feat(std/http): Validate cookie path value (#8457)

std/http/cookie.ts

@@ -70,6 +70,7 @@ function toString(cookie: Cookie): string {
     out.push(`SameSite=${cookie.sameSite}`);
   }
   if (cookie.path) {
+    validatePath(cookie.path);
     out.push(`Path=${cookie.path}`);
   }
   if (cookie.expires) {
@@ -92,6 +93,27 @@ function validateCookieName(name: string | undefined | null): void {
   }
 }
 
+/**
+ * Validate Path Value.
+ * @see https://tools.ietf.org/html/rfc6265#section-4.1.2.4
+ * @param path Path value.
+ */
+function validatePath(path: string | null): void {
+  if (path == null) {
+    return;
+  }
+  for (let i = 0; i < path.length; i++) {
+    const c = path.charAt(i);
+    if (
+      c < String.fromCharCode(0x20) || c > String.fromCharCode(0x7E) || c == ";"
+    ) {
+      throw new Error(
+        path + ": Invalid cookie path char '" + c + "'",
+      );
+    }
+  }
+}
+
 /**
  * Parse the cookies of the Server Request
  * @param req An object which has a `headers` property

std/http/cookie_test.ts

@@ -65,6 +65,29 @@ Deno.test({
   },
 });
 
+Deno.test({
+  name: "Cookie Path Validation",
+  fn(): void {
+    const res: Response = {};
+    const path = "/;domain=sub.domain.com";
+    res.headers = new Headers();
+    assertThrows(
+      (): void => {
+        setCookie(res, {
+          name: "Space",
+          value: "Cat",
+          httpOnly: true,
+          secure: true,
+          path,
+          maxAge: 3,
+        });
+      },
+      Error,
+      path + ": Invalid cookie path char ';'",
+    );
+  },
+});
+
 Deno.test({
   name: "Cookie Delete",
   fn(): void {