From 04389fd0c6db2948f1ecc4c9bd6f73a761d00c82 Mon Sep 17 00:00:00 2001
From: EndlessSeeker <153817598+EndlessSeeker@users.noreply.github.com>
Date: Wed, 24 Jun 2026 15:03:05 +0800
Subject: [PATCH] fix: harden cluster key rate limit cookie parsing (#4012)
Signed-off-by: EndlessSeeker <1766508902@qq.com>
---
 .../cluster-key-rate-limit/util/utils.go | 4 +-
 .../cluster-key-rate-limit/util/utils_test.go | 39 +++++++++++++++++++
 2 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 plugins/wasm-go/extensions/cluster-key-rate-limit/util/utils_test.go
diff --git a/plugins/wasm-go/extensions/cluster-key-rate-limit/util/utils.go b/plugins/wasm-go/extensions/cluster-key-rate-limit/util/utils.go
index 2c6ca6313..d8cf387dc 100644
--- a/plugins/wasm-go/extensions/cluster-key-rate-limit/util/utils.go
+++ b/plugins/wasm-go/extensions/cluster-key-rate-limit/util/utils.go
@@ -50,8 +50,8 @@ func ExtractCookieValueByKey(cookie string, key string) (value string) {
 pairs := strings.Split(cookie, ";")
 for _, pair := range pairs {
 pair = strings.TrimSpace(pair)
- kv := strings.Split(pair, "=")
- if kv[0] == key {
+ kv := strings.SplitN(pair, "=", 2)
+ if len(kv) == 2 && kv[0] == key {
 value = kv[1]
 break
 }
diff --git a/plugins/wasm-go/extensions/cluster-key-rate-limit/util/utils_test.go b/plugins/wasm-go/extensions/cluster-key-rate-limit/util/utils_test.go
new file mode 100644
index 000000000..2add0bcba
--- /dev/null
+++ b/plugins/wasm-go/extensions/cluster-key-rate-limit/util/utils_test.go
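Review bot: The new guard `if len(kv) == 2 && kv[0] == key {` carries no comment explaining why the length check is there, and the reason matters: the cookie string is presumably taken from the request, and without the check a segment with no `=` would make `kv[1]` index out of range. I would add above it `// Skip segments without "=" (e.g. a bare "user"): kv has one element there and kv[1] would panic on request-supplied input.` Separately, the function still returns "" both when the key is absent and when it is present with an empty value (`user=`), so callers that build a rate-limit key from the result cannot tell the two apart; whether that matters depends on call sites outside this hunk. The body of ExtractCookieValueByKey begins and ends outside the hunk, so an existing doc comment may already cover part of this.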
@@ -0,0 +1,39 @@
+package util
+
+import "testing"
+
+func TestExtractCookieValueByKey(t *testing.T) {
+ tests := []struct {
+ name string
+ cookie string
+ key string
+ want string
+ }{
+ {
+ name: "extracts matching cookie value",
+ cookie: "user=alice; other=value",
+ key: "user",
+ want: "alice",
+ },
+ {
+ name: "skips segment without equals sign",
+ cookie: "user; other=value",
+ key: "user",
+ want: "",
+ },
+ {
+ name: "keeps equals signs in cookie value",
+ cookie: "user=alice=admin; other=value",
+ key: "user",
+ want: "alice=admin",
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ if got := ExtractCookieValueByKey(tt.cookie, tt.key); got != tt.want {
+ t.Fatalf("ExtractCookieValueByKey() = %q, want %q", got, tt.want)
+ }
+ })
+ }
+}
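Review bot: The table does not pin exact-name matching or the empty-input paths: there is no case where another cookie's name merely starts with the key, none for an empty value (`user=`), and none for an empty cookie string. These are the inputs a parser fed from a request header is most likely to see malformed, and a later refactor (for example to a prefix check) would pass the three existing cases unchanged. The entries below extend the `tests` slice; the expected values follow from the SplitN logic in utils.go as shown in this patch. A duplicate-name case (`user=alice; user=bob`) would also be worth adding to record that the first occurrence wins.

```go
		// … unchanged: the three existing cases …
		{
			name:   "does not match on key prefix",
			cookie: "username=bob; user=alice",
			key:    "user",
			want:   "alice",
		},
		{
			name:   "returns empty string for empty value",
			cookie: "user=; other=value",
			key:    "user",
			want:   "",
		},
		{
			name:   "returns empty string for empty cookie header",
			cookie: "",
			key:    "user",
			want:   "",
		},
```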