switch from regex matchers to string equality matchers

stve · stve · commit f11c7e5c7c26 · 2016-04-13T11:29:01.000-04:00
diff --git a/lib/secure_headers/headers/cookie.rb b/lib/secure_headers/headers/cookie.rb
@@ -3,11 +3,6 @@
 module SecureHeaders
   class CookiesConfigError < StandardError; end
   class Cookie
-    SECURE_REGEXP = /;\s*secure\s*(;|$)/i.freeze
-    HTTPONLY_REGEXP =/;\s*HttpOnly\s*(;|$)/i.freeze
-    SAMESITE_REGEXP =/;\s*SameSite\s*(;|$)/i.freeze
-    SAMESITE_LAX_REGEXP =/;\s*SameSite=Lax\s*(;|$)/i.freeze
-    SAMESITE_STRICT_REGEXP =/;\s*SameSite=Strict\s*(;|$)/i.freeze
 
     class << self
       def validate_config!(config)
diff --git a/spec/lib/secure_headers/headers/cookie_spec.rb b/spec/lib/secure_headers/headers/cookie_spec.rb
@@ -11,7 +11,7 @@ module SecureHeaders
 
     it "preserves existing attributes" do
       cookie = Cookie.new("_session=thisisatest; secure", secure: true)
-      expect(cookie.to_s).to match(Cookie::SECURE_REGEXP)
+      expect(cookie.to_s).to eq("_session=thisisatest; secure")
     end
 
     it "prevents duplicate flagging of attributes" do
@@ -23,19 +23,19 @@ module SecureHeaders
       context "when configured with a boolean" do
         it "flags cookies as Secure" do
           cookie = Cookie.new(raw_cookie, secure: true)
-          expect(cookie.to_s).to match(Cookie::SECURE_REGEXP)
+          expect(cookie.to_s).to eq("_session=thisisatest; secure")
         end
       end
 
       context "when configured with a Hash" do
         it "flags cookies as Secure when whitelisted" do
           cookie = Cookie.new(raw_cookie, secure: { only: ["_session"]})
-          expect(cookie.to_s).to match(Cookie::SECURE_REGEXP)
+          expect(cookie.to_s).to eq("_session=thisisatest; secure")
         end
 
         it "does not flag cookies as Secure when excluded" do
           cookie = Cookie.new(raw_cookie, secure: { except: ["_session"] })
-          expect(cookie.to_s).not_to match(Cookie::SECURE_REGEXP)
+          expect(cookie.to_s).to eq("_session=thisisatest")
         end
       end
     end
@@ -44,58 +44,58 @@ module SecureHeaders
       context "when configured with a boolean" do
         it "flags cookies as HttpOnly" do
           cookie = Cookie.new(raw_cookie, httponly: true)
-          expect(cookie.to_s).to match(Cookie::HTTPONLY_REGEXP)
+          expect(cookie.to_s).to eq("_session=thisisatest; HttpOnly")
         end
       end
 
       context "when configured with a Hash" do
         it "flags cookies as HttpOnly when whitelisted" do
           cookie = Cookie.new(raw_cookie, httponly: { only: ["_session"]})
-          expect(cookie.to_s).to match(Cookie::HTTPONLY_REGEXP)
+          expect(cookie.to_s).to eq("_session=thisisatest; HttpOnly")
         end
 
         it "does not flag cookies as HttpOnly when excluded" do
           cookie = Cookie.new(raw_cookie, httponly: { except: ["_session"] })
-          expect(cookie.to_s).not_to match(Cookie::HTTPONLY_REGEXP)
+          expect(cookie.to_s).to eq("_session=thisisatest")
         end
       end
     end
 
     context "SameSite cookies" do
       it "flags SameSite=Lax" do
         cookie = Cookie.new(raw_cookie, samesite: { lax: { only: ["_session"] } })
-        expect(cookie.to_s).to match(Cookie::SAMESITE_LAX_REGEXP)
+        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
       end
 
       it "flags SameSite=Lax when configured with a boolean" do
         cookie = Cookie.new(raw_cookie, samesite: { lax: true})
-        expect(cookie.to_s).to match(Cookie::SAMESITE_LAX_REGEXP)
+        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
       end
 
       it "does not flag cookies as SameSite=Lax when excluded" do
         cookie = Cookie.new(raw_cookie, samesite: { lax: { except: ["_session"] } })
-        expect(cookie.to_s).not_to match(Cookie::SAMESITE_LAX_REGEXP)
+        expect(cookie.to_s).to eq("_session=thisisatest")
       end
 
       it "flags SameSite=Strict" do
         cookie = Cookie.new(raw_cookie, samesite: { strict: { only: ["_session"] } })
-        expect(cookie.to_s).to match(Cookie::SAMESITE_STRICT_REGEXP)
+        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Strict")
       end
 
       it "does not flag cookies as SameSite=Strict when excluded" do
         cookie = Cookie.new(raw_cookie, samesite: { strict: { except: ["_session"] } })
-        expect(cookie.to_s).not_to match(Cookie::SAMESITE_STRICT_REGEXP)
+        expect(cookie.to_s).to eq("_session=thisisatest")
       end
 
       it "flags SameSite=Strict when configured with a boolean" do
         cookie = Cookie.new(raw_cookie, samesite: { strict: true})
-        expect(cookie.to_s).to match(Cookie::SAMESITE_STRICT_REGEXP)
+        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Strict")
       end
 
       it "flags properly when both lax and strict are configured" do
         raw_cookie = "_session=thisisatest"
         cookie = Cookie.new(raw_cookie, samesite: { strict: { only: ["_session"] }, lax: { only: ["_additional_session"] } })
-        expect(cookie.to_s).to match(Cookie::SAMESITE_STRICT_REGEXP)
+        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Strict")
       end
 
       it "ignores configuration if the cookie is already flagged" do
diff --git a/spec/lib/secure_headers/middleware_spec.rb b/spec/lib/secure_headers/middleware_spec.rb
@@ -46,7 +46,7 @@ module SecureHeaders
           end
           request = Rack::Request.new("HTTPS" => "on")
           _, env = cookie_middleware.call request.env
-          expect(env['Set-Cookie']).to match(SecureHeaders::Cookie::SECURE_REGEXP)
+          expect(env['Set-Cookie']).to eq("foo=bar; secure")
         end
       end
 
@@ -57,7 +57,7 @@ module SecureHeaders
           end
           request = Rack::Request.new("HTTPS" => "on")
           _, env = cookie_middleware.call request.env
-          expect(env['Set-Cookie']).not_to match(SecureHeaders::Cookie::SECURE_REGEXP)
+          expect(env['Set-Cookie']).to eq("foo=bar")
         end
       end
     end
@@ -68,8 +68,7 @@ module SecureHeaders
         request = Rack::Request.new("HTTPS" => "on")
         _, env = cookie_middleware.call request.env
 
-        expect(env['Set-Cookie']).to match(SecureHeaders::Cookie::SECURE_REGEXP)
-        expect(env['Set-Cookie']).to match(SecureHeaders::Cookie::HTTPONLY_REGEXP)
+        expect(env['Set-Cookie']).to eq("foo=bar; secure; HttpOnly")
       end
 
       it "flags cookies with a combination of SameSite configurations" do
@@ -88,7 +87,7 @@ module SecureHeaders
 
         request = Rack::Request.new("HTTPS" => "off")
         _, env = cookie_middleware.call request.env
-        expect(env['Set-Cookie']).not_to match(SecureHeaders::Cookie::SECURE_REGEXP)
+        expect(env['Set-Cookie']).to eq("foo=bar")
       end
     end
   end
