From 89893e4f5bf8ff6ba60e8bd62f79e936c30f1484 Mon Sep 17 00:00:00 2001
From: Keming
Date: Thu, 3 Oct 2024 12:11:34 +0800
Subject: [PATCH] chore: fix secure alert about set_cookie (#376)
Signed-off-by: Keming
---
 pyproject.toml | 2 +-
 spectree/plugins/starlette_plugin.py | 4 +---
 tests/flask_imports/dry_plugin_flask.py | 12 +++++++++---
 tests/quart_imports/dry_plugin_quart.py | 12 +++++++++---
 tests/test_config.py | 2 +-
 tests/test_response.py | 2 +-
 6 files changed, 22 insertions(+), 12 deletions(-)
diff --git a/pyproject.toml b/pyproject.toml
index f2f4040e..725ba7a9 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -64,7 +64,7 @@ line-length = 88
 [tool.ruff.lint]
 select = ["E", "F", "B", "G", "I", "SIM", "TID", "PL", "RUF"]
 ignore = ["E501", "PLR2004", "RUF012"]
-[tool.ruff.pylint]
+[tool.ruff.lint.pylint]
 max-args = 12
 max-branches = 15
diff --git a/spectree/plugins/starlette_plugin.py b/spectree/plugins/starlette_plugin.py
index 856adf58..e1111e0a 100644
--- a/spectree/plugins/starlette_plugin.py
+++ b/spectree/plugins/starlette_plugin.py
@@ -197,9 +197,7 @@ def parse_route(app, prefix=""):
 return routes
 def bypass(self, func, method):
- if method in ["HEAD", "OPTIONS"]:
- return True
- return False
+ return method in ["HEAD", "OPTIONS"]
 def parse_func(self, route):
 for method in route.methods or ["GET"]:
diff --git a/tests/flask_imports/dry_plugin_flask.py b/tests/flask_imports/dry_plugin_flask.py
index bcc41a1b..f1a2cd67 100644
--- a/tests/flask_imports/dry_plugin_flask.py
+++ b/tests/flask_imports/dry_plugin_flask.py
@@ -9,7 +9,9 @@
 @pytest.mark.parametrize("response_format", ["json", "xml"])
 def test_flask_skip_validation(client, response_format: str):
- client.set_cookie(key="pub", value="abcdefg")
+ client.set_cookie(
+ key="pub", value="abcdefg", secure=True, httponly=True, samesite="Strict"
+ )
 assert response_format in ("json", "xml")
 resp = client.post(
 f"/api/user_skip/flask?order=1&response_format={response_format}",
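Review bot: `bypass` is the switch that makes this plugin skip request validation for a method, and the rewritten one-liner still carries no docstring saying so; I would add `"""Return True for methods (HEAD, OPTIONS) whose handlers are not validated."""` directly under the `def`. A tuple reads better than building a fresh list literal on every call: `return method in ("HEAD", "OPTIONS")`. `func` is not used in the visible body; if it is required by the plugin interface, a short comment saying so would stop a later cleanup from dropping it. The enclosing class and `parse_func` continue outside the hunk.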
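Review bot: The three `set_cookie(...)` calls in this file (hunks at -9, -31 and -134) and the three in tests/quart_imports/dry_plugin_quart.py now repeat the same five-argument call; a one-line module helper such as `def _set_pub_cookie(client): client.set_cookie(key="pub", value="abcdefg", secure=True, httponly=True, samesite="Strict")` would keep them in sync and make the flags a single decision. The attributes are set on the test client's stored cookie, so they change what the client sends, not what the application under test emits; a comment such as `# secure/httponly/samesite only silence the static-analysis alert; the endpoint does not read them` would stop a reader from inferring a server-side requirement. The requests below use relative paths, so presumably the client's default http scheme; the `secure=True` cookie is then delivered only because the test client does not enforce the Secure attribute, which is worth confirming against the pinned Werkzeug version.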
@@ -31,7 +33,9 @@ def test_flask_skip_validation(client, response_format: str):
 def test_flask_return_model(client):
- client.set_cookie(key="pub", value="abcdefg")
+ client.set_cookie(
+ key="pub", value="abcdefg", secure=True, httponly=True, samesite="Strict"
+ )
 resp = client.post(
 "/api/user_model/flask?order=1",
@@ -134,7 +138,9 @@ def test_flask_validate_basic(client):
 ],
 )
 def test_flask_validate_post_data(client, fragment):
- client.set_cookie(key="pub", value="abcdefg")
+ client.set_cookie(
+ key="pub", value="abcdefg", secure=True, httponly=True, samesite="Strict"
+ )
 resp = client.post(
 f"/api/{fragment}/flask?order=1",
 json=dict(name="flask", limit=10),
diff --git a/tests/quart_imports/dry_plugin_quart.py b/tests/quart_imports/dry_plugin_quart.py
index d33ffd09..531aebdb 100644
--- a/tests/quart_imports/dry_plugin_quart.py
+++ b/tests/quart_imports/dry_plugin_quart.py
@@ -7,7 +7,9 @@
 @pytest.mark.parametrize("response_format", ["json", "xml"])
 def test_quart_skip_validation(client, response_format: str):
- client.set_cookie("quart", "pub", "abcdefg")
+ client.set_cookie(
+ "quart", "pub", "abcdefg", secure=True, httponly=True, samesite="Strict"
+ )
 resp = asyncio.run(
 client.post(
@@ -32,7 +34,9 @@ def test_quart_skip_validation(client, response_format: str):
 def test_quart_return_model(client):
- client.set_cookie("quart", "pub", "abcdefg")
+ client.set_cookie(
+ "quart", "pub", "abcdefg", secure=True, httponly=True, samesite="Strict"
+ )
 resp = asyncio.run(
 client.post(
@@ -129,7 +133,9 @@ def test_quart_validate(client):
 assert resp.status_code == 422
 assert resp.headers.get("X-Error") == "Validation Error"
- client.set_cookie("quart", "pub", "abcdefg")
+ client.set_cookie(
+ "quart", "pub", "abcdefg", secure=True, httponly=True, samesite="Strict"
+ )
 for fragment in ("user", "user_annotated"):
 resp = asyncio.run(
 client.post(
diff --git a/tests/test_config.py b/tests/test_config.py
index bc1f4e8e..7389b711 100644
--- a/tests/test_config.py
+++ b/tests/test_config.py
@@ -40,7 +40,7 @@ def test_config_contact():
 Configuration(contact={"name": "John", "url": "url"})
-@pytest.mark.skipif(EmailFieldType == str, reason="email-validator is not installled")
+@pytest.mark.skipif(EmailFieldType is str, reason="email-validator is not installled")
 def test_config_contact_invalid_email():
 with pytest.raises(ValidationError):
 Configuration(contact={"name": "John", "email": "hello"})
diff --git a/tests/test_response.py b/tests/test_response.py
index 1eca99ea..5eca065f 100644
--- a/tests/test_response.py
+++ b/tests/test_response.py
@@ -43,7 +43,7 @@ def test_init_response():
 expect_400_model = gen_list_model(JSON)
 assert resp.has_model()
 assert resp.find_model(200) is None
- assert type(resp.find_model(400)) == type(expect_400_model) and get_type_hints(
+ assert type(resp.find_model(400)) is type(expect_400_model) and get_type_hints(
 resp.find_model(400)
 ) == get_type_hints(expect_400_model)
 assert resp.find_model(401) == DemoModel
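Review bot: The rewritten `skipif` line keeps the typo in its reason string, `"email-validator is not installled"`; since the line is being touched anyway, `reason="email-validator is not installed"` costs nothing. The new `EmailFieldType is str` also presumes that the fallback alias used when email-validator is absent is exactly the builtin `str` and not a subclass or a constrained type; that is defined outside this hunk, so a one-line comment above the decorator stating the assumption, `# EmailFieldType falls back to plain str when email-validator is missing`, would make the skip condition self-explaining.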
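Review bot: The identity check on the new `assert` line compares `type()` of two objects that, judging by `gen_list_model(JSON)` and `find_model(400)`, are presumably model classes; `type()` of a class is its metaclass, so the check would hold for any two models of the same framework and pins very little. If the intent is that the 400 entry is structurally the generated list model, the `get_type_hints` comparison already covers that and the `type(...) is type(...)` clause could be dropped, or replaced by an explicit check against the expected base class. This is inferred from the names only, since both helpers are defined outside the hunk.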