fix(msal-browser): CookieStorage tolerates malformed percent-encoded cookies from unrelated third parties (#8549)

- [x] Fix `CookieStorage.getItem` to compare raw (encoded) key before
decoding, avoiding `decodeURIComponent` on unrelated cookies
- [x] Fix `CookieStorage.getKeys` to split on `=` first and wrap
`decodeURIComponent` of the key in try-catch to skip malformed cookies
- [x] Add tests for `getItem` and `getKeys` with malformed/invalid
percent-encoded cookies
- [x] Add test: `getItem` returns raw value when matching MSAL cookie
has a malformed percent-encoded value (fallback branch)
- [x] Add test: `getKeys` still includes keys when the cookie value (not
key) has a malformed percent-encoded sequence
- [x] Create changefile for the fix
- [x] Fix prettier formatting in source and test files

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: tnorling <5307810+tnorling@users.noreply.github.com>
Co-authored-by: Thomas Norling <thomas.norling@microsoft.com>

Author: Copilot

change/@azure-msal-browser-d9418b5d-5917-4f34-bbb4-d3fa16d1a1f7.json

@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "Fix CookieStorage.getItem and getKeys throwing URIError when unrelated cookies contain invalid percent-encoded sequences [#7531](https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/7531)",
+  "packageName": "@azure/msal-browser",
+  "email": "198982749+Copilot@users.noreply.github.com",
+  "dependentChangeType": "patch"
+}

lib/msal-browser/src/cache/CookieStorage.ts

@@ -25,15 +25,21 @@ export class CookieStorage implements IWindowStorage<string> {
     }
 
     getItem(key: string): string | null {
-        const name = `${encodeURIComponent(key)}`;
+        const name = encodeURIComponent(key);
         const cookieList = document.cookie.split(";");
         for (let i = 0; i < cookieList.length; i++) {
-            const cookie = cookieList[i];
-            const [key, ...rest] = decodeURIComponent(cookie).trim().split("=");
-            const value = rest.join("=");
-
-            if (key === name) {
-                return value;
+            const cookie = cookieList[i].trim();
+            const eqIndex = cookie.indexOf("=");
+            const rawKey =
+                eqIndex === -1 ? cookie : cookie.substring(0, eqIndex);
+            if (rawKey === name) {
+                const rawValue =
+                    eqIndex === -1 ? "" : cookie.substring(eqIndex + 1);
+                try {
+                    return decodeURIComponent(rawValue);
+                } catch {
+                    return rawValue;
+                }
             }
         }
         return "";
@@ -82,8 +88,15 @@ export class CookieStorage implements IWindowStorage<string> {
         const cookieList = document.cookie.split(";");
         const keys: Array<string> = [];
         cookieList.forEach((cookie) => {
-            const cookieParts = decodeURIComponent(cookie).trim().split("=");
-            keys.push(cookieParts[0]);
+            const trimmed = cookie.trim();
+            const eqIndex = trimmed.indexOf("=");
+            const rawKey =
+                eqIndex === -1 ? trimmed : trimmed.substring(0, eqIndex);
+            try {
+                keys.push(decodeURIComponent(rawKey));
+            } catch {
+                // Skip cookies with malformed percent-encoded sequences in the key
+            }
         });
 
         return keys;

lib/msal-browser/test/cache/CookieStorage.spec.ts

@@ -70,6 +70,34 @@ describe("CookieStorage tests", () => {
         expect(cookieStorage.getItem(msalCacheKey)).toBe(cacheVal);
     });
 
+    it("getItem returns correct value when unrelated cookie has malformed percent-encoded sequence", () => {
+        cookieStorage.setItem(msalCacheKey, cacheVal);
+        // Simulate an unrelated cookie with an invalid UTF-8 percent sequence (e.g. latin1 %E4)
+        jest.spyOn(document, "cookie", "get").mockReturnValue(
+            `someTracker=Kraftr%E4ume; ${msalCacheKey}=${encodeURIComponent(
+                cacheVal
+            )}`
+        );
+        expect(cookieStorage.getItem(msalCacheKey)).toBe(cacheVal);
+    });
+
+    it("getItem does not throw when all unrelated cookies have malformed percent-encoded sequences", () => {
+        jest.spyOn(document, "cookie", "get").mockReturnValue(
+            `badCookie1=val%E4ue; badCookie2=%GGinvalid`
+        );
+        expect(() => cookieStorage.getItem(msalCacheKey)).not.toThrow();
+        expect(cookieStorage.getItem(msalCacheKey)).toBe("");
+    });
+
+    it("getItem returns raw value when matching MSAL cookie has malformed percent-encoded value", () => {
+        const malformedValue = "Kraftr%E4ume";
+        jest.spyOn(document, "cookie", "get").mockReturnValue(
+            `${encodeURIComponent(msalCacheKey)}=${malformedValue}`
+        );
+        expect(() => cookieStorage.getItem(msalCacheKey)).not.toThrow();
+        expect(cookieStorage.getItem(msalCacheKey)).toBe(malformedValue);
+    });
+
     it("removeItem", () => {
         cookieStorage.setItem(msalCacheKey, cacheVal);
         expect(cookieStorage.getItem(msalCacheKey)).toEqual(cacheVal);
@@ -88,6 +116,29 @@ describe("CookieStorage tests", () => {
         ]);
     });
 
+    it("getKeys skips cookies with malformed percent-encoded key sequences", () => {
+        // Simulate cookies where one key has an invalid percent-encoded sequence
+        jest.spyOn(document, "cookie", "get").mockReturnValue(
+            `testKey1=testVal1; bad%E4Key=someVal; testKey2=testVal2`
+        );
+        expect(() => cookieStorage.getKeys()).not.toThrow();
+        const keys = cookieStorage.getKeys();
+        expect(keys).toContain("testKey1");
+        expect(keys).toContain("testKey2");
+        // bad%E4Key has a malformed percent sequence in the key and should be skipped
+        expect(keys.some((k) => k.includes("bad"))).toBe(false);
+    });
+
+    it("getKeys includes keys when cookie value has malformed percent-encoded sequence", () => {
+        jest.spyOn(document, "cookie", "get").mockReturnValue(
+            `testKey1=Kraftr%E4ume; testKey2=testVal2`
+        );
+        expect(() => cookieStorage.getKeys()).not.toThrow();
+        const keys = cookieStorage.getKeys();
+        expect(keys).toContain("testKey1");
+        expect(keys).toContain("testKey2");
+    });
+
     it("containsKey", () => {
         cookieStorage.setItem("testKey1", "testVal1");
         cookieStorage.setItem("testKey2", "testVal2", 5);