fix: reject non-ascii octets in validateCookiePath

[spokodev]

What

validateCookiePath in lib/web/cookies/util.js accepts octets above 0x7E (non-ascii and C1 controls), which RFC 6265 prohibits for a cookie path.

Why

RFC 6265 §4.1.1 defines:

path-value = <any CHAR except CTLs or ";">

where CHAR is a US-ASCII character (0x00-0x7F). The current check rejects code < 0x20 (CTLs), code === 0x7F (DEL) and code === 0x3B (;), but has no upper bound, so any code point from 0x80 to 0xFF passes:

validateCookiePath('/a\xE9') // é — currently returns undefined, should throw

This is inconsistent with the two sibling validators in the same file, which both reject code > 0x7E:

• validateCookieName — code > 0x7E present
• validateCookieValue — code > 0x7E present
• validateCookiePath — code > 0x7E missing

validateCookieName('a\xE9')  // throws (correct)
validateCookieValue('a\xE9') // throws (correct)
validateCookiePath('/a\xE9') // does not throw (this PR)

It is reachable from the public setCookie(headers, { path }) API. This is a conformance defect, not a security issue: CR, LF and other control octets are already rejected by the code < 0x20 clause, so no header injection is possible.

Fix

Replace the redundant code === 0x7F clause with the upper bound code > 0x7E, matching the sibling validators. DEL (0x7F) stays rejected because 0x7F > 0x7E.

     if (
       code < 0x20 || // exclude CTLs (0-31)
-      code === 0x7F || // DEL
+      code > 0x7E || // exclude non-ascii and DEL
       code === 0x3B // ;
     ) {

Tests

Added a case to test/cookie/validate-cookie-path.js asserting that a non-ascii path and the C1 control range throw. It fails on main (Missing expected exception) and passes with the fix. The existing DEL and printable-character cases still pass.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.47%. Comparing base (0f1f890) to head (5a96e95).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #5452   +/-   ##
=======================================
  Coverage   93.46%   93.47%           
=======================================
  Files         110      110           
  Lines       37106    37106           
=======================================
+ Hits        34682    34683    +1     
+ Misses       2424     2423    -1     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.