decidim-cdtb 0.5.5 → 0.5.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 47f434b218d1fb88fbf6a390e15eca202aa3e667c4d4736a21e559809045a4c2
-  data.tar.gz: d9f75458764ad9876bd895fdf2b5bb3c921026ae25ce2b0fa2eeeb72bfbbc146
+  metadata.gz: 303e4725f5b7dde9f45b5bb2c866d3cbdb118ef35f81effbd47b58767a0c1657
+  data.tar.gz: b95307923329f47530efe27d6cb77f8b9009e6a5ce70b575771116ef87e4a195
 SHA512:
-  metadata.gz: 07f9b4824276022f7f5f6b971317209865e63e80ecc43131b40d54580075afae4cdfce1c0de1f93137595f89a34c150d9945371fc2f034cf14acd89c0c89e90a
-  data.tar.gz: adf5a07bfcb857aa18f602537e67fd5c3376352452550e69d32aa5014ce65f1b6c631b128fdf989913b950a7dca8beb3193cc68d69aad5aaa2093539846b09c1
+  metadata.gz: fb14724b3a4cf851bddeebb2404bd2473b740feda827ffb9a1ac15a2b3abe9826211b06aa95bcdede13b52d7fb12d542eaf4deac6c13143c044562dc259b4e11
+  data.tar.gz: 38da29e0a9190ae671923376168c4f45719fc3c8feb5ecf306a420485222d26da217ddfd63712eb6363bb12c22fd8a39e1cf199c64d63f1ca032f04e12992f75

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 ## [Unreleased]
 
-## [0.5.5] - 2025-08-03 (patch - Esqueletic pero frenetic)
+## [0.5.6] - 2025-08-11 (minor - Escola de monstres, gràcies!)
+
+- Wrap RackAttack IP related parsing into IpParser.
+- Allow to extend Rack::Request.ip_filter regex used internally by Rack::Request.trusted_proxy?(ip).
+
+## [0.5.5] - 2025-08-03 (patch - Esquelètic pero frenètic)
 
 - Fix params in Users::Remover task
 

data/Gemfile.lock

@@ -141,7 +141,7 @@ GIT
 PATH
   remote: .
   specs:
-    decidim-cdtb (0.5.5)
+    decidim-cdtb (0.5.6)
       decidim (>= 0.28.0)
       rails (>= 6)
       ruby-progressbar

data/README.md

@@ -67,6 +67,18 @@ Fixes YouTube embeds to Decidim v0.28 format in different places, which at the m
 bin/rake cdtb:embeds:fix_youtube
 ```
 
+### Logging
+
+#### IP logging
+
+See `config/initializers/ip_filtering.rb` to learn how to add conditions to `Rack::Request.trusted_proxy?(ip)`.
+
+Example, to add your 10.2.0.4 proxy as a trusted proxy define the following ENV var:
+
+```
+# don't forget the OR at the beginnig
+RACK_RQ_IP_FILTER_EXT="|\A10\.2\.0\.4\Z"
+```
 
 ### Migrate ActiveStorage service from S3 to local
 

data/config/initializers/cdtb_rack_attack.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require "cdtb/ip_parser"
+
+unless ENV["CDTB_RACK_ATTACK_DISABLED"].to_i.positive? || %w[development test].include?(Rails.env)
+  require "rack/attack"
+  Cdtb::IpParser.decorate_rack_request
+
+  limit= ENV.fetch("RACK_ATTACK_THROTTLE_LIMIT", 30)
+  period= ENV.fetch("RACK_ATTACK_THROTTLE_PERIOD", 60)
+  Rails.logger.info("Configuring Rack::Attack.throttle with limit for requests by ip: #{limit}, period: #{period}")
+  Rack::Attack.throttle("cdtb:requests by ip", limit: limit.to_i, period: period.to_i) do |request|
+    # ignore requests to assets
+    next if request.path.start_with?("/rails/active_storage")
+
+    Cdtb::IpParser.extract_ip(request)
+  end
+
+  if ENV.key?("RACK_ATTACK_THROTTLE_RANGE_LIMIT") && ENV["RACK_ATTACK_THROTTLE_RANGE_LIMIT"].to_i.positive?
+    limit= ENV.fetch("RACK_ATTACK_THROTTLE_RANGE_LIMIT", 30)
+    period= ENV.fetch("RACK_ATTACK_THROTTLE_RANGE_PERIOD", 60)
+    Rails.logger.info("Configuring Rack::Attack.throttle with limit for IP Ranges: #{limit}, period: #{period}")
+    Rack::Attack.throttle("cdtb:requests by ip range", limit: limit.to_i, period: period.to_i) do |request|
+      # ignore requests to assets
+      next if request.path.start_with?("/rails/active_storage")
+
+      ip= Cdtb::IpParser.extract_ip(request)
+      # rubocop: disable Lint/UselessAssignment
+      range_32bit= ip.split(".")[0, 2]
+      # rubocop: enable Lint/UselessAssignment
+    end
+  end
+
+  Rack::Attack.blocklist("cdtb:block all /.well-known/traffic-advice") do |request|
+    request.path.start_with?("/.well-known/traffic-advice")
+  end
+
+  Rack::Attack.blocklist("cdtb:block all PHP RQs") do |request|
+    request.path.end_with?("*.php")
+  end
+
+  if ENV["RACK_ATTACK_BLOCKED_IPS"].present?
+    blocked_ips_and_subnets= ENV["RACK_ATTACK_BLOCKED_IPS"].split(",")
+    Rack::Attack.blocklist("cdtb:block all unaccepted IPs") do |request|
+      ip= Cdtb::IpParser.extract_ip(request)
+      blocked_ips_and_subnets.any? { |ip_or_subnet| ip.start_with?(ip_or_subnet) }
+    end
+  end
+end

data/config/initializers/ip_filtering.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+# Used internally by Rack::Request.trusted_proxy?(ip)
+if ENV.key?("RACK_RQ_IP_FILTER_EXT") && ENV["RACK_RQ_IP_FILTER_EXT"].present?
+  ORIGINAL_REGEX= /\A127\.0\.0\.1\Z|\A(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.|\A::1\Z|\Afd[0-9a-f]{2}:.+|\Alocalhost\Z|\Aunix\Z|\Aunix:/i
+  Rack::Request.ip_filter = lambda do |ip|
+    regex_str= ORIGINAL_REGEX.to_s
+    regex_str << ENV.fetch("RACK_RQ_IP_FILTER_EXT", nil)
+    /#{regex_str}/i.match?(ip)
+  end
+end

data/lib/cdtb/ip_parser.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Cdtb
+  # Parses IPs from Rack::Request objects, discarding the port.
+  module IpParser
+    def self.decorate_rack_request
+      Rack::Request.class_eval do
+        include Cdtb::IpParser
+
+        alias_method :original_ip_method, :ip
+
+        def ip
+          extract_ip(self)
+        end
+      end
+    end
+
+    def self.extract_ip(request)
+      # Take the IP either from the remote addr or from the forwarded for header
+      # If Rack::Request is decorated use the original method.
+      ip= defined?(request.original_ip_method) ? request.original_ip_method : request.ip
+      Rails.logger.info { ">>>>>>>>>>>>>>>>>>>> Request IP: #{ip}" }
+      Rails.logger.info { ">>>>>>>>>>>>>>>>>>>> X-Forwarded-For: #{request.get_header("HTTP_X_FORWARDED_FOR")}" }
+
+      num_colons= ip.scan(":").length
+      if [1, 6].include?(num_colons)
+        # is an IP (v4 or v6) with port
+        ip.rpartition(":").first
+      else
+        # standard inet4 or inet6 IP without port
+        ip
+      end
+    end
+
+    def extract_ip(request)
+      ::Cdtb::IpParser.extract_ip(request)
+    end
+  end
+end

data/lib/decidim/cdtb/version.rb

@@ -2,7 +2,7 @@
 
 module Decidim
   module Cdtb
-    VERSION = "0.5.5"
+    VERSION = "0.5.6"
     DECIDIM_MIN_VERSION = ">= 0.28.0"
   end
 end

data/lib/tasks/participatory_spaces.rake

@@ -6,7 +6,7 @@ require "decidim/cdtb/tasks"
 namespace :cdtb do
   namespace :participatory_spaces do
     desc <<~EODESC
-      Add content blocks to a participatory processes
+      Add content blocks to participatory processes
     EODESC
     task :add_content_blocks, [:content_block_names] => :environment do |_task, args|
       unless Decidim.version >= "0.28"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: decidim-cdtb
 version: !ruby/object:Gem::Version
-  version: 0.5.5
+  version: 0.5.6
 platform: ruby
 authors:
 - Oliver Valls
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-08-06 00:00:00.000000000 Z
+date: 2026-05-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: decidim
@@ -86,8 +86,10 @@ files:
 - Rakefile
 - app/jobs/application_job.rb
 - app/jobs/cdtb/fix_nickname_job.rb
-- config/initializers/rack_attack.rb
+- config/initializers/cdtb_rack_attack.rb
+- config/initializers/ip_filtering.rb
 - decidim-cdtb.gemspec
+- lib/cdtb/ip_parser.rb
 - lib/decidim/cdtb.rb
 - lib/decidim/cdtb/engine.rb
 - lib/decidim/cdtb/fixes/nickname_fixer.rb

data/config/initializers/rack_attack.rb

@@ -1,51 +0,0 @@
-# frozen_string_literal: true
-
-unless ENV["CDTB_RACK_ATTACK_DISABLED"].to_i.positive? || %w[development test].include?(Rails.env)
-  require "rack/attack"
-
-  def extract_ip(request)
-    x_forwarded_for= request.get_header("HTTP_X_FORWARDED_FOR")
-    Rails.logger.info { ">>>>>>>>>>>>>>>>>>>> X-Forwarded-For: #{x_forwarded_for}" }
-    if x_forwarded_for.present?
-      x_forwarded_for.split(":").first
-
-    else
-      request.ip
-    end
-  end
-
-  limit= ENV.fetch("RACK_ATTACK_THROTTLE_LIMIT", 30)
-  period= ENV.fetch("RACK_ATTACK_THROTTLE_PERIOD", 60)
-  Rails.logger.info("Configuring Rack::Attack.throttle with limit: #{limit}, period: #{period}")
-  Rack::Attack.throttle("cdtb: requests by ip", limit: limit.to_i, period: period.to_i) do |request|
-    # ignore requests to assets
-    next if request.path.start_with?("/rails/active_storage")
-
-    extract_ip(request)
-  end
-
-  limit= ENV.fetch("RACK_ATTACK_THROTTLE_RANGE_LIMIT", 30)
-  period= ENV.fetch("RACK_ATTACK_THROTTLE_RANGE_PERIOD", 60)
-  Rails.logger.info("Configuring Rack::Attack.throttle with limits for IP Ranges: #{limit}, period: #{period}")
-  Rack::Attack.throttle("cdtb: requests by ip range", limit: limit.to_i, period: period.to_i) do |request|
-    # ignore requests to assets
-    next if request.path.start_with?("/rails/active_storage")
-
-    ip= extract_ip(request)
-    # rubocop: disable Lint/UselessAssignment
-    range_32bit= ip.split(".")[0, 2]
-    # rubocop: enable Lint/UselessAssignment
-  end
-
-  Rack::Attack.blocklist("cdtb: block all /.well-known/traffic-advice") do |request|
-    request.path.start_with?("/.well-known/traffic-advice")
-  end
-
-  if ENV["RACK_ATTACK_BLOCKED_IPS"].present?
-    blocked_ips_and_subnets= ENV["RACK_ATTACK_BLOCKED_IPS"].split(",")
-    Rack::Attack.blocklist("cdtb:block all unaccepted IPs") do |request|
-      ip= extract_ip(request)
-      blocked_ips_and_subnets.any? { |ip_or_subnet| ip.start_with?(ip_or_subnet) }
-    end
-  end
-end