From 439a0c1206a49334a0f360e8f97e2a391d0da889 Mon Sep 17 00:00:00 2001
From: Bob Farrell
Date: Thu, 2 May 2024 18:48:47 +0100
Subject: [PATCH] Add bounds check for session decrypt data

---
 src/jetzig/http/Session.zig | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/src/jetzig/http/Session.zig b/src/jetzig/http/Session.zig
index 7ad1405..a88fb99 100644
--- a/src/jetzig/http/Session.zig
+++ b/src/jetzig/http/Session.zig
@@ -101,6 +101,8 @@ fn parseSessionCookie(self: *Self, cookie_value: []const u8) !void {
 }
 
 fn decrypt(self: *Self, data: []u8) ![]u8 {
+ if (data.len < Cipher.nonce_length + Cipher.tag_length) return error.JetzigInvalidSessionCookie;
+
 const secret_bytes = std.mem.sliceAsBytes(self.encryption_key);
 const key = secret_bytes[0..Cipher.key_length];
 const nonce = data[0..Cipher.nonce_length];
@@ -177,3 +179,19 @@ test "get value from parsed/decrypted cookie" {
 var value = (try session.get("foo")).?;
 try std.testing.expectEqualStrings("bar", try value.toString());
 }
+
+test "invalid cookie value - too short" {
+ const allocator = std.testing.allocator;
+ var cookies = jetzig.http.Cookies.init(
+ allocator,
+ "_jetzig-session=abc",
+ );
+ defer cookies.deinit();
+ try cookies.parse();
+
+ const secret: [Cipher.key_length]u8 = [_]u8{0x69} ** Cipher.key_length;
+ var session = Self.init(allocator, &cookies, &secret);
+ defer session.deinit();
+
+ try std.testing.expectError(error.JetzigInvalidSessionCookie, session.parse());
+}
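Review bot: The new guard at the top of `decrypt` carries no comment explaining why the minimum is `Cipher.nonce_length + Cipher.tag_length`. The input is a client-supplied cookie, so the reason belongs next to the check. I would add `// Cookie data is client-controlled: it must hold at least a nonce and an auth tag before it is sliced.` above the `if`. The rest of `decrypt` lies outside this hunk; if the authenticated-decryption call there can fail on a bad tag, it should presumably surface as the same `error.JetzigInvalidSessionCookie`. Callers would then have one error to treat as "no valid session", rather than having to tell truncated cookies from tampered ones.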
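Review bot: The added test only feeds a value far below the limit (`_jetzig-session=abc`), so it does not pin the boundary of the new length check. It also cannot show whether `error.JetzigInvalidSessionCookie` came from the guard in `decrypt` or from an earlier step inside `session.parse()`, which is not visible in this hunk. I would add two cases: one whose decoded payload is exactly `Cipher.nonce_length + Cipher.tag_length - 1` bytes, and one exactly at the limit. The first would catch an off-by-one in the comparison. The second would confirm that a minimum-length but unauthenticated cookie is still rejected rather than accepted as an empty session.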