Validate session id in file session storage (#10806)

Author: brophdawg11

CHANGELOG.md

@@ -13,162 +13,164 @@ We manage release notes in this file instead of the paginated GitHub Releases Pa
   <summary>Table of Contents</summary>
 
 - [Remix v2 Releases](#remix-v2-releases)
-  - [v2.17.1](#v2171)
+  - [v2.17.2](#v2172)
     - [Patch Changes](#patch-changes)
+  - [v2.17.1](#v2171)
+    - [Patch Changes](#patch-changes-1)
   - [v2.17.0](#v2170)
     - [Minor Changes](#minor-changes)
     - [Changes by Package](#changes-by-package)
   - [v2.16.8](#v2168)
-    - [Patch Changes](#patch-changes-1)
-  - [v2.16.7](#v2167)
     - [Patch Changes](#patch-changes-2)
-  - [v2.16.6](#v2166)
+  - [v2.16.7](#v2167)
     - [Patch Changes](#patch-changes-3)
-  - [v2.16.5](#v2165)
+  - [v2.16.6](#v2166)
     - [Patch Changes](#patch-changes-4)
-  - [v2.16.4](#v2164)
+  - [v2.16.5](#v2165)
     - [Patch Changes](#patch-changes-5)
+  - [v2.16.4](#v2164)
+    - [Patch Changes](#patch-changes-6)
   - [v2.16.3](#v2163)
     - [Security Notice](#security-notice)
-    - [Patch Changes](#patch-changes-6)
-  - [v2.16.2](#v2162)
     - [Patch Changes](#patch-changes-7)
-  - [v2.16.1](#v2161)
+  - [v2.16.2](#v2162)
     - [Patch Changes](#patch-changes-8)
+  - [v2.16.1](#v2161)
+    - [Patch Changes](#patch-changes-9)
   - [v2.16.0](#v2160)
     - [Minor Changes](#minor-changes-1)
-    - [Patch Changes](#patch-changes-9)
+    - [Patch Changes](#patch-changes-10)
     - [Updated Dependencies](#updated-dependencies)
   - [v2.15.3](#v2153)
-    - [Patch Changes](#patch-changes-10)
+    - [Patch Changes](#patch-changes-11)
     - [Updated Dependencies](#updated-dependencies-1)
   - [v2.15.2](#v2152)
-    - [Patch Changes](#patch-changes-11)
+    - [Patch Changes](#patch-changes-12)
     - [Updated Dependencies](#updated-dependencies-2)
   - [v2.15.1](#v2151)
-    - [Patch Changes](#patch-changes-12)
-  - [v2.15.0](#v2150)
     - [Patch Changes](#patch-changes-13)
+  - [v2.15.0](#v2150)
+    - [Patch Changes](#patch-changes-14)
   - [v2.14.0](#v2140)
     - [Minor Changes](#minor-changes-2)
-    - [Patch Changes](#patch-changes-14)
+    - [Patch Changes](#patch-changes-15)
     - [Updated Dependencies](#updated-dependencies-3)
     - [Changes by Package](#changes-by-package-1)
   - [v2.13.1](#v2131)
-    - [Patch Changes](#patch-changes-15)
+    - [Patch Changes](#patch-changes-16)
   - [v2.13.0](#v2130)
     - [What's Changed](#whats-changed)
       - [Stabilized APIs](#stabilized-apis)
     - [Minor Changes](#minor-changes-3)
-    - [Patch Changes](#patch-changes-16)
+    - [Patch Changes](#patch-changes-17)
     - [Updated Dependencies](#updated-dependencies-4)
     - [Changes by Package](#changes-by-package-2)
   - [v2.12.1](#v2121)
-    - [Patch Changes](#patch-changes-17)
+    - [Patch Changes](#patch-changes-18)
     - [Changes by Package](#changes-by-package-3)
   - [v2.12.0](#v2120)
     - [What's Changed](#whats-changed-1)
       - [Future Flag for Automatic Dependency Optimization (unstable)](#future-flag-for-automatic-dependency-optimization-unstable)
       - [Improved Single Fetch Type Safety (unstable)](#improved-single-fetch-type-safety-unstable)
       - [Updates to Single Fetch Revalidation Behavior (unstable)](#updates-to-single-fetch-revalidation-behavior-unstable)
     - [Minor Changes](#minor-changes-4)
-    - [Patch Changes](#patch-changes-18)
+    - [Patch Changes](#patch-changes-19)
     - [Updated Dependencies](#updated-dependencies-5)
     - [Changes by Package](#changes-by-package-4)
   - [v2.11.2](#v2112)
-    - [Patch Changes](#patch-changes-19)
+    - [Patch Changes](#patch-changes-20)
     - [Updated Dependencies](#updated-dependencies-6)
     - [Changes by Package](#changes-by-package-5)
   - [v2.11.1](#v2111)
-    - [Patch Changes](#patch-changes-20)
+    - [Patch Changes](#patch-changes-21)
     - [Changes by Package](#changes-by-package-6)
   - [v2.11.0](#v2110)
     - [What's Changed](#whats-changed-2)
       - [Renamed `unstable_fogOfWar` future flag to `unstable_lazyRouteDiscovery` (unstable)](#renamed-unstable_fogofwar-future-flag-to-unstable_lazyroutediscovery-unstable)
       - [Removed `response` stub in Single Fetch (unstable)](#removed-response-stub-in-single-fetch-unstable)
     - [Minor Changes](#minor-changes-5)
-    - [Patch Changes](#patch-changes-21)
+    - [Patch Changes](#patch-changes-22)
     - [Updated Dependencies](#updated-dependencies-7)
     - [Changes by Package](#changes-by-package-7)
   - [v2.10.3](#v2103)
-    - [Patch Changes](#patch-changes-22)
+    - [Patch Changes](#patch-changes-23)
     - [Updated Dependencies](#updated-dependencies-8)
     - [Changes by Package](#changes-by-package-8)
   - [v2.10.2](#v2102)
-    - [Patch Changes](#patch-changes-23)
+    - [Patch Changes](#patch-changes-24)
     - [Changes by Package](#changes-by-package-9)
   - [v2.10.1](#v2101)
-    - [Patch Changes](#patch-changes-24)
+    - [Patch Changes](#patch-changes-25)
     - [Updated Dependencies](#updated-dependencies-9)
     - [Changes by Package](#changes-by-package-10)
   - [v2.10.0](#v2100)
     - [What's Changed](#whats-changed-3)
       - [Lazy Route Discovery (a.k.a. "Fog of War")](#lazy-route-discovery-aka-fog-of-war)
     - [Minor Changes](#minor-changes-6)
-    - [Patch Changes](#patch-changes-25)
+    - [Patch Changes](#patch-changes-26)
     - [Updated Dependencies](#updated-dependencies-10)
     - [Changes by Package](#changes-by-package-11)
   - [v2.9.2](#v292)
     - [What's Changed](#whats-changed-4)
       - [Updated Type-Safety for Single Fetch](#updated-type-safety-for-single-fetch)
-    - [Patch Changes](#patch-changes-26)
+    - [Patch Changes](#patch-changes-27)
     - [Updated Dependencies](#updated-dependencies-11)
     - [Changes by Package](#changes-by-package-12)
   - [v2.9.1](#v291)
-    - [Patch Changes](#patch-changes-27)
+    - [Patch Changes](#patch-changes-28)
     - [Changes by Package](#changes-by-package-13)
   - [v2.9.0](#v290)
     - [What's Changed](#whats-changed-5)
       - [Single Fetch (unstable)](#single-fetch-unstable)
       - [Undici](#undici)
     - [Minor Changes](#minor-changes-7)
-    - [Patch Changes](#patch-changes-28)
+    - [Patch Changes](#patch-changes-29)
     - [Updated Dependencies](#updated-dependencies-12)
     - [Changes by Package](#changes-by-package-14)
   - [v2.8.1](#v281)
-    - [Patch Changes](#patch-changes-29)
+    - [Patch Changes](#patch-changes-30)
     - [Updated Dependencies](#updated-dependencies-13)
     - [Changes by Package](#changes-by-package-15)
   - [v2.8.0](#v280)
     - [Minor Changes](#minor-changes-8)
-    - [Patch Changes](#patch-changes-30)
+    - [Patch Changes](#patch-changes-31)
     - [Updated Dependencies](#updated-dependencies-14)
     - [Changes by Package](#changes-by-package-16)
   - [2.7.2](#272)
-    - [Patch Changes](#patch-changes-31)
-  - [2.7.1](#271)
     - [Patch Changes](#patch-changes-32)
+  - [2.7.1](#271)
+    - [Patch Changes](#patch-changes-33)
   - [v2.7.0](#v270)
     - [What's Changed](#whats-changed-6)
       - [Stabilized Vite Plugin](#stabilized-vite-plugin)
       - [New `Layout` Export](#new-layout-export)
       - [Basename support](#basename-support)
       - [Cloudflare Proxy as a Vite Plugin](#cloudflare-proxy-as-a-vite-plugin)
     - [Minor Changes](#minor-changes-9)
-    - [Patch Changes](#patch-changes-33)
+    - [Patch Changes](#patch-changes-34)
     - [Updated Dependencies](#updated-dependencies-15)
     - [Changes by Package](#changes-by-package-17)
   - [v2.6.0](#v260)
     - [What's Changed](#whats-changed-7)
       - [Unstable Vite Plugin updates](#unstable-vite-plugin-updates)
     - [Minor Changes](#minor-changes-10)
-    - [Patch Changes](#patch-changes-34)
+    - [Patch Changes](#patch-changes-35)
     - [Updated Dependencies](#updated-dependencies-16)
     - [Changes by Package](#changes-by-package-18)
   - [v2.5.1](#v251)
-    - [Patch Changes](#patch-changes-35)
+    - [Patch Changes](#patch-changes-36)
     - [Updated Dependencies](#updated-dependencies-17)
     - [Changes by Package](#changes-by-package-19)
   - [v2.5.0](#v250)
     - [What's Changed](#whats-changed-8)
       - [SPA Mode (unstable)](#spa-mode-unstable)
       - [Server Bundles (unstable)](#server-bundles-unstable)
     - [Minor Changes](#minor-changes-11)
-    - [Patch Changes](#patch-changes-36)
+    - [Patch Changes](#patch-changes-37)
     - [Updated Dependencies](#updated-dependencies-18)
     - [Changes by Package](#changes-by-package-20)
   - [v2.4.1](#v241)
-    - [Patch Changes](#patch-changes-37)
+    - [Patch Changes](#patch-changes-38)
     - [Updated Dependencies](#updated-dependencies-19)
     - [Changes by Package](#changes-by-package-21)
   - [v2.4.0](#v240)
@@ -177,19 +179,19 @@ We manage release notes in this file instead of the paginated GitHub Releases Pa
       - [`future.v3_relativeSplatPath`](#futurev3_relativesplatpath)
       - [Vite Updates (Unstable)](#vite-updates-unstable)
     - [Minor Changes](#minor-changes-12)
-    - [Patch Changes](#patch-changes-38)
+    - [Patch Changes](#patch-changes-39)
     - [Updated Dependencies](#updated-dependencies-20)
     - [Changes by Package](#changes-by-package-22)
   - [v2.3.1](#v231)
-    - [Patch Changes](#patch-changes-39)
+    - [Patch Changes](#patch-changes-40)
     - [Updated Dependencies](#updated-dependencies-21)
     - [Changes by Package](#changes-by-package-23)
   - [v2.3.0](#v230)
     - [What's Changed](#whats-changed-10)
       - [Stabilized `useBlocker`](#stabilized-useblocker)
       - [`unstable_flushSync` API](#unstable_flushsync-api)
     - [Minor Changes](#minor-changes-13)
-    - [Patch Changes](#patch-changes-40)
+    - [Patch Changes](#patch-changes-41)
     - [Updated Dependencies](#updated-dependencies-22)
     - [Changes by Package](#changes-by-package-24)
   - [v2.2.0](#v220)
@@ -198,19 +200,19 @@ We manage release notes in this file instead of the paginated GitHub Releases Pa
       - [New Fetcher APIs](#new-fetcher-apis)
       - [Persistence Future Flag](#persistence-future-flag)
     - [Minor Changes](#minor-changes-14)
-    - [Patch Changes](#patch-changes-41)
+    - [Patch Changes](#patch-changes-42)
     - [Updated Dependencies](#updated-dependencies-23)
     - [Changes by Package](#changes-by-package-25)
   - [v2.1.0](#v210)
     - [What's Changed](#whats-changed-12)
       - [View Transitions](#view-transitions)
       - [Stable `createRemixStub`](#stable-createremixstub)
     - [Minor Changes](#minor-changes-15)
-    - [Patch Changes](#patch-changes-42)
+    - [Patch Changes](#patch-changes-43)
     - [Updated Dependencies](#updated-dependencies-24)
     - [Changes by Package](#changes-by-package-26)
   - [v2.0.1](#v201)
-    - [Patch Changes](#patch-changes-43)
+    - [Patch Changes](#patch-changes-44)
     - [Changes by Package 🔗](#changes-by-package-)
   - [v2.0.0](#v200)
     - [Breaking Changes](#breaking-changes)
@@ -242,6 +244,17 @@ Date: YYYY-MM-DD
 
 -->
 
+## v2.17.2
+
+Date: 2025-10-30
+
+### Patch Changes
+
+- `@remix-run/deno` - Validate format of incoming session ids in `createFileSessionStorage`
+- `@remix-run/node` - Validate format of incoming session ids in `createFileSessionStorage`
+
+**Full Changelog**: [`v2.17.1...v2.17.2`](https://github.com/remix-run/remix/compare/remix@2.17.1...remix@2.17.2)
+
 ## v2.17.1
 
 Date: 2025-09-17

packages/remix-deno/sessions/fileStorage.ts

@@ -50,6 +50,9 @@ export function createFileSessionStorage<Data = SessionData, FlashData = Data>({
 
         try {
           const file = getFile(dir, id);
+          if (!file) {
+            throw new Error("Error generating session");
+          }
           const exists = await Deno.stat(file)
             .then((s) => s.isFile)
             .catch(() => false);
@@ -69,6 +72,9 @@ export function createFileSessionStorage<Data = SessionData, FlashData = Data>({
     readData: async (id) => {
       try {
         const file = getFile(dir, id);
+        if (!file) {
+          return null;
+        }
         const content = JSON.parse(await Deno.readTextFile(file));
         const data = content.data;
         const expires = typeof content.expires === "string"
@@ -91,20 +97,31 @@ export function createFileSessionStorage<Data = SessionData, FlashData = Data>({
     updateData: async (id, data, expires) => {
       const content = JSON.stringify({ data, expires });
       const file = getFile(dir, id);
+      if (!file) {
+        return;
+      }
       await Deno.mkdir(path.dirname(file), { recursive: true }).catch(() => {});
       await Deno.writeTextFile(file, content);
     },
     deleteData: async (id) => {
       try {
-        await Deno.remove(getFile(dir, id));
+        const file = getFile(dir, id);
+        if (!file) {
+          return;
+        }
+        await Deno.remove(file);
       } catch (error) {
         if (error.code !== "ENOENT") throw error;
       }
     },
   });
 }
 
-function getFile(dir: string, id: string): string {
+function getFile(dir: string, id: string): string | null {
+  if (!/^[0-9a-f]{16}$/i.test(id)) {
+    return null;
+  }
+
   // Divide the session id up into a directory (first 2 bytes) and filename
   // (remaining 6 bytes) to reduce the chance of having very large directories,
   // which should speed up file access. This is a maximum of 2^16 directories,

packages/remix-node/__tests__/sessions-test.ts

@@ -51,6 +51,31 @@ describe("File session storage", () => {
     expect(session.get("user")).toBeUndefined();
   });
 
+  it("returns an empty session for invalid session ids", async () => {
+    let spy = jest.spyOn(console, "warn").mockImplementation(() => {});
+    let { getSession, commitSession } = createFileSessionStorage({
+      dir,
+    });
+
+    let cookie = `__session=${btoa(JSON.stringify("0123456789abcdef"))}`;
+    let session = await getSession(cookie);
+    session.set("user", "mjackson");
+    expect(session.get("user")).toBe("mjackson");
+    let setCookie = await commitSession(session);
+    session = await getSession(getCookieFromSetCookie(setCookie));
+    expect(session.get("user")).toBe("mjackson");
+
+    cookie = `__session=${btoa(JSON.stringify("0123456789abcdeg"))}`;
+    session = await getSession(cookie);
+    session.set("user", "mjackson");
+    expect(session.get("user")).toBe("mjackson");
+    setCookie = await commitSession(session);
+    session = await getSession(getCookieFromSetCookie(setCookie));
+    expect(session.get("user")).toBeUndefined();
+
+    spy.mockRestore();
+  });
+
   it("doesn't destroy the entire session directory when destroying an empty file session", async () => {
     let { getSession, destroySession } = createFileSessionStorage({
       dir,