safe_cookies 0.1.4 → 0.1.5

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    MTlmZjRlYWYyZDJmZjZmOTZhNDcyNGFhZDMyODE0Nzk3YTRmN2I3ZA==
+    MjI5NWM4ZWE1M2UzNWFjNjFkNzc2M2EzN2U4NzJhZTgzNjQ0NmQ1NQ==
   data.tar.gz: !binary |-
-    MGY4OGY1Mjk1OGNiNDViZDA3Yjk2NTdkM2UzMGI0ZWUyMTZkYzQ4MA==
+    OGNlMjkzMmI2MTFhZTFlNzA3MDZmMmYxOWQ3YmQ1ZGE4Njg0OWZlOA==
 SHA512:
   metadata.gz: !binary |-
-    M2FmYjk3YjYxYTA1MWQ0MmIzYzMzMDcwNzE5NGMzYTc2MGM0ZmZiNTBjMmI5
-    MzU5MzEwNjE0OTY4M2Q2ZWEzYjQxZGRiYmVlMTE2YmY5YjZjYTYwM2EyMTcz
-    ZDBhNTRiMTE4N2ExYWIzNjhhMDIyOWQzMmZhOWRjYjkyNjQ5MjQ=
+    MjU5MGUyMzQyNTI2MzE5OTkzYjBkOTI4NjQ1ZjQxOTk4NGQzOTkxMDEyNDk3
+    YmQ3YjJjZDBhYTU3ZjBhNzgzMGYwNzdmNzcyZTFmYWY1NzQ0N2RhZDUyYzA1
+    NjJlZDc4NjdiMWU2M2NhOWY5YzBmNWFkNWNmY2Y1OTgxNjI1YjQ=
   data.tar.gz: !binary |-
-    MGVkY2ZhM2UzNmYyMDhlYjBiZGE4Y2Q3MjM3MzU3MTFmZTJmMzg2YTJkYTY4
-    MjBkYWZjYzk1MjRkYzljYWMwNGRkYWE4OTIzMjRhYjc3ZWYxZDY4MjJmZmVm
-    NWQyYTk4ZTZhNjA1YWY0YjFiMmI3NWMxZjI2MTEyYmI3YzM3MjI=
+    Yjg4YTA3OGYyY2RhYmJkZTAyYmNiNjE2ZGRjNTc4MTA0NDJjMTc1ZjA3Mjcy
+    MjFhYjlhOGY1ZjQyYTE3OTEzODE3ZmU3YmE5YzIxOTNhOWE4NTg5M2M3ZTk4
+    ZWMzMzVmODk4MWE3MDdjN2RkZjI1N2UwN2EyOTVlNmM0MmMwMjk=

data/lib/safe_cookies/configuration.rb

@@ -36,10 +36,11 @@ module SafeCookies
     #   :path => '/foo/path'
     #
     def register_cookie(name, options)
+      name.is_a?(String) or raise "Cookie name must be a String"
       options.has_key?(:expire_after) or raise MissingOptionError.new("Cookie #{name.inspect} was registered without an expiry")
       raise NotImplementedError if options.has_key?(:domain)
       
-      registered_cookies[name.to_s] = (options || {}).freeze
+      registered_cookies[name] = (options || {}).freeze
       insecure_cookies << name if options[:secure] == false
       scriptable_cookies << name if options[:http_only] == false
     end

data/lib/safe_cookies/cookie_path_fix.rb

@@ -1,6 +1,6 @@
 module SafeCookies
   module CookiePathFix
-    
+  
     # Previously, the SafeCookies gem would not set a path when rewriting
     # cookies. Browsers then would assume and store the current "directory",
     # leading to multiple cookies per domain.
@@ -10,25 +10,25 @@ module SafeCookies
     # SECURED_COOKIE_NAME helper cookie.
     # The middleware still sees the request cookies and will rewrite them as
     # if it hadn't seen them before.
-    
+  
     def fix_cookie_paths
       registered_cookies_in_request.keys.each do |registered_cookie|
         delete_cookie_for_current_directory(registered_cookie)
       end
       delete_cookie_for_current_directory(SafeCookies::SECURED_COOKIE_NAME)
-      
+    
       # Delete this cookie here, so the middleware will secure all cookies anew.
-      @request.cookies.delete(SafeCookies::SECURED_COOKIE_NAME)
+      request_cookies.delete(SafeCookies::SECURED_COOKIE_NAME)
     end
-        
+      
     private
-    
+  
     def fix_cookie_paths?
       @configuration.fix_cookie_paths or return false
-      
+    
       cookies_need_path_fix = (secured_old_cookies_timestamp < @configuration.correct_cookie_paths_timestamp)
 
-      cookies_have_been_rewritten_before and cookies_need_path_fix
+      cookies_have_been_rewritten_before? and cookies_need_path_fix
     end
 
     # Delete cookies by giving them an expiry in the past,
@@ -44,21 +44,24 @@ module SafeCookies
     # However, Firefox includes the right-most slash when guessing the cookie path,
     # so we must resort to letting browsers estimate the deletion cookie path again.
     def delete_cookie_for_current_directory(cookie_name)
-      current_directory_is_not_root = @request.path[%r(^/[^/]+/[^\?]+), 0]
-      
-      if current_directory_is_not_root
+      unless current_directory_is_root?
         one_week = (7 * 24 * 60 * 60)
         set_cookie!(cookie_name, "", :path => nil, :expire_after => -one_week)
       end
     end
-    
+  
+    def current_directory_is_root?
+      !@request.path[%r(^/[^/]+/[^\?]+), 0] # roughly: "there are not three slashes"
+    end
+  
     def secured_old_cookies_timestamp
-      Time.rfc2822(@request.cookies[SafeCookies::SECURED_COOKIE_NAME])
+      Time.rfc2822(request_cookies[SafeCookies::SECURED_COOKIE_NAME])
     rescue ArgumentError
       # If we cannot parse the secured_old_cookies time,
       # assume it was before we noticed the bug to ensure
       # broken cookie paths will be fixed.
       Time.parse "2013-08-25 0:00"
     end
+
   end
-end
+end

data/lib/safe_cookies/helpers.rb

@@ -0,0 +1,96 @@
+module SafeCookies
+  module Helpers
+  
+    KNOWN_COOKIES_DIVIDER = '|'
+  
+    def cache_application_cookies_string
+      cookies = @headers['Set-Cookie']
+      # Rack 1.1 returns an Array
+      cookies = cookies.join("\n") if cookies.is_a?(Array)
+    
+      if cookies and cookies.length > 0
+        @application_cookies = cookies
+      end
+    end
+  
+    def secure(cookie)
+      # Regexp from https://github.com/tobmatth/rack-ssl-enforcer/
+      if should_be_secure?(cookie) and cookie !~ /(^|;\s)secure($|;)/
+        "#{cookie}; secure"
+      else
+        cookie
+      end
+    end
+
+    def http_only(cookie)
+      if should_be_http_only?(cookie) and cookie !~ /(^|;\s)HttpOnly($|;)/
+        "#{cookie}; HttpOnly"
+      else
+        cookie
+      end
+    end
+
+    def set_cookie!(name, value, options)
+      options = options.dup
+      expire_after = options.delete(:expire_after)
+
+      options[:expires] = Time.now + expire_after if expire_after
+      options[:path] = '/' unless options.has_key?(:path) # allow setting path = nil
+      options[:value] = value
+      options[:secure] = should_be_secure?(name)
+      options[:httponly] = should_be_http_only?(name)
+
+      Rack::Utils.set_cookie_header!(@headers, name, options)
+    end
+  
+  
+    # getters
+
+    def stored_application_cookie_names
+      store_cookie = request_cookies[STORE_COOKIE_NAME] || ""
+      store_cookie.split(KNOWN_COOKIES_DIVIDER)
+    end
+
+    # returns those of the registered cookies that appear in the request
+    def registered_cookies_in_request
+      Util.slice(@configuration.registered_cookies, *request_cookies.keys)
+    end
+
+    def known_cookie_names
+      known = [STORE_COOKIE_NAME, SECURED_COOKIE_NAME]
+      known += stored_application_cookie_names
+      known += @configuration.registered_cookies.keys
+    end
+
+    def request_cookies
+      @request.cookies
+    end
+
+
+    # boolean
+
+    def cookies_have_been_rewritten_before?
+      request_cookies.has_key? SECURED_COOKIE_NAME
+    end
+
+    def should_be_secure?(cookie)
+      cookie_name = cookie.split('=').first.strip
+      ssl? and not @configuration.insecure_cookie?(cookie_name)
+    end
+
+    def ssl?
+      if @request.respond_to?(:ssl?)
+        @request.ssl?
+      else
+        # older Rack versions
+        @request.scheme == 'https'
+      end
+    end
+
+    def should_be_http_only?(cookie)
+      cookie_name = cookie.split('=').first.strip
+      not @configuration.scriptable_cookie?(cookie_name)
+    end  
+
+  end
+end

data/lib/safe_cookies/version.rb

@@ -1,3 +1,3 @@
 module SafeCookies
-  VERSION = '0.1.4'
+  VERSION = '0.1.5'
 end

data/lib/safe_cookies.rb

@@ -1,23 +1,31 @@
 # -*- encoding: utf-8 -*-
 require "safe_cookies/configuration"
 require "safe_cookies/cookie_path_fix"
+require "safe_cookies/helpers"
 require "safe_cookies/util"
 require "safe_cookies/version"
 require "rack"
 
+# Naming:
+# - application_cookies: cookies received from the application. The 'Set-Cookie' header is a string
+# - request_cookies: cookies received from the client. Rack::Request#cookies returns a Hash of { 'name' => 'value' }
+# - response_cookies: cookies to be sent to the client
+#   (= application_cookies + any cookies set in the middleware)
+
 module SafeCookies
 
   UnknownCookieError = Class.new(StandardError)
   
-  CACHE_COOKIE_NAME = '_safe_cookies__known_cookies'
+  STORE_COOKIE_NAME = '_safe_cookies__known_cookies'
   SECURED_COOKIE_NAME = 'secured_old_cookies'
   HELPER_COOKIES_LIFETIME = 10 * 365 * 24 * 60 * 60 # 10 years
 
   class Middleware
     
     include CookiePathFix
+    include Helpers
     
-    KNOWN_COOKIES_DIVIDER = '|'
+    COOKIE_NAME_REGEX = /(?=^|\n)[^\n;,=]+/i
 
 
     def initialize(app)
@@ -29,14 +37,16 @@ module SafeCookies
       reset_instance_variables
       
       @request = Rack::Request.new(env)
-      ensure_no_unknown_cookies!
+      ensure_no_unknown_cookies_in_request!
 
       status, @headers, body = @app.call(env)
-
-      fix_cookie_paths if fix_cookie_paths?
-      rewrite_request_cookies unless cookies_have_been_rewritten_before
-      cache_application_cookies
+      cache_application_cookies_string
+      
+      remove_application_cookies_from_request_cookies
       rewrite_application_cookies
+      store_application_cookie_names
+      fix_cookie_paths if fix_cookie_paths?
+      rewrite_request_cookies unless cookies_have_been_rewritten_before?
 
       [ status, @headers, body ]
     end
@@ -44,63 +54,31 @@ module SafeCookies
     private
     
     def reset_instance_variables
-      @request, @headers = nil
+      @request, @headers, @application_cookies = nil
     end
 
-    def secure(cookie)
-      # Regexp from https://github.com/tobmatth/rack-ssl-enforcer/
-      if should_be_secure?(cookie) and cookie !~ /(^|;\s)secure($|;)/
-        "#{cookie}; secure"
-      else
-        cookie
+    def ensure_no_unknown_cookies_in_request!
+      request_cookie_names = request_cookies.keys.map(&:to_s)
+      unknown_cookie_names = request_cookie_names - known_cookie_names
+      
+      if unknown_cookie_names.any?
+        handle_unknown_cookies(unknown_cookie_names)
       end
     end
 
-    def http_only(cookie)
-      if should_be_http_only?(cookie) and cookie !~ /(^|;\s)HttpOnly($|;)/
-        "#{cookie}; HttpOnly"
-      else
-        cookie
-      end
-    end
-    
-    # This method takes all cookies sent with the request and rewrites them,
-    # making them both secure and http-only (unless specified otherwise in
-    # the configuration).
-    # With the SECURED_COOKIE_NAME cookie we remember the exact time that we
-    # rewrote the cookies.
-    def rewrite_request_cookies
-      if @request.cookies.any?
-        registered_cookies_in_request.each do |registered_cookie, options|
-          value = @request.cookies[registered_cookie]
-
-          set_cookie!(registered_cookie, value, options)
+    def remove_application_cookies_from_request_cookies
+      if @application_cookies
+        application_cookie_names = @application_cookies.scan(COOKIE_NAME_REGEX)
+        application_cookie_names.each do |cookie|
+          request_cookies.delete(cookie)
         end
-      
-        formatted_now = Rack::Utils.rfc2822(Time.now.gmtime)
-        set_cookie!(SECURED_COOKIE_NAME, formatted_now, :expire_after => HELPER_COOKIES_LIFETIME)
       end
     end
 
-    def set_cookie!(name, value, options)
-      options = options.dup
-      expire_after = options.delete(:expire_after)
-
-      options[:expires] = Time.now + expire_after if expire_after
-      options[:path] = '/' unless options.has_key?(:path) # allow setting path = nil
-      options[:value] = value
-      options[:secure] = should_be_secure?(name)
-      options[:httponly] = should_be_http_only?(name)
-
-      Rack::Utils.set_cookie_header!(@headers, name, options)
-    end
-
     def rewrite_application_cookies
-      cookies = @headers['Set-Cookie']
-      if cookies
-        # Rails 2.3 / Rack 1.1 offers an array which is actually nice.
-        cookies = cookies.split("\n") unless cookies.is_a?(Array)
-
+      if @application_cookies
+        cookies = @application_cookies.split("\n")
+      
         # On Rack 1.1, cookie values sometimes contain trailing newlines.
         # Example => ["foo=1; path=/\n", "bar=2; path=/"]
         # Note that they also mess up browsers, when this array is merged
@@ -118,69 +96,36 @@ module SafeCookies
         @headers['Set-Cookie'] = cookies.join("\n")
       end
     end
-    
-    def should_be_secure?(cookie)
-      cookie_name = cookie.split('=').first.strip
-      ssl? and not @configuration.insecure_cookie?(cookie_name)
-    end
-    
-    def ssl?
-      if @request.respond_to?(:ssl?)
-        @request.ssl?
-      else
-        # older Rack versions
-        @request.scheme == 'https'
-      end
-    end
-    
-    def should_be_http_only?(cookie)
-      cookie_name = cookie.split('=').first.strip
-      not @configuration.scriptable_cookie?(cookie_name)
-    end
-    
-    def ensure_no_unknown_cookies!
-      request_cookies = @request.cookies.keys.map(&:to_s)
-      unknown_cookies = request_cookies - known_cookies
-      
-      if unknown_cookies.any?
-        handle_unknown_cookies(unknown_cookies)
+
+    def store_application_cookie_names
+      if @application_cookies
+        application_cookie_names = stored_application_cookie_names + @application_cookies.scan(COOKIE_NAME_REGEX)
+        application_cookies_string = application_cookie_names.uniq.join(KNOWN_COOKIES_DIVIDER)
+
+        set_cookie!(STORE_COOKIE_NAME, application_cookies_string, :expire_after => HELPER_COOKIES_LIFETIME)
       end
     end
     
-    def handle_unknown_cookies(cookies)
-      raise SafeCookies::UnknownCookieError.new("Request for '#{@request.url}' had unknown cookies: #{cookies.join(', ')}")
-    end
-    
-    def cache_application_cookies
-      new_application_cookies = @headers['Set-Cookie']
+    # This method takes all cookies sent with the request and rewrites them,
+    # making them both secure and http-only (unless specified otherwise in
+    # the configuration).
+    # With the SECURED_COOKIE_NAME cookie we remember the exact time that we
+    # rewrote the cookies.
+    def rewrite_request_cookies
+      if request_cookies.any?
+        registered_cookies_in_request.each do |cookie_name, options|
+          value = request_cookies[cookie_name]
+
+          set_cookie!(cookie_name, value, options)
+        end
       
-      if new_application_cookies
-        new_application_cookies = new_application_cookies.join("\n") if new_application_cookies.is_a?(Array)
-        application_cookies = cached_application_cookies + new_application_cookies.scan(/(?=^|\n)[^\n;,=]+/i)
-        application_cookies_string = application_cookies.uniq.join(KNOWN_COOKIES_DIVIDER)
-        
-        set_cookie!(CACHE_COOKIE_NAME, application_cookies_string, :expire_after => HELPER_COOKIES_LIFETIME)
+        formatted_now = Rack::Utils.rfc2822(Time.now.gmtime)
+        set_cookie!(SECURED_COOKIE_NAME, formatted_now, :expire_after => HELPER_COOKIES_LIFETIME)
       end
     end
     
-    def cached_application_cookies
-      cache_cookie = @request.cookies[CACHE_COOKIE_NAME] || ""
-      cache_cookie.split(KNOWN_COOKIES_DIVIDER)
-    end
-    
-    def known_cookies
-      known = [CACHE_COOKIE_NAME, SECURED_COOKIE_NAME]
-      known += cached_application_cookies
-      known += @configuration.registered_cookies.keys
-    end
-    
-    def cookies_have_been_rewritten_before
-      @request.cookies.has_key? SECURED_COOKIE_NAME
-    end
-    
-    # returns those of the registered cookies that appear in the request
-    def registered_cookies_in_request
-      Util.slice(@configuration.registered_cookies, *@request.cookies.keys)
+    def handle_unknown_cookies(cookie_names)
+      raise SafeCookies::UnknownCookieError.new("Request for '#{@request.url}' had unknown cookies: #{cookie_names.join(', ')}")
     end
 
   end

data/safe_cookies.gemspec

@@ -18,4 +18,5 @@ Gem::Specification.new do |gem|
   gem.add_dependency('rack')
   gem.add_development_dependency('rspec')
   gem.add_development_dependency('timecop')
+  gem.add_development_dependency('debugger')
 end

data/spec/configuration_spec.rb

@@ -26,53 +26,30 @@ describe SafeCookies::Middleware do
     
     describe 'register_cookie' do
       
-      context 'cookie name formatting' do
-
-        let(:set_cookie) do
-          # These tests for the Configuration module require an integration with
-          # the middleware itself. Therefore, we need to actually use it.
-          
-          app = stub('app')
-          env = { 'HTTPS' => 'on' }
-          stub_app_call(app, :application_cookies => 'cookie_name=value')
-
-          middleware = described_class.new(app)
-          code, headers, response = middleware.call(env)
-          headers['Set-Cookie']
-        end
-                
-        it 'understands cookies registered as symbol' do
-          SafeCookies.configure do |config|
-            config.register_cookie(:cookie_name, :expire_after => nil)
-          end
-          
-          set_cookie.should =~ /cookie_name=value;.* secure; HttpOnly/
-        end
-        
-        it 'understands cookies registered as string' do
+      it 'raises an error if a cookie is registered without passing its expiry' do
+        registration_without_expiry = lambda do
           SafeCookies.configure do |config|
-            config.register_cookie('cookie_name', :expire_after => nil)
+            config.register_cookie('filter', :some => :option)
           end
-          
-          set_cookie.should =~ /cookie_name=value;.* secure; HttpOnly/
         end
         
+        expect(&registration_without_expiry).to raise_error(SafeCookies::MissingOptionError)
       end
       
-      it 'raises an error if a cookie is registered without passing its expiry' do
-        registration_without_expiry = lambda do
+      it 'raises an error if the cookie name is not a String, because the middleware’s logic depends on strings' do
+        registration_as_symbol = lambda do
           SafeCookies.configure do |config|
             config.register_cookie(:filter, :some => :option)
           end
         end
         
-        expect(&registration_without_expiry).to raise_error(SafeCookies::MissingOptionError)
+        expect(&registration_as_symbol).to raise_error(RuntimeError, /must be a string/i)
       end
       
       it 'allows nil as expiry (means session cookie)' do
         registration_with_nil_expiry = lambda do
           SafeCookies.configure do |config|
-            config.register_cookie(:filter, :expire_after => nil)
+            config.register_cookie('filter', :expire_after => nil)
           end
         end
         

data/spec/safe_cookies_spec.rb

@@ -70,7 +70,6 @@ describe SafeCookies::Middleware do
     code, headers, response = subject.call(env)
 
     cookies = headers['Set-Cookie'].split("\n")
-    cookies.size.should == 3 # my_old_cookie and secured_old_cookies and _known_cookies
     cookies.each do |cookie|
       cookie.should include('; path=/;')
     end
@@ -124,7 +123,6 @@ describe SafeCookies::Middleware do
       SafeCookies.configure do |config|
         config.register_cookie('javascript-cookie', :expire_after => 3600, :http_only => false)
       end
-    
       stub_app_call(app, :application_cookies => 'javascript-cookie=xss')
     
       code, headers, response = subject.call(env)
@@ -132,11 +130,16 @@ describe SafeCookies::Middleware do
       headers['Set-Cookie'].should_not =~ /javascript-cookie=.*HttpOnly/i
     end
   
-    it 'should prefer the application cookie over a client cookie' do
+    it 'does not rewrite a client cookie when the application is setting a cookie with the same name' do
+      SafeCookies.configure do |config|
+        config.register_cookie('cookie', :expire_after => 3600)
+      end
+
       stub_app_call(app, :application_cookies => 'cookie=from_application')
-      set_request_cookies(env, 'cookie=from_client,_safe_cookies__known_cookies=cookie')
+      set_request_cookies(env, 'cookie=from_client')
     
       code, headers, response = subject.call(env)
+
       headers['Set-Cookie'].should include("cookie=from_application")
       headers['Set-Cookie'].should_not include("cookie=from_client")
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: safe_cookies
 version: !ruby/object:Gem::Version
-  version: 0.1.4
+  version: 0.1.5
 platform: ruby
 authors:
 - Dominik Schöler
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-09-25 00:00:00.000000000 Z
+date: 2013-10-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -52,6 +52,20 @@ dependencies:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: debugger
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Make all cookies `secure` and `HttpOnly`.
 email:
 - dominik.schoeler@makandra.de
@@ -67,6 +81,7 @@ files:
 - lib/safe_cookies.rb
 - lib/safe_cookies/configuration.rb
 - lib/safe_cookies/cookie_path_fix.rb
+- lib/safe_cookies/helpers.rb
 - lib/safe_cookies/util.rb
 - lib/safe_cookies/version.rb
 - safe_cookies.gemspec