fix(middleware): ensure headers are wrapped with Rack::Headers

Add `Rack::Headers` wrapping to middleware to
prevent header manipulation issues. Added a test
to verify cookies remain as an array when flagged
if already in array format.

Author: deril

lib/secure_headers/middleware.rb

@@ -9,6 +9,7 @@ def initialize(app)
     def call(env)
       req = Rack::Request.new(env)
       status, headers, response = @app.call(env)
+      headers = Rack::Headers[headers]
 
       config = SecureHeaders.config_for(req)
       flag_cookies!(headers, override_secure(env, config.cookies)) unless config.cookies == OPT_OUT

spec/lib/secure_headers/middleware_spec.rb

@@ -83,16 +83,26 @@ module SecureHeaders
       end
 
       it "flags cookies with a combination of SameSite configurations" do
-        cookie_middleware = Middleware.new(lambda { |env| [200, env.merge("Set-Cookie" => ["_session=foobar", "_guest=true"]), "app"] })
+        cookie_middleware = Middleware.new(lambda { |env| [200, env.merge("Set-Cookie" => "_session=foobar\n_guest=true"), "app"] })
 
-        Configuration.default { |config| config.cookies = { samesite: { lax: { except: ["_session"] }, strict: { only: ["_session"] } }, httponly: OPT_OUT, secure: OPT_OUT} }
+        Configuration.default { |config| config.cookies = { samesite: { lax: { except: ["_session"] }, strict: { only: ["_session"] } }, httponly: OPT_OUT, secure: OPT_OUT } }
         request = Rack::Request.new("HTTPS" => "on")
         _, env = cookie_middleware.call request.env
 
         expect(env["Set-Cookie"]).to match("_session=foobar; SameSite=Strict")
         expect(env["Set-Cookie"]).to match("_guest=true; SameSite=Lax")
       end
 
+      it "keeps cookies as array after flagging if they are already an array" do
+        cookie_middleware = Middleware.new(lambda { |env| [200, env.merge("Set-Cookie" => ["_session=foobar", "_guest=true"]), "app"] })
+
+        Configuration.default { |config| config.cookies = { samesite: { lax: { except: ["_session"] }, strict: { only: ["_session"] } }, httponly: OPT_OUT, secure: OPT_OUT } }
+        request = Rack::Request.new("HTTPS" => "on")
+        _, env = cookie_middleware.call request.env
+
+        expect(env["Set-Cookie"]).to match_array(["_session=foobar; SameSite=Strict", "_guest=true; SameSite=Lax"])
+      end
+
       it "disables secure cookies for non-https requests" do
         Configuration.default { |config| config.cookies = { secure: true, httponly: OPT_OUT, samesite: OPT_OUT } }