From 0c77dd6f63d37e16d5ae3a3fe4df48ee02f714f8 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson
Date: Wed, 13 Apr 2022 22:08:30 -0400
Subject: [PATCH] Fix "maxAge" option to reject invalid values
---
 HISTORY.md | 1 +
 index.js | 4 ++++
 test/cookie.js | 18 ++++++++++++++++++
 3 files changed, 23 insertions(+)
diff --git a/HISTORY.md b/HISTORY.md
index 73ef0cb..052d791 100644
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -3,6 +3,7 @@ unreleased
 * Add `priority` option for Priority cookie support
 * Fix accidental cookie name/value truncation when given invalid chars
+ * Fix `maxAge` option to reject invalid values
 * Remove quotes from returned quoted cookie value
 * Use `req.socket` over deprecated `req.connection`
 * pref: small lookup regexp optimization
diff --git a/index.js b/index.js
index 999c1c4..23c30bc 100644
--- a/index.js
+++ b/index.js
@@ -172,6 +172,10 @@ function Cookie(name, value, attrs) {
 throw new TypeError('option domain is invalid');
 }
+ if (typeof this.maxAge === 'number' ? (isNaN(this.maxAge) || !isFinite(this.maxAge)) : this.maxAge) {
+ throw new TypeError('option maxAge is invalid')
+ }
+
 if (this.priority && !PRIORITY_REGEXP.test(this.priority)) {
 throw new TypeError('option priority is invalid')
 }
diff --git a/test/cookie.js b/test/cookie.js
index 47f0433..b0daea9 100644
--- a/test/cookie.js
+++ b/test/cookie.js
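Review bot: The new `maxAge` guard in `Cookie` accepts every finite number, so a very large value such as `1e300` still passes; if `maxAge` is later added to the current time to build the expiry date (that code is outside the hunk), the result would be an invalid Date and a malformed `expires` attribute. Consider bounding the accepted range as well, and documenting what the ternary deliberately allows with a comment such as `// numbers must be finite; non-numbers are accepted only when falsy (unset), so numeric strings are rejected`. `isNaN(this.maxAge)` is redundant because `!isFinite(this.maxAge)` is already true for NaN, so the numeric branch can be just `!isFinite(this.maxAge)`. The `Cookie` function starts and ends outside the hunk.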
@@ -61,6 +61,24 @@ describe('new Cookie(name, value, [options])', function () {
 var cookie = new cookies.Cookie('foo', 'bar', { maxAge: 86400 })
 assert.equal(cookie.maxage, 86400)
 })
+
+ it('should throw on invalid value', function () {
+ assert.throws(function () {
+ new cookies.Cookie('foo', 'bar', { maxAge: 'foo' })
+ }, /option maxAge is invalid/)
+ })
+
+ it('should throw on Infinity', function () {
+ assert.throws(function () {
+ new cookies.Cookie('foo', 'bar', { maxAge: Infinity })
+ }, /option maxAge is invalid/)
+ })
+
+ it('should throw on NaN', function () {
+ assert.throws(function () {
+ new cookies.Cookie('foo', 'bar', { maxAge: NaN })
+ }, /option maxAge is invalid/)
+ })
 })
 describe('priority', function () {
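Review bot: The added tests pin only three rejected inputs (`'foo'`, `Infinity`, `NaN`) and leave the accepted side of the new check untested, so a later rewrite of the ternary could start rejecting `0` or an unset `maxAge` without any test failing. A numeric string is the most likely caller mistake and deserves its own case, `assert.throws(function () { new cookies.Cookie('foo', 'bar', { maxAge: '86400' }) }, /option maxAge is invalid/)`, alongside a positive case such as `assert.doesNotThrow(function () { new cookies.Cookie('foo', 'bar', { maxAge: 0 }) })`. `-Infinity` is also worth adding next to the `Infinity` test. The enclosing `describe` block starts outside the hunk.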