Merge pull request #1593 from elysiajs/next

SaltyAom · web-flow · commit 07b449a3a351 · 2025-12-04T16:03:46.000+07:00
patch 1.4.18
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+# 1.4.18 - 4 Dec 2025
+Security:
+- use `JSON.stringify` over custom escape implementation
+
 # 1.4.17 - 2 Dec 2025
 Improvement:
 - [#1573](https://github.com/elysiajs/elysia/pull/1573) `Server` is always resolved to `any` when `@types/bun` is missing
diff --git a/example/a.ts b/example/a.ts
@@ -3,14 +3,10 @@ import * as z from 'zod'
 import { post, req } from '../test/utils'
 
 const app = new Elysia({
-	cookie: { secrets: 'secrets', sign: 'session' }
+	cookie: {
+		domain: "\\` + console.log(c.q='pwn2') }) //"
+	}
 })
-	.onError(({ code, error }) => {
-		console.log({ code })
-
-		if (code === 'INVALID_COOKIE_SIGNATURE')
-			return 'Where is the signature?'
-	})
 	.get('/', ({ cookie: { session } }) => 'awd')
 
 console.log(app.routes[0].compile().toString())
diff --git a/example/stress/instance.ts b/example/stress/instance.ts
@@ -9,7 +9,14 @@ const memory = process.memoryUsage().heapTotal / 1024 / 1024
 const t1 = performance.now()
 
 for (let i = 0; i < total; i++) {
-	const plugin = new Elysia()
+	const plugin = new Elysia({
+		cookie: {
+			domain: 'saltyaom.com',
+			priority: 'high',
+			secrets: 'a',
+			sign: 'a'
+		}
+	})
 
 	for (let j = 0; j < sub; j++) plugin.get(`/${i * sub + j}`, () => 'hi')
 
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
 	"name": "elysia",
 	"description": "Ergonomic Framework for Human",
-	"version": "1.4.17",
+	"version": "1.4.18",
 	"author": {
 		"name": "saltyAom",
 		"url": "https://github.com/SaltyAom",
diff --git a/src/compose.ts b/src/compose.ts
@@ -67,13 +67,6 @@ import { tee } from './adapter/utils'
 const allocateIf = (value: string, condition: unknown) =>
 	condition ? value : ''
 
-const overrideUnsafeQuote = (value: string) =>
-	// '`' + value + '`'
-	'`' + value.replace(/`/g, '\\`').replace(/\${/g, '$\\{') + '`'
-
-const overrideUnsafeQuoteArrayValue = (value: string) =>
-	value.replace(/`/g, '\\`').replace(/\${/g, '$\\{')
-
 const defaultParsers = [
 	'json',
 	'text',
@@ -606,16 +599,16 @@ export const composeHandler = ({
 			if (cookieMeta.sign === true)
 				_encodeCookie +=
 					'for(const [key, cookie] of Object.entries(_setCookie)){' +
-					`c.set.cookie[key].value=await signCookie(cookie.value,${!secret ? 'undefined' : overrideUnsafeQuote(secret)})` +
+					`c.set.cookie[key].value=await signCookie(cookie.value,${!secret ? 'undefined' : JSON.stringify(secret)})` +
 					'}'
 			else {
 				if (typeof cookieMeta.sign === 'string')
 					cookieMeta.sign = [cookieMeta.sign]
 
 				for (const name of cookieMeta.sign)
 					_encodeCookie +=
-						`if(_setCookie[${overrideUnsafeQuote(name)}]?.value)` +
-						`c.set.cookie[${overrideUnsafeQuote(name)}].value=await signCookie(_setCookie[${overrideUnsafeQuote(name)}].value,${!secret ? 'undefined' : overrideUnsafeQuote(secret)})\n`
+						`if(_setCookie[${JSON.stringify(name)}]?.value)` +
+						`c.set.cookie[${JSON.stringify(name)}].value=await signCookie(_setCookie[${JSON.stringify(name)}].value,${!secret ? 'undefined' : JSON.stringify(secret)})\n`
 			}
 
 			_encodeCookie += '}\n'
@@ -663,7 +656,7 @@ export const composeHandler = ({
 					: `${name}:${defaultValue},`
 
 			if (typeof value === 'string')
-				return `${name}:${overrideUnsafeQuote(value)},`
+				return `${name}:${JSON.stringify(value)},`
 			if (value instanceof Date)
 				return `${name}: new Date(${value.getTime()}),`
 
@@ -674,11 +667,11 @@ export const composeHandler = ({
 			? `{secrets:${
 					cookieMeta.secrets !== undefined
 						? typeof cookieMeta.secrets === 'string'
-							? overrideUnsafeQuote(cookieMeta.secrets)
+							? JSON.stringify(cookieMeta.secrets)
 							: '[' +
 								cookieMeta.secrets
-									.map(overrideUnsafeQuoteArrayValue)
-									.reduce((a, b) => a + `'${b}',`, '') +
+									.map((x) => JSON.stringify(x))
+									.join(',') +
 								']'
 						: 'undefined'
 				},` +
@@ -687,11 +680,11 @@ export const composeHandler = ({
 						? true
 						: cookieMeta.sign !== undefined
 							? typeof cookieMeta.sign === 'string'
-								? overrideUnsafeQuote(cookieMeta.sign)
+								? JSON.stringify(cookieMeta.sign)
 								: '[' +
 									cookieMeta.sign
-										.map(overrideUnsafeQuoteArrayValue)
-										.reduce((a, b) => a + `'${b}',`, '') +
+										.map((x) => JSON.stringify(x))
+										.join(',') +
 									']'
 							: 'undefined'
 				},` +

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "elysia",`
`3`	`3`	`"description": "Ergonomic Framework for Human",`
`4`		`- "version": "1.4.17",`
	`4`	`+ "version": "1.4.18",`
`5`	`5`	`"author": {`
`6`	`6`	`"name": "saltyAom",`
`7`	`7`	`"url": "https://github.com/SaltyAom",`