safe_cookies 0.1.5 → 0.2.2

checksums.yaml

@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    MjI5NWM4ZWE1M2UzNWFjNjFkNzc2M2EzN2U4NzJhZTgzNjQ0NmQ1NQ==
-  data.tar.gz: !binary |-
-    OGNlMjkzMmI2MTFhZTFlNzA3MDZmMmYxOWQ3YmQ1ZGE4Njg0OWZlOA==
+SHA256:
+  metadata.gz: 7175011cd4a253c98779e5fdb5d221ea99dbbe5708e3a9dce37547ac89d29361
+  data.tar.gz: 08e2daf10fdd7ec2a115162969eaffd241edca9f82671a146bfafd381bd9f7a3
 SHA512:
-  metadata.gz: !binary |-
-    MjU5MGUyMzQyNTI2MzE5OTkzYjBkOTI4NjQ1ZjQxOTk4NGQzOTkxMDEyNDk3
-    YmQ3YjJjZDBhYTU3ZjBhNzgzMGYwNzdmNzcyZTFmYWY1NzQ0N2RhZDUyYzA1
-    NjJlZDc4NjdiMWU2M2NhOWY5YzBmNWFkNWNmY2Y1OTgxNjI1YjQ=
-  data.tar.gz: !binary |-
-    Yjg4YTA3OGYyY2RhYmJkZTAyYmNiNjE2ZGRjNTc4MTA0NDJjMTc1ZjA3Mjcy
-    MjFhYjlhOGY1ZjQyYTE3OTEzODE3ZmU3YmE5YzIxOTNhOWE4NTg5M2M3ZTk4
-    ZWMzMzVmODk4MWE3MDdjN2RkZjI1N2UwN2EyOTVlNmM0MmMwMjk=
+  metadata.gz: 8f9932ab978f4cdeabc001314496ffed4214f9a966b45847e246c2c78730b1388ee1169a4def1864edb78481fbb30cefbffe29fd366f1a3abe207d107175c681
+  data.tar.gz: d42dbf95c6d38e99c1e0f356f31925ef6da59ba465a768ad5d25f573a02bb75e671330dbe6dfc4a52bf039879eab7ee53fe371d50d7e540ddaa5f87cd93aa8f6

data/.gitignore

@@ -15,3 +15,4 @@ spec/reports
 test/tmp
 test/version_tmp
 tmp
+.idea

data/README.md

@@ -1,89 +1,127 @@
+# This gem is no longer maintained!
+
+Read about [reasons and alternatives](https://makandracards.com/makandra/53693-rails-making-all-cookies-secure-to-pass-a-security-audit).
+
+
+--------------------
+
 # SafeCookies
 
-This Gem brings a middleware that will make all cookies secure. In detail, it will:
+This gem has a middleware that will make all cookies secure, by setting the
+`HttpOnly` and the `secure` flag for all cookies the application sets on the
+client.
+
+Making a cookie `HttpOnly` prevents Javascripts from seeing it, which really
+should be the default. It makes it way harder to steal cookie information via
+malicious Javascript.
+
+Making a cookie `secure` tells the browser to only send the cookie over HTTPS
+connections, protecting it from being sniffed by a man-in-the-middle. (Setting a
+[HSTS](http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) header
+achieves the same, but Safari < 7 and IE < 11 don't speak HSTS.)
+
+SafeCookies will *additionally* rewrite all cookies the user is sending. **But**
+it can only do so, if the cookie was registered before (see below). It will rewrite
+user cookies only once per user.
 
-* set all new application cookies 'HttpOnly', unless specified otherwise
-* set all new application cookies 'secure', if the request came via HTTPS and not specified otherwise
-* rewrite request cookies, setting both flags as above
 
 ## Installation
 
-Add this line to your application's Gemfile:
+1. Add `gem 'safe_cookies'` to your application's Gemfile, then run `bundle install`.
 
-    gem 'safe_cookies'
+2. Add a configuration block in an initializer (e.g. `config/initializers/safe_cookies.rb`):
 
-Then run:
+        SafeCookies.configure do |config|
+          # configuration ...
+        end
 
-    $ bundle
+3. Register the middleware:
 
-Or install it yourself as:
+    Rails 3+: add the following lines to the application block in `config/application.rb`:
 
-    $ gem install safe_cookies
+        require 'safe_cookies'
+        config.middleware.insert_before ActionDispatch::Cookies, SafeCookies::Middleware
 
+    Rails 2: add the following lines to the initializer block in `config/environment.rb`:
 
-## Usage
+        require 'safe_cookies'
+        config.middleware.insert_before ActionController::Session::CookieStore, SafeCookies::Middleware
 
-### Step 1
-**Rails 3**: add the following line in config/application.rb:
+Now all new cookies will be made `secure` and `HttpOnly`. But what about cookies
+already out there?
 
-    class Application < Rails::Application
-      # ...
-      config.middleware.insert_before ActionDispatch::Cookies, SafeCookies::Middleware
-    end
 
-**Rails 2:** add the following lines in config/environment.rb:
+## Updating existing cookies
+
+Unfortunately, [the client won't ever tell us](http://tools.ietf.org/html/rfc6265#section-4.2.2)
+if it stores a cookie with flags such as `secure` or which expiry date it is
+stored with. Therefore, in order to make the middleware retroactively secure
+cookies owned by the client, you need to register each of those cookies with
+the middleware, specifying their properties.
 
-    Rails::Initializer.run do |config|
-      # ...
-      require 'safe_cookies'
-      config.middleware.insert_before ActionController::Session::CookieStore, SafeCookies::Middleware
+Carefully scan your app for cookies you are using. There's no easy way to find
+out if you missed one (but see below for some help the gem provides).
+
+    SafeCookies.configure do |config|
+      config.register_cookie 'remember_token', :expire_after => 1.year
+      config.register_cookie 'last_action', :expire_after => 30.days, :path => '/commerce'
     end
 
-### Step 2
-Register cookies, either just after the lines you added in step 1 or in in an initializer
-(e.g. config/initializers/safe_cookies.rb):
+Available options are: `:expire_after` (required)`, :path, :secure, :http_only`.
+For cookies with "session" expiry, set `:expire_after => nil`.
+
+
+## Having a cookie non-secure or non-HttpOnly
+
+Tell SafeCookies which cookies not to make `secure` or `HttpOnly` by registering
+them, just like above:
 
     SafeCookies.configure do |config|
-      config.register_cookie :remember_token, :expire_after => 1.year
-      config.register_cookie :last_action, :expire_after => 30.days
-      config.register_cookie :default_language, :expire_after => 10.years, :secure => false
-      config.register_cookie :javascript_data, :expire_after => 1.day, :http_only => false
+      config.register_cookie 'default_language', :expire_after => 10.years, :secure => false
+      config.register_cookie 'javascript_data', :expire_after => 1.day, :http_only => false
     end
 
-This will have the `default_language` cookie not made secure, the `javascript_data` cookie
-not made http-only. It will rewrite the `remember_token` with an expiry of one year and the
-`last_action` cookie with an expiry of 30 days, making both of them secure and http-only.
-Available options are: `:expire_after (required), :path, :secure, :http_only`.
 
-### Step 3
-Override `SafeCookies::Middleware#handle_unknown_cookies(cookies)` (see "Dealing with unregistered cookies" below).
+## Finding unregistered user cookies
+
+There are lots of cookies your application receives that you never did set.
+However, if you want to know about any unknown cookies touching your
+application, SafeCookies gives you two tools.
+
+1) If you set `config.log_unknown_cookies = true` in the configuration block, all
+unknown cookies will be written to the Rails log. When you start implementing
+the middleware, closely watch it to find cookies you forgot to register.
+
+2) You may overwrite `SafeCookies::Middleware#handle_unknown_cookies(cookies)`
+in the configuration block for customized behaviour (like, notifying you per
+email).
+
+To ignore cookies that are irrelevant to you, you may configure them to be
+ignored. Use the `config.ignore_cookie` directive, which takes either a String
+or a Regex parameter. *Be careful when using regular expressions!*
 
 
-## Dealing with unregistered cookies
+## Fixing cookie paths
 
-The middleware is not able to secure cookies without knowing their properties (most important: their
-expiry). Unfortunately, the [client won't ever tell us](http://tools.ietf.org/html/rfc6265#section-4.2.2)
-if the cookie was originally sent with flags such as "secure" or which expiry date it currently has.
-Therefore, it is important to register all cookies that users may come with, specifying their properties.
-Unregistered cookies cannot be secured.
+In August 2013 we noticed a bug in SafeCookies < 0.1.4, by which secured cookies
+would be set for the current "directory" (see comments in `cookie_path_fix.rb`)
+instead of root (which usually is what you want). Users would get multiple
+cookies for that domain, leading to issues like being unable to sign in.
 
-If a request brings a cookie that is not registered, the middleware will raise
-`SafeCookies::UnknownCookieError`. Rails 3+ should handle the exception as any other in your application,
-but by default, **you will not be notified from Rails 2 applications** and the user will see a standard
-500 Server Error. Override `SafeCookies::Middleware#handle_unknown_cookies(cookies)` in the config
-initializer for customized exception handling (like, notifying you per email).
+The configuration option `config.fix_paths` turns on fixing this error. It
+expects an option `:for_cookies_secured_before => Time.parse('some minutes after
+you will have deployed')` which reflects the point of time from which SafeCookies
+can expect cookies to be set with the correct path. It will only rewrite cookies
+with a new path if it had set them before that point of time.
 
-You should not ignore an unregistered cookie, but instead register it.
 
+## Development
 
-## Fix cookie paths
+- Tests live in `spec`.
+- You can run specs from the project root by saying `bundle exec rake`.
 
-In August 2013 we noticed a bug in SafeCookies < 0.1.4, by which secured cookies would be set for the
-current "directory" (see comments in `cookie_path_fix.rb`) instead of root (which usually is what you want).
-Users would get multiple cookies for that domain, leading to issues like being unable to sign in.
+If you would like to contribute:
 
-The configuration option `config.fix_paths` turns on fixing this error. It requires an option
-`:for_cookies_secured_before => Time.parse('some minutes after you will have deployed')` which reflects the
-point of time from which cookies will be secured with the correct path. The middleware will fix the cookie
-paths by rewriting all cookies that it has already secured, but only if the were secured before the time
-you specified.
+- Fork the repository.
+- Push your changes **with passing specs**.
+- Send us a pull request.

data/lib/safe_cookies.rb

@@ -5,12 +5,11 @@ require "safe_cookies/helpers"
 require "safe_cookies/util"
 require "safe_cookies/version"
 require "rack"
+require "time" # add Time#rfc2822
 
 # Naming:
 # - application_cookies: cookies received from the application. The 'Set-Cookie' header is a string
 # - request_cookies: cookies received from the client. Rack::Request#cookies returns a Hash of { 'name' => 'value' }
-# - response_cookies: cookies to be sent to the client
-#   (= application_cookies + any cookies set in the middleware)
 
 module SafeCookies
 
@@ -19,6 +18,7 @@ module SafeCookies
   STORE_COOKIE_NAME = '_safe_cookies__known_cookies'
   SECURED_COOKIE_NAME = 'secured_old_cookies'
   HELPER_COOKIES_LIFETIME = 10 * 365 * 24 * 60 * 60 # 10 years
+  
 
   class Middleware
     
@@ -30,22 +30,23 @@ module SafeCookies
 
     def initialize(app)
       @app = app
-      @configuration = SafeCookies.configuration or raise "Don't know what to do without configuration"
+      @config = SafeCookies.configuration or raise "Don't know what to do without configuration"
     end
 
     def call(env)
       reset_instance_variables
       
       @request = Rack::Request.new(env)
-      ensure_no_unknown_cookies_in_request!
+      check_if_request_has_unknown_cookies
 
+      # call the next middleware up the stack
       status, @headers, body = @app.call(env)
       cache_application_cookies_string
       
-      remove_application_cookies_from_request_cookies
-      rewrite_application_cookies
+      enhance_application_cookies!
       store_application_cookie_names
-      fix_cookie_paths if fix_cookie_paths?
+      
+      delete_cookies_on_bad_path if fix_cookie_paths?
       rewrite_request_cookies unless cookies_have_been_rewritten_before?
 
       [ status, @headers, body ]
@@ -53,31 +54,27 @@ module SafeCookies
 
     private
     
+    # Instance variables survive requests because the middleware is a singleton.
     def reset_instance_variables
-      @request, @headers, @application_cookies = nil
+      @request, @headers, @application_cookies_string = nil
     end
 
-    def ensure_no_unknown_cookies_in_request!
+    def check_if_request_has_unknown_cookies
       request_cookie_names = request_cookies.keys.map(&:to_s)
       unknown_cookie_names = request_cookie_names - known_cookie_names
       
       if unknown_cookie_names.any?
-        handle_unknown_cookies(unknown_cookie_names)
-      end
-    end
+        message = "Request for '#{@request.url}' had unknown cookies: #{unknown_cookie_names.join(', ')}"
+        log(message) if @config.log_unknown_cookies
 
-    def remove_application_cookies_from_request_cookies
-      if @application_cookies
-        application_cookie_names = @application_cookies.scan(COOKIE_NAME_REGEX)
-        application_cookie_names.each do |cookie|
-          request_cookies.delete(cookie)
-        end
+        handle_unknown_cookies(unknown_cookie_names)
       end
     end
-
-    def rewrite_application_cookies
-      if @application_cookies
-        cookies = @application_cookies.split("\n")
+    
+    # Overwrites @header['Set-Cookie']!
+    def enhance_application_cookies!
+      if @application_cookies_string
+        cookies = @application_cookies_string.split("\n")
       
         # On Rack 1.1, cookie values sometimes contain trailing newlines.
         # Example => ["foo=1; path=/\n", "bar=2; path=/"]
@@ -96,36 +93,51 @@ module SafeCookies
         @headers['Set-Cookie'] = cookies.join("\n")
       end
     end
-
+    
+    # Store the names of cookies that are set by the application.
+    # (We are already securing those and will not need to rewrite them.)
     def store_application_cookie_names
-      if @application_cookies
-        application_cookie_names = stored_application_cookie_names + @application_cookies.scan(COOKIE_NAME_REGEX)
+      if @application_cookies_string
+        application_cookie_names = stored_application_cookie_names + @application_cookies_string.scan(COOKIE_NAME_REGEX)
         application_cookies_string = application_cookie_names.uniq.join(KNOWN_COOKIES_DIVIDER)
 
         set_cookie!(STORE_COOKIE_NAME, application_cookies_string, :expire_after => HELPER_COOKIES_LIFETIME)
       end
     end
     
-    # This method takes all cookies sent with the request and rewrites them,
+    # This method takes the cookies sent with the request and rewrites them,
     # making them both secure and http-only (unless specified otherwise in
     # the configuration).
     # With the SECURED_COOKIE_NAME cookie we remember the exact time that we
     # rewrote the cookies.
     def rewrite_request_cookies
-      if request_cookies.any?
-        registered_cookies_in_request.each do |cookie_name, options|
-          value = request_cookies[cookie_name]
-
+      rewritable_cookies = rewritable_request_cookies
+      
+      # don't rewrite request cookies that the application is setting in the response
+      if @application_cookies_string
+        app_cookie_names = @application_cookies_string.scan(COOKIE_NAME_REGEX)
+        Util.except!(rewritable_cookies, *app_cookie_names)
+      end
+      
+      if rewritable_cookies.any?
+        rewritable_cookies.each do |cookie_name, value|
+          options = @config.registered_cookies[cookie_name]
           set_cookie!(cookie_name, value, options)
         end
       
-        formatted_now = Rack::Utils.rfc2822(Time.now.gmtime)
-        set_cookie!(SECURED_COOKIE_NAME, formatted_now, :expire_after => HELPER_COOKIES_LIFETIME)
+        set_cookie!(SECURED_COOKIE_NAME, Time.now.gmtime.rfc2822, :expire_after => HELPER_COOKIES_LIFETIME)
       end
     end
     
+    # API method
     def handle_unknown_cookies(cookie_names)
-      raise SafeCookies::UnknownCookieError.new("Request for '#{@request.url}' had unknown cookies: #{cookie_names.join(', ')}")
+    end
+    
+    def log(error_message)
+      message = '** [SafeCookies] '
+      message << error_message
+      
+      Rails.logger.error(message) if defined?(Rails)
     end
 
   end

data/lib/safe_cookies/configuration.rb

@@ -13,12 +13,15 @@ module SafeCookies
   end
 
   class Configuration
-    attr_reader :registered_cookies, :fix_cookie_paths, :correct_cookie_paths_timestamp
+    attr_accessor :log_unknown_cookies
+    attr_reader :registered_cookies, :fix_cookie_paths, :correct_cookie_paths_timestamp,
+      :ignored_cookies
 
     def initialize
       self.registered_cookies = {}
       self.insecure_cookies = []
       self.scriptable_cookies = []
+      self.ignored_cookies = []
     end
     
     # Register cookies you expect to receive. The middleware will rewrite all
@@ -45,6 +48,14 @@ module SafeCookies
       scriptable_cookies << name if options[:http_only] == false
     end
     
+    # Ignore cookies that you don't control like this:
+    #
+    #   ignore_cookie 'ignored_cookie'
+    #   ignore_cookie /^__utm/
+    def ignore_cookie(name_or_regex)
+      self.ignored_cookies << name_or_regex
+    end
+    
     def fix_paths(options = {})
       options.has_key?(:for_cookies_secured_before) or raise MissingOptionError.new("Was told to fix paths without the :for_cookies_secured_before timestamp.")
 
@@ -63,7 +74,8 @@ module SafeCookies
     private
     
     attr_accessor :insecure_cookies, :scriptable_cookies
-    attr_writer :registered_cookies, :fix_cookie_paths, :correct_cookie_paths_timestamp
+    attr_writer :registered_cookies, :fix_cookie_paths, :correct_cookie_paths_timestamp,
+      :ignored_cookies
 
   end
 

data/lib/safe_cookies/cookie_path_fix.rb

@@ -2,39 +2,37 @@ module SafeCookies
   module CookiePathFix
   
     # Previously, the SafeCookies gem would not set a path when rewriting
-    # cookies. Browsers then would assume and store the current "directory",
-    # leading to multiple cookies per domain.
+    # cookies. Browsers then would assume and store the current "directory"
+    # (see below), leading to multiple cookies per domain.
+    #
+    # If the cookies were secured before the configured datetime, this method
+    # instructs the client to delete all cookies it sent with the request and
+    # that we are able to rewrite, plus the SECURED_COOKIE_NAME helper cookie.
     #
-    # If cookies had been secured before the configured datetime, the method
-    # `fix_cookie_paths` deletes all cookies coming with the request, and the
-    # SECURED_COOKIE_NAME helper cookie.
     # The middleware still sees the request cookies and will rewrite them as
-    # if it hadn't seen them before.
-  
-    def fix_cookie_paths
-      registered_cookies_in_request.keys.each do |registered_cookie|
-        delete_cookie_for_current_directory(registered_cookie)
-      end
+    # if it hadn't seen them before, setting them on the correct path (root,
+    # by default).
+    def delete_cookies_on_bad_path
+      rewritable_request_cookies.keys.each &method(:delete_cookie_for_current_directory)
       delete_cookie_for_current_directory(SafeCookies::SECURED_COOKIE_NAME)
     
-      # Delete this cookie here, so the middleware will secure all cookies anew.
-      request_cookies.delete(SafeCookies::SECURED_COOKIE_NAME)
+      # Delete this cookie here, so the middleware believes it hasn't secured
+      # the cookies yet.
+      @request.cookies.delete(SafeCookies::SECURED_COOKIE_NAME)
     end
       
     private
   
     def fix_cookie_paths?
-      @configuration.fix_cookie_paths or return false
-    
-      cookies_need_path_fix = (secured_old_cookies_timestamp < @configuration.correct_cookie_paths_timestamp)
-
-      cookies_have_been_rewritten_before? and cookies_need_path_fix
+      @config.fix_cookie_paths &&
+      cookies_have_been_rewritten_before? &&
+      (secured_old_cookies_timestamp < @config.correct_cookie_paths_timestamp)
     end
 
     # Delete cookies by giving them an expiry in the past,
     # cf. https://tools.ietf.org/html/rfc6265#section-4.1.2.
     #
-    # Most important, as specified in
+    # Most importantly, as specified in
     # https://tools.ietf.org/html/rfc6265#section-4.1.2.4 and in section 5.1.4,
     # cookies set without a path will be set for the current "directory", that is:
     #
@@ -51,16 +49,23 @@ module SafeCookies
     end
   
     def current_directory_is_root?
-      !@request.path[%r(^/[^/]+/[^\?]+), 0] # roughly: "there are not three slashes"
+      # in words: "there are not three slashes before any query params"
+      !@request.path[%r(^/[^/]+/[^\?]+), 0]
     end
   
     def secured_old_cookies_timestamp
-      Time.rfc2822(request_cookies[SafeCookies::SECURED_COOKIE_NAME])
+      @request.cookies.has_key?(SafeCookies::SECURED_COOKIE_NAME) or return nil
+
+      Time.rfc2822(@request.cookies[SafeCookies::SECURED_COOKIE_NAME])
     rescue ArgumentError
       # If we cannot parse the secured_old_cookies time,
       # assume it was before we noticed the bug to ensure
       # broken cookie paths will be fixed.
-      Time.parse "2013-08-25 0:00"
+      #
+      # One reason to get here is that Rack::Utils.rfc2822 produces an invalid
+      # datetime string in Rack v1.1, writing the date with dashes
+      # (e.g. '04-Nov-2013').
+      Time.parse "2013-08-25 00:00"
     end
 
   end

data/lib/safe_cookies/helpers.rb

@@ -3,14 +3,18 @@ module SafeCookies
   
     KNOWN_COOKIES_DIVIDER = '|'
   
+    # Since we have to operate on and modify the actual @headers hash that the
+    # application returns, cache the @headers['Set-Cookie'] string so that
+    # later on, we still know what the application did set.
     def cache_application_cookies_string
       cookies = @headers['Set-Cookie']
       # Rack 1.1 returns an Array
       cookies = cookies.join("\n") if cookies.is_a?(Array)
     
       if cookies and cookies.length > 0
-        @application_cookies = cookies
+        @application_cookies_string = cookies
       end
+      # else, @application_cookies_string will be `nil`
     end
   
     def secure(cookie)
@@ -40,42 +44,43 @@ module SafeCookies
       options[:secure] = should_be_secure?(name)
       options[:httponly] = should_be_http_only?(name)
 
+      # Rack magic
       Rack::Utils.set_cookie_header!(@headers, name, options)
     end
   
   
     # getters
+    
+    # returns the request cookies minus ignored cookies
+    def request_cookies
+      Util.except!(@request.cookies.dup, *@config.ignored_cookies)
+    end
 
     def stored_application_cookie_names
-      store_cookie = request_cookies[STORE_COOKIE_NAME] || ""
+      store_cookie = @request.cookies[STORE_COOKIE_NAME] || ""
       store_cookie.split(KNOWN_COOKIES_DIVIDER)
     end
 
-    # returns those of the registered cookies that appear in the request
-    def registered_cookies_in_request
-      Util.slice(@configuration.registered_cookies, *request_cookies.keys)
+    def rewritable_request_cookies
+      Util.slice(request_cookies, *@config.registered_cookies.keys)
     end
 
     def known_cookie_names
       known = [STORE_COOKIE_NAME, SECURED_COOKIE_NAME]
       known += stored_application_cookie_names
-      known += @configuration.registered_cookies.keys
-    end
-
-    def request_cookies
-      @request.cookies
+      known += @config.registered_cookies.keys
     end
 
 
     # boolean
 
     def cookies_have_been_rewritten_before?
-      request_cookies.has_key? SECURED_COOKIE_NAME
+      @request.cookies.has_key? SECURED_COOKIE_NAME
     end
 
     def should_be_secure?(cookie)
       cookie_name = cookie.split('=').first.strip
-      ssl? and not @configuration.insecure_cookie?(cookie_name)
+      ssl? and not @config.insecure_cookie?(cookie_name)
     end
 
     def ssl?
@@ -89,7 +94,7 @@ module SafeCookies
 
     def should_be_http_only?(cookie)
       cookie_name = cookie.split('=').first.strip
-      not @configuration.scriptable_cookie?(cookie_name)
+      not @config.scriptable_cookie?(cookie_name)
     end  
 
   end

data/lib/safe_cookies/util.rb

@@ -1,17 +1,22 @@
-module SafeCookies
-  class Util
-    class << self
-      
-      def slice(hash, *allowed_keys)
-        sliced_hash = hash.select { |key, value|
-          allowed_keys.include? key
-        }
+class SafeCookies::Util
+  class << self
+    
+    def slice(hash, *allowed_keys)
+      sliced_hash = hash.select { |key, _value|
+        allowed_keys.include? key
+      }
 
-        # Normalize the result of Hash#select
-        # (Ruby 1.8 returns an Array, Ruby 1.9 returns a Hash)
-        Hash[sliced_hash]
+      # Normalize the result of Hash#select
+      # (Ruby 1.8 returns an Array, Ruby 1.9 returns a Hash)
+      Hash[sliced_hash]
+    end
+    
+    # rejected_keys may be of type String or Regex
+    def except!(hash, *rejected_keys)
+      hash.delete_if do |key, _value|
+        rejected_keys.any? { |rejected| rejected === key }
       end
-      
     end
+    
   end
-end
+end

data/lib/safe_cookies/version.rb

@@ -1,3 +1,3 @@
 module SafeCookies
-  VERSION = '0.1.5'
+  VERSION = '0.2.2'
 end

data/safe_cookies.gemspec

@@ -7,6 +7,7 @@ Gem::Specification.new do |gem|
   gem.description   = %q{Make all cookies `secure` and `HttpOnly`.}
   gem.summary       = %q{Make all cookies `secure` and `HttpOnly`.}
   gem.homepage      = "http://www.makandra.de"
+  gem.license       = "MIT"
 
   gem.files         = `git ls-files`.split($\)
   gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }

data/spec/cookie_path_fix_spec.rb

@@ -3,7 +3,7 @@ require 'cgi'
 
 describe SafeCookies::Middleware do
   
-  describe 'cookie path fix' do
+  describe 'cookie path fix,' do
     
     subject { described_class.new(app) }
     let(:app) { stub 'application' }
@@ -15,12 +15,11 @@ describe SafeCookies::Middleware do
     end
     
     def set_default_request_cookies(secured_at = Time.parse('2040-01-01 00:00'))
-      secured_old_cookies_time = Rack::Utils.rfc2822(secured_at.gmtime)
-      set_request_cookies(env, 'cookie_to_update=some_data', "secured_old_cookies=#{CGI::escape(secured_old_cookies_time)}")
+      set_request_cookies(env, 'cookie_to_update=some_data', "secured_old_cookies=#{CGI::escape(secured_at.gmtime.rfc2822)}")
     end
 
 
-    context 'rewriting previously secured cookies' do
+    context 'rewriting previously secured cookies,' do
       
       before do
         SafeCookies.configure do |config|
@@ -109,11 +108,21 @@ describe SafeCookies::Middleware do
         headers['Set-Cookie'].should =~ %r(secured_old_cookies=\w+.*path=/;)
       end
       
-      it 'rewrites cookies even if it cannot parse the secured_old_cookies timestamp' do
-        set_request_cookies(env, 'cookie_to_update=some_data', 'secured_old_cookies=rubbish')
-  
-        code, headers, response = subject.call(env)
-        headers['Set-Cookie'].should =~ /cookie_to_update=some_data;.*path=\/;/
+      context 'unparseable secured_old_cookies timestamp,' do
+        
+        before do
+          set_request_cookies(env, 'cookie_to_update=some_data', 'secured_old_cookies=rubbish')
+          code, @headers, response = subject.call(env)
+        end
+        
+        it 'rewrites cookies anyway' do
+          @headers['Set-Cookie'].should include('cookie_to_update=some_data;')
+        end
+        
+        it 'sets a new, parseable secured_old_cookies timestamp' do
+          @headers['Set-Cookie'].should include("secured_old_cookies=#{CGI::escape @now.gmtime.rfc2822}")
+        end
+
       end
 
     end

data/spec/safe_cookies_spec.rb

@@ -7,7 +7,7 @@ describe SafeCookies::Middleware do
   let(:app) { stub 'application' }
   let(:env) { { 'HTTPS' => 'on' } }
   
-  it 'should rewrite registered request cookies as secure and http-only, but only once' do
+  it 'rewrites registered request cookies as secure and http-only, but only once' do
     SafeCookies.configure do |config|
       config.register_cookie('foo', :expire_after => 3600)
     end
@@ -35,7 +35,7 @@ describe SafeCookies::Middleware do
     headers['Set-Cookie'].to_s.should == ''
   end
 
-  it 'should not make cookies secure if the request was not secure' do
+  it 'doesn’t make cookies secure if the request was not secure' do
     stub_app_call(app, :application_cookies => 'filter-settings=sort_by_date')
     env['HTTPS'] = 'off'
     
@@ -43,7 +43,7 @@ describe SafeCookies::Middleware do
     headers['Set-Cookie'].should include("filter-settings=sort_by_date")
     headers['Set-Cookie'].should_not match(/\bsecure\b/i)
   end
-
+  
   it 'expires the secured_old_cookies helper cookie in ten years' do
     Timecop.freeze(Time.parse('2013-09-17 17:53'))
 
@@ -59,43 +59,47 @@ describe SafeCookies::Middleware do
     headers['Set-Cookie'].should =~ /secured_old_cookies.*expires=Fri, 15 Sep 2023 \d\d:\d\d:\d\d/
   end
   
-  it 'sets cookies on the root path' do
-    SafeCookies.configure do |config|
-      config.register_cookie('my_old_cookie', :expire_after => 3600)
-    end
+  context 'cookie attributes' do
+
+    it 'sets cookies on the root path' do
+      SafeCookies.configure do |config|
+        config.register_cookie('my_old_cookie', :expire_after => 3600)
+      end
     
-    set_request_cookies(env, 'my_old_cookie=foobar')
-    stub_app_call(app)
+      set_request_cookies(env, 'my_old_cookie=foobar')
+      stub_app_call(app)
 
-    code, headers, response = subject.call(env)
+      code, headers, response = subject.call(env)
 
-    cookies = headers['Set-Cookie'].split("\n")
-    cookies.each do |cookie|
-      cookie.should include('; path=/;')
+      cookies = headers['Set-Cookie'].split("\n")
+      cookies.each do |cookie|
+        cookie.should include('; path=/;')
+      end
     end
-  end
   
-  it 'should not alter cookie options coming from the application' do
-    stub_app_call(app, :application_cookies => 'cookie=data; path=/; expires=next_week')
+    it 'should not alter cookie attributes coming from the application' do
+      stub_app_call(app, :application_cookies => 'cookie=data; path=/; expires=next_week')
   
-    code, headers, response = subject.call(env)
-    headers['Set-Cookie'].should =~ %r(cookie=data; path=/; expires=next_week; secure; HttpOnly)
-  end
+      code, headers, response = subject.call(env)
+      headers['Set-Cookie'].should =~ %r(cookie=data; path=/; expires=next_week; secure; HttpOnly)
+    end
   
-  it 'should respect cookie options set in the configuration' do
-    Timecop.freeze
+    it 'should respect cookie attributes set in the configuration' do
+      Timecop.freeze
     
-    SafeCookies.configure do |config|
-      config.register_cookie('foo', :expire_after => 3600, :path => '/special/path')
-    end
+      SafeCookies.configure do |config|
+        config.register_cookie('foo', :expire_after => 3600, :path => '/special/path')
+      end
 
-    stub_app_call(app)
-    set_request_cookies(env, 'foo=bar')
-    env['PATH_INFO'] = '/special/path/subfolder'
+      stub_app_call(app)
+      set_request_cookies(env, 'foo=bar')
+      env['PATH_INFO'] = '/special/path/subfolder'
   
-    code, headers, response = subject.call(env)
-    expected_expiry = Rack::Utils.rfc2822((Time.now + 3600).gmtime) # a special date format needed here
-    headers['Set-Cookie'].should =~ %r(foo=bar; path=/special/path; expires=#{expected_expiry}; secure; HttpOnly)
+      code, headers, response = subject.call(env)
+      expected_expiry = (Time.now + 3600).gmtime.rfc2822 # a special date format needed here
+      headers['Set-Cookie'].should =~ %r(foo=bar; path=/special/path; expires=#{expected_expiry}; secure; HttpOnly)
+    end
+    
   end
   
   context 'cookies set by the application' do
@@ -173,49 +177,44 @@ describe SafeCookies::Middleware do
       headers['Set-Cookie'].should =~ /js-data=json;.* secure/
       headers['Set-Cookie'].should_not =~ /js-data=json;.* HttpOnly/
     end
-  
+    
   end
 
-  context 'unknown request cookies' do
+  context 'ignored cookies' do
     
-    it 'should raise an error if there is an unknown cookie' do
-      set_request_cookies(env, 'foo=bar')
-    
-      expect{ subject.call(env) }.to raise_error(SafeCookies::UnknownCookieError)
+    before do
+      stub_app_call(app)
+      set_request_cookies(env, '__utma=123', '__utmz=456')
     end
-    
-    it 'should not raise an error if the (unregistered) cookie was initially set by the application' do
-      # application sets cookie
-      stub_app_call(app, :application_cookies => 'foo=bar; path=/some/path; secure')
-      
-      code, headers, response = subject.call(env)
 
-      received_cookies = extract_cookies(headers['Set-Cookie'])
-      received_cookies.should include('foo=bar') # sanity check
-      
-      # client returns with the cookie, `app` and `subject` are different
-      # objects than in the previous request
-      other_app = stub('application')
-      other_subject = described_class.new(other_app)
-      
-      stub_app_call(other_app)
-      set_request_cookies(env, *received_cookies)
+    it 'does not rewrite ignored cookies given as string' do
+      SafeCookies.configure do |config|
+        config.ignore_cookie '__utma'
+        config.ignore_cookie '__utmz'
+      end
 
-      other_subject.call(env)
+      code, headers, response = subject.call(env)
+      headers['Set-Cookie'].should_not =~ /__utm/
     end
-    
-    it 'should not raise an error if the cookie is listed in the cookie configuration' do
+
+    it 'does not rewrite ignored cookies given as regex' do
       SafeCookies.configure do |config|
-        config.register_cookie('foo', :expire_after => 3600)
+        config.ignore_cookie /^__utm/
       end
-    
-      stub_app_call(app)
-      set_request_cookies(env, 'foo=bar')
       
-      subject.call(env)
+      code, headers, response = subject.call(env)
+      headers['Set-Cookie'].should_not =~ /__utm/
     end
+    
+  end
   
-    it 'allows overwriting the error mechanism' do
+  
+  # The unknown cookies mechanism was more important when we were sending
+  # notifications on encountering unknown cookies. Perhaps, it will regain
+  # importance in the future.
+  context 'when a request has unknown cookies,' do
+    
+    it 'allows overwriting the handling mechanism' do
       stub_app_call(app)
       set_request_cookies(env, 'foo=bar')
       
@@ -227,6 +226,69 @@ describe SafeCookies::Middleware do
       subject.instance_variable_get('@custom_method_called').should == true
     end
     
+    context 'and it is configured to log unknown cookies' do
+    
+      before do
+        SafeCookies.configure do |config|
+          config.log_unknown_cookies = true
+        end
+      end
+    
+      it 'logs an error message' do
+        stub_app_call(app)
+        set_request_cookies(env, 'foo=bar')
+      
+        subject.should_receive(:log).with(/unknown cookies: foo/)
+        subject.call(env)
+      end
+    
+      it 'does not log an error if the (unregistered) cookie was initially set by the application' do
+        # application sets cookie
+        stub_app_call(app, :application_cookies => 'foo=bar; path=/some/path; secure')
+      
+        code, headers, response = subject.call(env)
+
+        received_cookies = extract_cookies(headers['Set-Cookie'])
+        received_cookies.should include('foo=bar') # sanity check
+      
+        # client returns with the cookie, `app` and `subject` are different
+        # objects than in the previous request
+        other_app = stub('application')
+        other_subject = described_class.new(other_app)
+      
+        stub_app_call(other_app)
+        set_request_cookies(env, *received_cookies)
+
+        other_subject.should_not_receive(:log)
+        other_subject.call(env)
+      end
+    
+      it 'does not log an error if the cookie is listed in the cookie configuration' do
+        SafeCookies.configure do |config|
+          config.register_cookie('foo', :expire_after => 3600)
+        end
+    
+        stub_app_call(app)
+        set_request_cookies(env, 'foo=bar')
+      
+        subject.should_not_receive(:log)
+        subject.call(env)
+      end
+    
+      it 'does not log an error if the cookie is ignored' do
+        SafeCookies.configure do |config|
+          config.ignore_cookie '__utma'
+        end
+
+        stub_app_call(app)
+        set_request_cookies(env, '__utma=tracking')
+      
+        subject.should_not_receive(:log)
+        subject.call(env)
+      end
+    
+    end
+    
   end
 
 end

data/spec/util_spec.rb

@@ -0,0 +1,27 @@
+require 'spec_helper'
+
+describe SafeCookies::Util do
+  
+  describe '.except!' do
+    
+    before do
+      @hash = { 'a' => 1, 'ab' => 2, 'b' => 3 }
+    end
+
+    it 'deletes the given keys from the original hash' do
+      SafeCookies::Util.except!(@hash, 'a')
+      @hash.should == { 'ab' => 2, 'b' => 3 }
+    end
+    
+    it 'deletes all keys that match the regex' do
+      SafeCookies::Util.except!(@hash, /b/)
+      @hash.should == { 'a' => 1 }
+    end
+    
+    it 'returns the original hash' do
+      SafeCookies::Util.except!(@hash, /(?!)/).should == @hash
+    end
+    
+  end
+
+end

metadata

@@ -1,69 +1,69 @@
 --- !ruby/object:Gem::Specification
 name: safe_cookies
 version: !ruby/object:Gem::Version
-  version: 0.1.5
+  version: 0.2.2
 platform: ruby
 authors:
 - Dominik Schöler
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-10-18 00:00:00.000000000 Z
+date: 2021-04-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: timecop
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: debugger
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 description: Make all cookies `secure` and `HttpOnly`.
@@ -73,7 +73,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
+- ".gitignore"
 - Gemfile
 - LICENSE
 - README.md
@@ -89,8 +89,10 @@ files:
 - spec/cookie_path_fix_spec.rb
 - spec/safe_cookies_spec.rb
 - spec/spec_helper.rb
+- spec/util_spec.rb
 homepage: http://www.makandra.de
-licenses: []
+licenses:
+- MIT
 metadata: {}
 post_install_message: 
 rdoc_options: []
@@ -98,17 +100,16 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.1.2
+rubygems_version: 3.2.15
 signing_key: 
 specification_version: 4
 summary: Make all cookies `secure` and `HttpOnly`.
@@ -117,3 +118,4 @@ test_files:
 - spec/cookie_path_fix_spec.rb
 - spec/safe_cookies_spec.rb
 - spec/spec_helper.rb
+- spec/util_spec.rb