safe_cookies 0.1.5 → 0.1.6

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    MjI5NWM4ZWE1M2UzNWFjNjFkNzc2M2EzN2U4NzJhZTgzNjQ0NmQ1NQ==
+    M2M1NGJkNGIyYmRhNmQ5OWZmYjU2MTVmMTEwZTc3NzRjNzRlNzE5Zg==
   data.tar.gz: !binary |-
-    OGNlMjkzMmI2MTFhZTFlNzA3MDZmMmYxOWQ3YmQ1ZGE4Njg0OWZlOA==
+    MTNiNGMwMjcyMzBkMmQzYzhmODVkNWIzYzg0N2FiNGZmNWE0ZTFkNQ==
 SHA512:
   metadata.gz: !binary |-
-    MjU5MGUyMzQyNTI2MzE5OTkzYjBkOTI4NjQ1ZjQxOTk4NGQzOTkxMDEyNDk3
-    YmQ3YjJjZDBhYTU3ZjBhNzgzMGYwNzdmNzcyZTFmYWY1NzQ0N2RhZDUyYzA1
-    NjJlZDc4NjdiMWU2M2NhOWY5YzBmNWFkNWNmY2Y1OTgxNjI1YjQ=
+    YjAyZWNhNTExNWFmZjk3MzAzYmVmYmY1NDAwZDQ4YzA1YWJkOTk0NTAzMDc0
+    OWE3YTM5YmZiMTYzMDg0ZmRiZjFhZGNiMTE5OWU3MWNjZTQ4MGRkNTNlYWNk
+    ZDhlYmM1Y2RjNWE1ZmRlYTY5OGJlYmIxZjJmMTUzODc5NzE1OTI=
   data.tar.gz: !binary |-
-    Yjg4YTA3OGYyY2RhYmJkZTAyYmNiNjE2ZGRjNTc4MTA0NDJjMTc1ZjA3Mjcy
-    MjFhYjlhOGY1ZjQyYTE3OTEzODE3ZmU3YmE5YzIxOTNhOWE4NTg5M2M3ZTk4
-    ZWMzMzVmODk4MWE3MDdjN2RkZjI1N2UwN2EyOTVlNmM0MmMwMjk=
+    NThmZjk3M2M5ZGY5YmZiMmI5ZjRkMzA3MWUyOTRlZWMzMmEwY2VjZTRkMWFj
+    OWZjZDk5OGJlMDM0MGE2MDQ0NmM4NTgyMDA4Y2VjYzY5NzEyNjJjZjMzOTE3
+    YWEzYjlmNzkwZjQyZmRhZWI5YzhmNzcyZjlmMmE3NTIxZTRjODE=

data/README.md

@@ -8,22 +8,18 @@ This Gem brings a middleware that will make all cookies secure. In detail, it wi
 
 ## Installation
 
+### Step 1
 Add this line to your application's Gemfile:
 
     gem 'safe_cookies'
 
-Then run:
-
-    $ bundle
-
-Or install it yourself as:
+Then run `bundle`.
 
-    $ gem install safe_cookies
+Though this gem is aimed at Rails applications, you may even use it without Rails. Install it then with
+`gem install safe_cookies`.
 
 
-## Usage
-
-### Step 1
+### Step 2
 **Rails 3**: add the following line in config/application.rb:
 
     class Application < Rails::Application
@@ -39,9 +35,9 @@ Or install it yourself as:
       config.middleware.insert_before ActionController::Session::CookieStore, SafeCookies::Middleware
     end
 
-### Step 2
+### Step 3
 Register cookies, either just after the lines you added in step 1 or in in an initializer
-(e.g. config/initializers/safe_cookies.rb):
+(e.g. in `config/initializers/safe_cookies.rb):
 
     SafeCookies.configure do |config|
       config.register_cookie :remember_token, :expire_after => 1.year
@@ -55,25 +51,29 @@ not made http-only. It will rewrite the `remember_token` with an expiry of one y
 `last_action` cookie with an expiry of 30 days, making both of them secure and http-only.
 Available options are: `:expire_after (required), :path, :secure, :http_only`.
 
-### Step 3
-Override `SafeCookies::Middleware#handle_unknown_cookies(cookies)` (see "Dealing with unregistered cookies" below).
+### Step 4 (only for Rails 2)
+Override `SafeCookies::Middleware#handle_unknown_cookies(cookies)` (see "Dealing with unregistered
+cookies" below).
 
 
 ## Dealing with unregistered cookies
 
-The middleware is not able to secure cookies without knowing their properties (most important: their
-expiry). Unfortunately, the [client won't ever tell us](http://tools.ietf.org/html/rfc6265#section-4.2.2)
-if the cookie was originally sent with flags such as "secure" or which expiry date it currently has.
+The middleware is not able to secure cookies without knowing their attributes (most important: their
+expiry). Unfortunately, [the client won't ever tell us](http://tools.ietf.org/html/rfc6265#section-4.2.2)
+if it stores the cookie with flags such as "secure" or which expiry date it currently has.
 Therefore, it is important to register all cookies that users may come with, specifying their properties.
 Unregistered cookies cannot be secured.
 
-If a request brings a cookie that is not registered, the middleware will raise
+If a request brings a cookie that is not registered, the middleware will raise a
 `SafeCookies::UnknownCookieError`. Rails 3+ should handle the exception as any other in your application,
 but by default, **you will not be notified from Rails 2 applications** and the user will see a standard
 500 Server Error. Override `SafeCookies::Middleware#handle_unknown_cookies(cookies)` in the config
 initializer for customized exception handling (like, notifying you per email).
 
-You should not ignore an unregistered cookie, but instead register it.
+You should register any cookie that your application has to do with. However, there are cookies that you
+do not control, like Google's `__utma` & co. You can tell the middleware to ignore those with the
+`config.ignore_cookie` directive, which takes either a String or a Regex parameter. Be careful when using
+regular expressions!
 
 
 ## Fix cookie paths

data/lib/safe_cookies/configuration.rb

@@ -13,12 +13,13 @@ module SafeCookies
   end
 
   class Configuration
-    attr_reader :registered_cookies, :fix_cookie_paths, :correct_cookie_paths_timestamp
+    attr_reader :registered_cookies, :fix_cookie_paths, :correct_cookie_paths_timestamp, :ignored_cookies
 
     def initialize
       self.registered_cookies = {}
       self.insecure_cookies = []
       self.scriptable_cookies = []
+      self.ignored_cookies = []
     end
     
     # Register cookies you expect to receive. The middleware will rewrite all
@@ -45,6 +46,14 @@ module SafeCookies
       scriptable_cookies << name if options[:http_only] == false
     end
     
+    # Ignore cookies that you don't control like this:
+    #
+    #   ignore_cookie 'ignored_cookie'
+    #   ignore_cookie /^__utm/
+    def ignore_cookie(name_or_regex)
+      self.ignored_cookies << name_or_regex
+    end
+    
     def fix_paths(options = {})
       options.has_key?(:for_cookies_secured_before) or raise MissingOptionError.new("Was told to fix paths without the :for_cookies_secured_before timestamp.")
 
@@ -63,7 +72,7 @@ module SafeCookies
     private
     
     attr_accessor :insecure_cookies, :scriptable_cookies
-    attr_writer :registered_cookies, :fix_cookie_paths, :correct_cookie_paths_timestamp
+    attr_writer :registered_cookies, :fix_cookie_paths, :correct_cookie_paths_timestamp, :ignored_cookies
 
   end
 

data/lib/safe_cookies/cookie_path_fix.rb

@@ -2,23 +2,24 @@ module SafeCookies
   module CookiePathFix
   
     # Previously, the SafeCookies gem would not set a path when rewriting
-    # cookies. Browsers then would assume and store the current "directory",
-    # leading to multiple cookies per domain.
+    # cookies. Browsers then would assume and store the current "directory"
+    # (see below), leading to multiple cookies per domain.
     #
-    # If cookies had been secured before the configured datetime, the method
-    # `fix_cookie_paths` deletes all cookies coming with the request, and the
+    # If the cookies were secured before the configured datetime, this method
+    # instructs the client to delete all cookies it sent with the request + the
     # SECURED_COOKIE_NAME helper cookie.
     # The middleware still sees the request cookies and will rewrite them as
-    # if it hadn't seen them before.
-  
-    def fix_cookie_paths
+    # if it hadn't seen them before, setting them on the correct path (root,
+    # per default).
+    def delete_cookies_on_bad_path
       registered_cookies_in_request.keys.each do |registered_cookie|
         delete_cookie_for_current_directory(registered_cookie)
       end
       delete_cookie_for_current_directory(SafeCookies::SECURED_COOKIE_NAME)
     
-      # Delete this cookie here, so the middleware will secure all cookies anew.
-      request_cookies.delete(SafeCookies::SECURED_COOKIE_NAME)
+      # Delete this cookie here, so the middleware believes it hasn't secured
+      # the cookies yet.
+      @request.cookies.delete(SafeCookies::SECURED_COOKIE_NAME)
     end
       
     private
@@ -51,7 +52,8 @@ module SafeCookies
     end
   
     def current_directory_is_root?
-      !@request.path[%r(^/[^/]+/[^\?]+), 0] # roughly: "there are not three slashes"
+      # in words: "there are not three slashes before any query params"
+      !@request.path[%r(^/[^/]+/[^\?]+), 0]
     end
   
     def secured_old_cookies_timestamp

data/lib/safe_cookies/helpers.rb

@@ -9,8 +9,9 @@ module SafeCookies
       cookies = cookies.join("\n") if cookies.is_a?(Array)
     
       if cookies and cookies.length > 0
-        @application_cookies = cookies
+        @application_cookies_string = cookies
       end
+      # else, @application_cookies_string will be `nil`
     end
   
     def secure(cookie)
@@ -47,7 +48,7 @@ module SafeCookies
     # getters
 
     def stored_application_cookie_names
-      store_cookie = request_cookies[STORE_COOKIE_NAME] || ""
+      store_cookie = @request.cookies[STORE_COOKIE_NAME] || ""
       store_cookie.split(KNOWN_COOKIES_DIVIDER)
     end
 
@@ -61,16 +62,17 @@ module SafeCookies
       known += stored_application_cookie_names
       known += @configuration.registered_cookies.keys
     end
-
+    
+    # returns the request cookies minus ignored cookies
     def request_cookies
-      @request.cookies
+      Util.except!(@request.cookies.dup, *@configuration.ignored_cookies)
     end
 
 
     # boolean
 
     def cookies_have_been_rewritten_before?
-      request_cookies.has_key? SECURED_COOKIE_NAME
+      @request.cookies.has_key? SECURED_COOKIE_NAME
     end
 
     def should_be_secure?(cookie)

data/lib/safe_cookies/util.rb

@@ -1,17 +1,22 @@
-module SafeCookies
-  class Util
-    class << self
-      
-      def slice(hash, *allowed_keys)
-        sliced_hash = hash.select { |key, value|
-          allowed_keys.include? key
-        }
+class SafeCookies::Util
+  class << self
+    
+    def slice(hash, *allowed_keys)
+      sliced_hash = hash.select { |key, _value|
+        allowed_keys.include? key
+      }
 
-        # Normalize the result of Hash#select
-        # (Ruby 1.8 returns an Array, Ruby 1.9 returns a Hash)
-        Hash[sliced_hash]
+      # Normalize the result of Hash#select
+      # (Ruby 1.8 returns an Array, Ruby 1.9 returns a Hash)
+      Hash[sliced_hash]
+    end
+    
+    # rejected_keys may be of type String or Regex
+    def except!(hash, *rejected_keys)
+      hash.delete_if do |key, _value|
+        rejected_keys.any? { |rejected| rejected === key }
       end
-      
     end
+    
   end
-end
+end

data/lib/safe_cookies/version.rb

@@ -1,3 +1,3 @@
 module SafeCookies
-  VERSION = '0.1.5'
+  VERSION = '0.1.6'
 end

data/lib/safe_cookies.rb

@@ -9,8 +9,6 @@ require "rack"
 # Naming:
 # - application_cookies: cookies received from the application. The 'Set-Cookie' header is a string
 # - request_cookies: cookies received from the client. Rack::Request#cookies returns a Hash of { 'name' => 'value' }
-# - response_cookies: cookies to be sent to the client
-#   (= application_cookies + any cookies set in the middleware)
 
 module SafeCookies
 
@@ -39,13 +37,14 @@ module SafeCookies
       @request = Rack::Request.new(env)
       ensure_no_unknown_cookies_in_request!
 
+      # calling the next middleware
       status, @headers, body = @app.call(env)
       cache_application_cookies_string
       
-      remove_application_cookies_from_request_cookies
-      rewrite_application_cookies
+      enhance_application_cookies!
       store_application_cookie_names
-      fix_cookie_paths if fix_cookie_paths?
+      
+      delete_cookies_on_bad_path if fix_cookie_paths?
       rewrite_request_cookies unless cookies_have_been_rewritten_before?
 
       [ status, @headers, body ]
@@ -54,9 +53,11 @@ module SafeCookies
     private
     
     def reset_instance_variables
-      @request, @headers, @application_cookies = nil
+      @request, @headers, @application_cookies_string = nil
     end
-
+    
+    # Make sure we get notified if a client comes with an unregistered cookie,
+    # because we do not want any cookie not to be secured.
     def ensure_no_unknown_cookies_in_request!
       request_cookie_names = request_cookies.keys.map(&:to_s)
       unknown_cookie_names = request_cookie_names - known_cookie_names
@@ -65,19 +66,11 @@ module SafeCookies
         handle_unknown_cookies(unknown_cookie_names)
       end
     end
-
-    def remove_application_cookies_from_request_cookies
-      if @application_cookies
-        application_cookie_names = @application_cookies.scan(COOKIE_NAME_REGEX)
-        application_cookie_names.each do |cookie|
-          request_cookies.delete(cookie)
-        end
-      end
-    end
-
-    def rewrite_application_cookies
-      if @application_cookies
-        cookies = @application_cookies.split("\n")
+    
+    # Overwrites @header['Set-Cookie']
+    def enhance_application_cookies!
+      if @application_cookies_string
+        cookies = @application_cookies_string.split("\n")
       
         # On Rack 1.1, cookie values sometimes contain trailing newlines.
         # Example => ["foo=1; path=/\n", "bar=2; path=/"]
@@ -96,23 +89,33 @@ module SafeCookies
         @headers['Set-Cookie'] = cookies.join("\n")
       end
     end
-
+    
+    # Store the names of cookies that are set by the application. We are already
+    # securing those and therefore do not need to rewrite them.
     def store_application_cookie_names
-      if @application_cookies
-        application_cookie_names = stored_application_cookie_names + @application_cookies.scan(COOKIE_NAME_REGEX)
+      if @application_cookies_string
+        application_cookie_names = stored_application_cookie_names + @application_cookies_string.scan(COOKIE_NAME_REGEX)
         application_cookies_string = application_cookie_names.uniq.join(KNOWN_COOKIES_DIVIDER)
 
         set_cookie!(STORE_COOKIE_NAME, application_cookies_string, :expire_after => HELPER_COOKIES_LIFETIME)
       end
     end
     
-    # This method takes all cookies sent with the request and rewrites them,
+    # This method takes the cookies sent with the request and rewrites them,
     # making them both secure and http-only (unless specified otherwise in
     # the configuration).
     # With the SECURED_COOKIE_NAME cookie we remember the exact time that we
     # rewrote the cookies.
     def rewrite_request_cookies
-      if request_cookies.any?
+      cookies_to_rewrite = request_cookies || []
+      
+      # don't rewrite request cookies that the application is setting in the response
+      if @application_cookies_string
+        application_cookie_names = @application_cookies_string.scan(COOKIE_NAME_REGEX)
+        Util.except!(cookies_to_rewrite, *application_cookie_names)
+      end
+      
+      if cookies_to_rewrite.any?
         registered_cookies_in_request.each do |cookie_name, options|
           value = request_cookies[cookie_name]
 
@@ -124,6 +127,7 @@ module SafeCookies
       end
     end
     
+    # API method
     def handle_unknown_cookies(cookie_names)
       raise SafeCookies::UnknownCookieError.new("Request for '#{@request.url}' had unknown cookies: #{cookie_names.join(', ')}")
     end

data/spec/safe_cookies_spec.rb

@@ -7,7 +7,7 @@ describe SafeCookies::Middleware do
   let(:app) { stub 'application' }
   let(:env) { { 'HTTPS' => 'on' } }
   
-  it 'should rewrite registered request cookies as secure and http-only, but only once' do
+  it 'rewrites registered request cookies as secure and http-only, but only once' do
     SafeCookies.configure do |config|
       config.register_cookie('foo', :expire_after => 3600)
     end
@@ -35,7 +35,7 @@ describe SafeCookies::Middleware do
     headers['Set-Cookie'].to_s.should == ''
   end
 
-  it 'should not make cookies secure if the request was not secure' do
+  it 'doesn’t make cookies secure if the request was not secure' do
     stub_app_call(app, :application_cookies => 'filter-settings=sort_by_date')
     env['HTTPS'] = 'off'
     
@@ -43,7 +43,7 @@ describe SafeCookies::Middleware do
     headers['Set-Cookie'].should include("filter-settings=sort_by_date")
     headers['Set-Cookie'].should_not match(/\bsecure\b/i)
   end
-
+  
   it 'expires the secured_old_cookies helper cookie in ten years' do
     Timecop.freeze(Time.parse('2013-09-17 17:53'))
 
@@ -59,43 +59,47 @@ describe SafeCookies::Middleware do
     headers['Set-Cookie'].should =~ /secured_old_cookies.*expires=Fri, 15 Sep 2023 \d\d:\d\d:\d\d/
   end
   
-  it 'sets cookies on the root path' do
-    SafeCookies.configure do |config|
-      config.register_cookie('my_old_cookie', :expire_after => 3600)
-    end
+  context 'cookie attributes' do
+
+    it 'sets cookies on the root path' do
+      SafeCookies.configure do |config|
+        config.register_cookie('my_old_cookie', :expire_after => 3600)
+      end
     
-    set_request_cookies(env, 'my_old_cookie=foobar')
-    stub_app_call(app)
+      set_request_cookies(env, 'my_old_cookie=foobar')
+      stub_app_call(app)
 
-    code, headers, response = subject.call(env)
+      code, headers, response = subject.call(env)
 
-    cookies = headers['Set-Cookie'].split("\n")
-    cookies.each do |cookie|
-      cookie.should include('; path=/;')
+      cookies = headers['Set-Cookie'].split("\n")
+      cookies.each do |cookie|
+        cookie.should include('; path=/;')
+      end
     end
-  end
   
-  it 'should not alter cookie options coming from the application' do
-    stub_app_call(app, :application_cookies => 'cookie=data; path=/; expires=next_week')
+    it 'should not alter cookie attributes coming from the application' do
+      stub_app_call(app, :application_cookies => 'cookie=data; path=/; expires=next_week')
   
-    code, headers, response = subject.call(env)
-    headers['Set-Cookie'].should =~ %r(cookie=data; path=/; expires=next_week; secure; HttpOnly)
-  end
+      code, headers, response = subject.call(env)
+      headers['Set-Cookie'].should =~ %r(cookie=data; path=/; expires=next_week; secure; HttpOnly)
+    end
   
-  it 'should respect cookie options set in the configuration' do
-    Timecop.freeze
+    it 'should respect cookie attributes set in the configuration' do
+      Timecop.freeze
     
-    SafeCookies.configure do |config|
-      config.register_cookie('foo', :expire_after => 3600, :path => '/special/path')
-    end
+      SafeCookies.configure do |config|
+        config.register_cookie('foo', :expire_after => 3600, :path => '/special/path')
+      end
 
-    stub_app_call(app)
-    set_request_cookies(env, 'foo=bar')
-    env['PATH_INFO'] = '/special/path/subfolder'
+      stub_app_call(app)
+      set_request_cookies(env, 'foo=bar')
+      env['PATH_INFO'] = '/special/path/subfolder'
   
-    code, headers, response = subject.call(env)
-    expected_expiry = Rack::Utils.rfc2822((Time.now + 3600).gmtime) # a special date format needed here
-    headers['Set-Cookie'].should =~ %r(foo=bar; path=/special/path; expires=#{expected_expiry}; secure; HttpOnly)
+      code, headers, response = subject.call(env)
+      expected_expiry = Rack::Utils.rfc2822((Time.now + 3600).gmtime) # a special date format needed here
+      headers['Set-Cookie'].should =~ %r(foo=bar; path=/special/path; expires=#{expected_expiry}; secure; HttpOnly)
+    end
+    
   end
   
   context 'cookies set by the application' do
@@ -173,18 +177,46 @@ describe SafeCookies::Middleware do
       headers['Set-Cookie'].should =~ /js-data=json;.* secure/
       headers['Set-Cookie'].should_not =~ /js-data=json;.* HttpOnly/
     end
-  
+    
+  end
+
+  context 'ignored cookies' do
+    
+    before do
+      stub_app_call(app)
+      set_request_cookies(env, '__utma=123', '__utmz=456')
+    end
+
+    it 'does not rewrite ignored cookies given as string' do
+      SafeCookies.configure do |config|
+        config.ignore_cookie '__utma'
+        config.ignore_cookie '__utmz'
+      end
+
+      code, headers, response = subject.call(env)
+      headers['Set-Cookie'].should_not =~ /__utm/
+    end
+
+    it 'does not rewrite ignored cookies given as regex' do
+      SafeCookies.configure do |config|
+        config.ignore_cookie /^__utm/
+      end
+      
+      code, headers, response = subject.call(env)
+      headers['Set-Cookie'].should_not =~ /__utm/
+    end
+    
   end
 
   context 'unknown request cookies' do
     
-    it 'should raise an error if there is an unknown cookie' do
+    it 'raises an error if there is an unknown cookie' do
       set_request_cookies(env, 'foo=bar')
     
       expect{ subject.call(env) }.to raise_error(SafeCookies::UnknownCookieError)
     end
     
-    it 'should not raise an error if the (unregistered) cookie was initially set by the application' do
+    it 'does not raise an error if the (unregistered) cookie was initially set by the application' do
       # application sets cookie
       stub_app_call(app, :application_cookies => 'foo=bar; path=/some/path; secure')
       
@@ -204,7 +236,7 @@ describe SafeCookies::Middleware do
       other_subject.call(env)
     end
     
-    it 'should not raise an error if the cookie is listed in the cookie configuration' do
+    it 'does not raise an error if the cookie is listed in the cookie configuration' do
       SafeCookies.configure do |config|
         config.register_cookie('foo', :expire_after => 3600)
       end
@@ -214,7 +246,18 @@ describe SafeCookies::Middleware do
       
       subject.call(env)
     end
-  
+    
+    it 'does not raise an error if the cookie is ignored' do
+      SafeCookies.configure do |config|
+        config.ignore_cookie '__utma'
+      end
+
+      stub_app_call(app)
+      set_request_cookies(env, '__utma=tracking')
+      
+      subject.call(env)
+    end
+    
     it 'allows overwriting the error mechanism' do
       stub_app_call(app)
       set_request_cookies(env, 'foo=bar')

data/spec/util_spec.rb

@@ -0,0 +1,27 @@
+require 'spec_helper'
+
+describe SafeCookies::Util do
+  
+  describe '.except!' do
+    
+    before do
+      @hash = { 'a' => 1, 'ab' => 2, 'b' => 3 }
+    end
+
+    it 'deletes the given keys from the original hash' do
+      SafeCookies::Util.except!(@hash, 'a')
+      @hash.should == { 'ab' => 2, 'b' => 3 }
+    end
+    
+    it 'deletes all keys that match the regex' do
+      SafeCookies::Util.except!(@hash, /b/)
+      @hash.should == { 'a' => 1 }
+    end
+    
+    it 'returns the original hash' do
+      SafeCookies::Util.except!(@hash, /(?!)/).should == @hash
+    end
+    
+  end
+
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: safe_cookies
 version: !ruby/object:Gem::Version
-  version: 0.1.5
+  version: 0.1.6
 platform: ruby
 authors:
 - Dominik Schöler
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-10-18 00:00:00.000000000 Z
+date: 2013-10-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -89,6 +89,7 @@ files:
 - spec/cookie_path_fix_spec.rb
 - spec/safe_cookies_spec.rb
 - spec/spec_helper.rb
+- spec/util_spec.rb
 homepage: http://www.makandra.de
 licenses: []
 metadata: {}
@@ -117,3 +118,4 @@ test_files:
 - spec/cookie_path_fix_spec.rb
 - spec/safe_cookies_spec.rb
 - spec/spec_helper.rb
+- spec/util_spec.rb