Cypress: Invalid cookies crash Cypress

Created on 27 Nov 2017 · 8Comments · Source: cypress-io/cypress

Operating System: macOS 10.12.6 (16G29)
Cypress Version: 1.1.1
Browser Version: Chrome 62

Is this a Feature or Bug?

Bug

Current behavior:

When a server responds with an invalid Set-Cookie header (e.g. containing a unicode character) then Cypress crashes.

Desired behavior:

When a server responds with an invalid Set-Cookie header (e.g. containing a unicode character) then Cypress could:

ignore the invalid cookie and log that
or maybe have a configuration option to ignore invalid cookies

How to reproduce:

See test code below.

Test code:

describe('HomeAway', () => {
    it('Search Landing Page', () => {
        cy.visit('https://www.homeaway.com/d/1540e08a-4d04-41f1-9795-526cd5217516/new-york-city');
    });
});

Additional Info (images, stack traces, etc)

Our WAF (Incapsula) might be dropping that invalid cookie intentionally.

The error thrown:

TypeError: The header content contains invalid characters
    at ServerResponse.OutgoingMessage.setHeader (_http_outgoing.js:346:11)
    at ServerResponse.header (/Users/cpalfi/cypress/packages/server/node_modules/express/lib/response.js:700:10)
    at ServerResponse.append (/Users/cpalfi/cypress/packages/server/node_modules/express/lib/response.js:670:15)
    at /Users/cpalfi/cypress/packages/server/lib/controllers/proxy.coffee:193:14
    at Object.getHttpContent (/Users/cpalfi/cypress/packages/server/lib/controllers/proxy.coffee:233:7)

pkserver bug

Source

csabapalfi

All 8 comments

Curl'ing that URL gives me...

screen shot 2017-11-27 at 4 16 04 pm

I'm assuming the cookie that ends up on a new line is the one causing the problem. TBH I'm surprised the web works as well as it does.

I mean, Microsoft spent over $100 million dollars a year building IE6 and we know where that ended up.

brian-mann on 27 Nov 2017

😄1

TIL it appears any cookie name with an underscore is ignored by chrome. The new line causes the crash in node.

screen shot 2017-11-27 at 4 52 20 pm

brian-mann on 27 Nov 2017

I think Incapsula (the Web Application Firewall that we use) drops that cookie only when certain conditions are met. I wonder if it's deliberately trying to break proxying the page to prevent scraping/abuse. Tbh I should probably reach out to those guys, too.

csabapalfi on 27 Nov 2017

Raised this with our security team here who are reaching out to Incapsula to confirm the reason behind the invalid cookies. I'm sure it's going to be some weird quirk.

csabapalfi on 28 Nov 2017

The code for this is done, but this has yet to be released. We'll update this issue and reference the changelog when it's released.

jennifer-shehane on 28 Nov 2017

Hey @csabapalfi did your team ever figure this out?

I'm having similar issues (outside of Cypress) where Incap is returning this invalid cookie, and crashing my node-http-proxy. :/

unr on 16 Apr 2019

I think it’s one of their built-in bot deterring features or something similar. We had to reach out to them and it got turned off for our domain.

csabapalfi on 16 Apr 2019

That’s where my own investigation has lead me. Appreciate the answer thank you!
On Apr 16, 2019, 1:25 PM -0400, Csaba Palfi notifications@github.com, wrote:

I think it’s one of their built-in bot deterring features or something similar. We had to reach out to them and it got turned off for our domain.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.

unr on 16 Apr 2019

👍1

Was this page helpful?

0 / 5 - 0 ratings