search

cypress-io / cypress

Fast, easy and reliable testing for anything that runs in a browser.
https://cypress.io
MIT License
46.86k stars 3.17k forks source link

Invalid cookies crash Cypress #962

Closed csabapalfi closed 6 years ago

csabapalfi commented 6 years ago

Is this a Feature or Bug?

Bug

Current behavior:

When a server responds with an invalid Set-Cookie header (e.g. containing a unicode character) then Cypress crashes.

Desired behavior:

When a server responds with an invalid Set-Cookie header (e.g. containing a unicode character) then Cypress could:

How to reproduce:

See test code below.

Test code:

describe('HomeAway', () => {
    it('Search Landing Page', () => {
        cy.visit('https://www.homeaway.com/d/1540e08a-4d04-41f1-9795-526cd5217516/new-york-city');
    });
});

Additional Info (images, stack traces, etc)

Our WAF (Incapsula) might be dropping that invalid cookie intentionally.

The error thrown:

TypeError: The header content contains invalid characters
    at ServerResponse.OutgoingMessage.setHeader (_http_outgoing.js:346:11)
    at ServerResponse.header (/Users/cpalfi/cypress/packages/server/node_modules/express/lib/response.js:700:10)
    at ServerResponse.append (/Users/cpalfi/cypress/packages/server/node_modules/express/lib/response.js:670:15)
    at /Users/cpalfi/cypress/packages/server/lib/controllers/proxy.coffee:193:14
    at Object.getHttpContent (/Users/cpalfi/cypress/packages/server/lib/controllers/proxy.coffee:233:7)
brian-mann commented 6 years ago

Curl'ing that URL gives me...

screen shot 2017-11-27 at 4 16 04 pm

I'm assuming the cookie that ends up on a new line is the one causing the problem. TBH I'm surprised the web works as well as it does.

I mean, Microsoft spent over $100 million dollars a year building IE6 and we know where that ended up.

brian-mann commented 6 years ago

TIL it appears any cookie name with an underscore is ignored by chrome. The new line causes the crash in node.

screen shot 2017-11-27 at 4 52 20 pm

csabapalfi commented 6 years ago

I think Incapsula (the Web Application Firewall that we use) drops that cookie only when certain conditions are met. I wonder if it's deliberately trying to break proxying the page to prevent scraping/abuse. Tbh I should probably reach out to those guys, too.

csabapalfi commented 6 years ago

Raised this with our security team here who are reaching out to Incapsula to confirm the reason behind the invalid cookies. I'm sure it's going to be some weird quirk.

jennifer-shehane commented 6 years ago

The code for this is done, but this has yet to be released. We'll update this issue and reference the changelog when it's released.

unr commented 5 years ago

Hey @csabapalfi did your team ever figure this out?

I'm having similar issues (outside of Cypress) where Incap is returning this invalid cookie, and crashing my node-http-proxy. :/

csabapalfi commented 5 years ago

I think it’s one of their built-in bot deterring features or something similar. We had to reach out to them and it got turned off for our domain.

unr commented 5 years ago

That’s where my own investigation has lead me. Appreciate the answer thank you! On Apr 16, 2019, 1:25 PM -0400, Csaba Palfi notifications@github.com, wrote:

I think it’s one of their built-in bot deterring features or something similar. We had to reach out to them and it got turned off for our domain. — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.