Skip to content

fix: don't throw when a set-cookie string has no name-value-pair#82

Merged
nfriedly merged 1 commit into
nfriedly:masterfrom
spokodev:fix/hunt
Jul 9, 2026
Merged

fix: don't throw when a set-cookie string has no name-value-pair#82
nfriedly merged 1 commit into
nfriedly:masterfrom
spokodev:fix/hunt

Conversation

@spokodev

@spokodev spokodev commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

parseString (and therefore parseSetCookie) throws when a Set-Cookie string contains only semicolons/whitespace and no name-value-pair:

parseSetCookie(";")
// TypeError: Cannot read properties of undefined (reading 'split')

parseSetCookie([";", "foo=bar"])
// throws — and the valid foo=bar cookie is lost along with it

setCookieValue.split(";").filter(isNonEmptyString) yields an empty array for such input, so parts.shift() is undefined and parseNameValuePair(undefined) calls .split on it.

This is inconsistent with how the library already handles empty content: parseSetCookie("") and parseSetCookie(" ") return [], and invalid cookies (e.g. forbidden __proto__ names) are dropped rather than throwing. A string that is all semicolons has no name-value-pair, so per RFC 6265 §5.2 it should be ignored, not crash the parser.

Fix: return null when there is no name-value-pair, so it's filtered out exactly like the other ignored-cookie cases. parseSetCookie(";") now returns [], parseSetCookie([";", "foo=bar"]) returns just the valid cookie, and { map: true } returns {}.

Adds a regression test.

@nfriedly nfriedly left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you, this is great!

@nfriedly nfriedly merged commit d79cc2c into nfriedly:master Jul 9, 2026
3 checks passed
@nfriedly

nfriedly commented Jul 9, 2026

Copy link
Copy Markdown
Owner

This is now published to npm in v3.1.2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants