fix(core): skip malformed cookie fragments in mergeCookies#3822
Open
anxkhn wants to merge 1 commit into
Open
Conversation
`mergeCookies()` split each source cookie string on `; ` and forced the result of `Cookie.parse()` with a non-null assertion. tough-cookie's `Cookie.parse` returns `undefined` (it does not throw) for an unparseable fragment, such as a bare name with no `=` (e.g. `sessionid`) or one starting with `=`. The assertion suppressed that, so the next `.key` access (and `setCookieSync`) threw `TypeError: Cannot read properties of undefined`. Because this runs on the navigation hot path for every request that carries a user-supplied cookie header, a single malformed fragment turned into a confusing crash that repeated until the request failed. Guard the parsed cookie and skip fragments that cannot be parsed, matching the existing defensive `continue`s in the same loop. Valid cookies are unaffected.
barjin
reviewed
Jul 7, 2026
barjin
left a comment
Member
There was a problem hiding this comment.
Thank you for your interest in this project @anxkhn !
The change you're describing is breaking - Crawlee would now silently swallow errors about invalid cookies. I believe we want to keep the throwing behaviour.
If you think the error message is confusing or doesn't correctly describe the source of the error, I'd prefer to update the error handling (e.g., share more information about the error in the message). What do you think?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
mergeCookies()splits each source cookie string on;and forced the resultof
Cookie.parse()with a non-null assertion:tough-cookie's
Cookie.parsereturnsundefined(it does not throw) for afragment it cannot parse, for example a bare name with no
=(sessionid) orone that starts with
=. The!suppressed thatundefined, so the very nextline dereferenced it and threw:
This runs on the navigation hot path:
http-based crawlers callmergeCookiesfor every request that carries a cookie header, and that header can be an
arbitrary string a user set on the
Request. A single malformed fragment turnsinto a confusing crash that repeats on every retry until the request is marked
failed, instead of the fragment simply being ignored.
The fix guards the parsed cookie and skips fragments that cannot be parsed,
matching the two existing defensive
continues already in the same loop. Validcookies are unaffected.
Testing
Added a regression test next to the existing
mergeCookies()test intest/core/crawlers/cheerio_crawler.test.ts. It fails onmasterwith theTypeErrorabove and passes with the fix:yarn vitest run test/core/crawlers/cheerio_crawler.test.ts-> 48 passed.Lint (
eslint), typecheck (tsc --noEmit -p packages/core/tsconfig.json), andbiome formatare all clean.