp mirror_user_data_in_session(conn) do defp mirror_user_data_in_session(conn) do
user_data = conn.cookies["lb:user_data"] |> Base.decode64!() |> Jason.decode!() user_data = conn.cookies["lb_user_data"] |> Base.decode64!() |> Jason.decode!()
put_session(conn, :user_data, user_data) put_session(conn, :user_data, user_data)
end end
end end
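Review bot: `ensure_user_data` only checks that the `lb_user_data` key is present, while `mirror_user_data_in_session` then runs the cookie value through `Base.decode64!/1` and `Jason.decode!/1`, so a cookie that exists but is malformed (truncated, edited, or left over from another deployment) raises on every request instead of being regenerated — unless something earlier in the pipeline already validates it, which this hunk does not show. Treating an undecodable cookie like a missing one in `ensure_user_data` fixes this without touching the mirroring step. Note that `ensure_user_data`'s body spans two hunks with lines left out between them.

```elixir
defp ensure_user_data(conn) when conn.halted, do: conn

defp ensure_user_data(conn) do
  if valid_user_data_cookie?(conn) do
    conn
  else
    # … unchanged: build `encoded` from the session identity data and set `opts` …
    put_resp_cookie(conn, "lb_user_data", encoded, opts)
  end
end

# A present-but-undecodable cookie is treated like a missing one so it gets reissued
defp valid_user_data_cookie?(conn) do
  with {:ok, value} <- Map.fetch(conn.req_cookies, "lb_user_data"),
       {:ok, decoded} <- Base.decode64(value),
       {:ok, %{}} <- Jason.decode(decoded) do
    true
  else
    _ -> false
  end
end
```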


@ -4,7 +4,7 @@ defmodule LivebookWeb.EndpointTest do
test "delete cookies once they go over a certain limit", %{conn: conn} do test "delete cookies once they go over a certain limit", %{conn: conn} do
cookies = cookies =
Enum.map(1..5, &"c#{&1}=#{String.duplicate("a", 4096)}") ++ Enum.map(1..5, &"c#{&1}=#{String.duplicate("a", 4096)}") ++
Enum.map(1..5, &"lb:#{&1}=#{String.duplicate("a", 4096)}") Enum.map(1..5, &"lb_#{&1}=#{String.duplicate("a", 4096)}")
assert [ assert [
"c1=;" <> _, "c1=;" <> _,
@ -12,8 +12,8 @@ defmodule LivebookWeb.EndpointTest do
"c3=;" <> _, "c3=;" <> _,
"c4=;" <> _, "c4=;" <> _,
"c5=;" <> _, "c5=;" <> _,
"lb:session" <> _, "lb_session" <> _,
"lb:user_data" <> _ "lb_user_data" <> _
] = ] =
conn conn
|> put_req_header("cookie", Enum.join(cookies, "; ")) |> put_req_header("cookie", Enum.join(cookies, "; "))


@ -38,7 +38,7 @@ defmodule LivebookWeb.UserPlugTest do
"hex_color" => <<_::binary>>, "hex_color" => <<_::binary>>,
"id" => <<_::binary>>, "id" => <<_::binary>>,
"name" => nil "name" => nil
} = conn.cookies["lb:user_data"] |> Base.decode64!() |> Jason.decode!() } = conn.cookies["lb_user_data"] |> Base.decode64!() |> Jason.decode!()
end end
test "keeps user_data cookie if present" do test "keeps user_data cookie if present" do
@ -48,10 +48,10 @@ defmodule LivebookWeb.UserPlugTest do
conn = conn =
conn(:get, "/") conn(:get, "/")
|> init_test_session(%{}) |> init_test_session(%{})
|> put_req_cookie("lb:user_data", cookie_value) |> put_req_cookie("lb_user_data", cookie_value)
|> fetch_cookies() |> fetch_cookies()
|> call() |> call()
assert conn.cookies["lb:user_data"] == cookie_value assert conn.cookies["lb_user_data"] == cookie_value
end end
end end