parse the cookie to determine existing flags

Author: stve

lib/secure_headers/headers/cookie.rb

@@ -9,12 +9,6 @@ class Cookie
     SAMESITE_LAX_REGEXP =/;\s*SameSite=Lax\s*(;|$)/i.freeze
     SAMESITE_STRICT_REGEXP =/;\s*SameSite=Strict\s*(;|$)/i.freeze
 
-    REGEXES = {
-      secure: SECURE_REGEXP,
-      httponly: HTTPONLY_REGEXP,
-      samesite: SAMESITE_REGEXP,
-    }
-
     class << self
       def validate_config!(config)
         return if config.nil? || config == OPT_OUT
@@ -84,6 +78,13 @@ def validate_config!(config)
     def initialize(cookie, config)
       @raw_cookie = cookie
       @config = config
+      @attributes = {
+        "secure" => nil,
+        "httponly" => nil,
+        "samesite" => nil,
+      }
+
+      parse(cookie)
     end
 
     def to_s
@@ -113,7 +114,7 @@ def parsed_cookie
     end
 
     def already_flagged?(attribute)
-      raw_cookie =~ REGEXES[attribute]
+      @attributes[attribute.to_s]
     end
 
     def flag_cookie?(attribute)
@@ -169,5 +170,18 @@ def flag_samesite_enforcement?(mode)
         false
       end
     end
+
+    def parse(cookie)
+      return unless cookie
+
+      cookie.split(/[;,]\s?/).each do |pairs|
+        name, values = pairs.split('=',2)
+        name = CGI.unescape(name)
+
+        if @attributes.has_key?(name.downcase)
+          @attributes[name.downcase] = values || true
+        end
+      end
+    end
   end
 end

spec/lib/secure_headers/cookie_spec.rb

@@ -97,6 +97,12 @@ module SecureHeaders
         cookie = Cookie.new(raw_cookie, samesite: { strict: { only: ["_session"] }, lax: { only: ["_additional_session"] } })
         expect(cookie.to_s).to match(Cookie::SAMESITE_STRICT_REGEXP)
       end
+
+      it "ignores configuration if the cookie is already flagged" do
+        raw_cookie = "_session=thisisatest; SameSite=Strict"
+        cookie = Cookie.new(raw_cookie, samesite: { lax: true })
+        expect(cookie.to_s).to eq(raw_cookie)
+      end
     end
   end