yuzucchii/jetzig
1
0
Fork 0
mirror of https://github.com/jetzig-framework/jetzig.git synced 2025-05-14 14:06:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'fix-session-nonce-re-use'

Browse Source
This commit is contained in:
Bob Farrell 2024-05-02 18:50:52 +01:00
commit 19da5362cf
1 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/jetzig/http/Session.zig
View File

@ -100,6 +100,8 @@ fn parseSessionCookie(self: *Self, cookie_value: []const u8) !void {
}
fn decrypt(self: *Self, data: []u8) ![]u8 {
if (data.len < Cipher.nonce_length + Cipher.tag_length) return error.JetzigInvalidSessionCookie;
const secret_bytes = std.mem.sliceAsBytes(self.encryption_key);
const key = secret_bytes[0..Cipher.key_length];
const nonce = data[0..Cipher.nonce_length];
@ -176,3 +178,19 @@ test "get value from parsed/decrypted cookie" {
var value = (try session.get("foo")).?;
try std.testing.expectEqualStrings("bar", try value.toString());
}
test "invalid cookie value - too short" {
const allocator = std.testing.allocator;
var cookies = jetzig.http.Cookies.init(
allocator,
"_jetzig-session=abc",
);
defer cookies.deinit();
try cookies.parse();
const secret: [Cipher.key_length]u8 = [_]u8{0x69} ** Cipher.key_length;
var session = Self.init(allocator, &cookies, &secret);
defer session.deinit();
try std.testing.expectError(error.JetzigInvalidSessionCookie, session.parse());
}