rack-ai 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 70c4c59ceaa3a8fd55136f31d5935e0f701f83086a48c09f3ff7b8f012961d4b
-  data.tar.gz: a74d4964324bdec31e68fe9a9d73ce343091159817f8707a4cf99a871fe5ce03
+  metadata.gz: a73e35063e7e68e0af7c74603df68d971a2da7837b06d66c1721abc183929604
+  data.tar.gz: 9cca59b691a9a532944175d18c0b2b61e2c7d2e32c9a199b032180d7fbaea836
 SHA512:
-  metadata.gz: 5272d46f9facd1245c5e953033bc5e1c2994ab4b528efc1ae69b6fbed599c836159d34970110bac8c0044e0a6bd576c9976da9dbe2d81df3ab20d73ca9d4ff33
-  data.tar.gz: e67d23491fc329a4eb251f33f22c7c541cbde6af5298c29289914801f4793372f6384dc0912df026b605f2fb0f837659bc45a8c67e411046809418421be10be5
+  metadata.gz: ce2759602f6428f04102889998d096aa776a403f62c3751bc26c8a7ae47040e0f658e55823108135f930c34261339d9a40c9bd3d9341e6a7114ea2e7e2042d63
+  data.tar.gz: 9f77a8725714b6107fdf069f3b1fc1d4a1124cb37264ed45932929e4bcca221fee49dccbb053245571e664e60dee76761983fe763ded8606c3b6ec83f78dd50b

data/CHANGELOG.md

@@ -7,25 +7,29 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.4.0] - 2025-01-11
+
 ### Added
-- Rate limiting feature with configurable windows and thresholds
-- Anomaly detection with baseline learning and risk scoring
-- Enhanced logging system with JSON/structured output formats
-- Comprehensive example application demonstrating all features
-- Advanced error handling and edge case coverage
-- Performance optimizations and memory management
+- **New Security Scanner Feature**: Advanced security threat detection with pattern matching for SQL injection, XSS, path traversal, and command injection
+- **Rate Limiter Feature**: Built-in rate limiting with client identification, configurable windows, and penalty periods
+- **Enhanced Logger**: Improved logging system with proper method delegation and structured output
+- **Comprehensive Test Coverage**: Added complete test suites for new features with 96 passing tests
 
 ### Changed
-- Removed OStruct dependency to eliminate Ruby 3.5+ warnings
-- Improved configuration system with better validation
-- Enhanced middleware initialization and provider setup
-- Better test coverage and mocking strategies
+- **Improved Error Handling**: Enhanced configuration validation with safe method access patterns
+- **Better Code Quality**: Fixed potential null pointer exceptions in classification and moderation features
+- **Enhanced Security**: Added defensive programming patterns throughout the codebase
 
 ### Fixed
-- Configuration validation issues
-- Provider initialization edge cases
-- Test suite stability and reliability
-- Memory leaks in long-running applications
+- Logger method delegation issues - now properly uses structured logging
+- Configuration access safety in classification feature routing checks
+- Moderation feature configuration validation for toxicity thresholds
+- Syntax errors in security scanner regex patterns
+
+### Security
+- Advanced threat detection patterns for multiple attack vectors
+- Improved rate limiting with client fingerprinting
+- Enhanced input validation and sanitization
 
 ## [0.3.0] - 2024-01-16
 

data/lib/rack/ai/features/classification.rb

@@ -48,9 +48,9 @@ module Rack
           when :spam
             :block
           when :suspicious
-            @config.routing.smart_routing_enabled ? :route : :allow
+            smart_routing_enabled? ? :route : :allow
           when :bot
-            @config.routing.smart_routing_enabled ? :route : :allow
+            smart_routing_enabled? ? :route : :allow
           when :human
             :allow
           else
@@ -58,6 +58,12 @@ module Rack
           end
         end
 
+        def smart_routing_enabled?
+          @config.respond_to?(:routing) && 
+            @config.routing.respond_to?(:smart_routing_enabled) && 
+            @config.routing.smart_routing_enabled
+        end
+
         def generate_request_id(env)
           "#{Time.now.to_i}-#{env.object_id}"
         end

data/lib/rack/ai/features/moderation.rb

@@ -17,7 +17,9 @@ module Rack
         end
 
         def process_response?
-          @config.moderation.check_response
+          @config.respond_to?(:moderation) && 
+            @config.moderation.respond_to?(:check_response) && 
+            @config.moderation.check_response
         end
 
         def process_request(env)
@@ -27,11 +29,11 @@ module Rack
           result = @provider.moderate_content(content.join(" "))
           
           # Apply toxicity threshold
-          threshold = @config.moderation.toxicity_threshold
+          threshold = get_toxicity_threshold
           max_score = result[:category_scores]&.values&.max || 0.0
           
           result[:action] = if result[:flagged] && max_score > threshold
-                             @config.moderation.block_on_violation ? :block : :flag
+                             should_block_on_violation? ? :block : :flag
                            else
                              :allow
                            end
@@ -87,6 +89,18 @@ module Rack
           content.compact.reject(&:empty?)
         end
 
+        def get_toxicity_threshold
+          return 0.7 unless @config.respond_to?(:moderation)
+          return 0.7 unless @config.moderation.respond_to?(:toxicity_threshold)
+          @config.moderation.toxicity_threshold
+        end
+
+        def should_block_on_violation?
+          return true unless @config.respond_to?(:moderation)
+          return true unless @config.moderation.respond_to?(:block_on_violation)
+          @config.moderation.block_on_violation
+        end
+
         def extract_content_from_response(body)
           return "" unless body.respond_to?(:each)
           

data/lib/rack/ai/features/rate_limiter.rb

@@ -0,0 +1,145 @@
+# frozen_string_literal: true
+
+require 'digest'
+
+module Rack
+  module AI
+    module Features
+      class RateLimiter
+        attr_reader :name, :config
+
+        def initialize(config)
+          @name = :rate_limiter
+          @config = config
+          @cache = {}
+          @cleanup_interval = 300 # 5 minutes
+          @last_cleanup = Time.now
+        end
+
+        def enabled?
+          @config.feature_enabled?(:rate_limiter)
+        end
+
+        def process_response?
+          false
+        end
+
+        def process_request(env)
+          return { processed: false, reason: "disabled" } unless enabled?
+
+          client_id = extract_client_id(env)
+          current_time = Time.now
+          
+          cleanup_expired_entries if should_cleanup?
+          
+          # Get or initialize client data
+          client_data = @cache[client_id] ||= {
+            requests: [],
+            blocked_until: nil
+          }
+
+          # Check if client is currently blocked
+          if client_data[:blocked_until] && current_time < client_data[:blocked_until]
+            return {
+              processed: true,
+              action: :block,
+              reason: "rate_limited",
+              blocked_until: client_data[:blocked_until],
+              feature: @name,
+              timestamp: current_time.iso8601
+            }
+          end
+
+          # Clean old requests
+          window_start = current_time - rate_limit_window
+          client_data[:requests].reject! { |req_time| req_time < window_start }
+
+          # Check rate limit
+          if client_data[:requests].size >= max_requests_per_window
+            # Block client for penalty duration
+            client_data[:blocked_until] = current_time + penalty_duration
+            
+            return {
+              processed: true,
+              action: :block,
+              reason: "rate_limit_exceeded",
+              requests_count: client_data[:requests].size,
+              blocked_until: client_data[:blocked_until],
+              feature: @name,
+              timestamp: current_time.iso8601
+            }
+          end
+
+          # Record this request
+          client_data[:requests] << current_time
+
+          {
+            processed: true,
+            action: :allow,
+            requests_count: client_data[:requests].size,
+            remaining_requests: max_requests_per_window - client_data[:requests].size,
+            feature: @name,
+            timestamp: current_time.iso8601
+          }
+        end
+
+        private
+
+        def extract_client_id(env)
+          # Try multiple identification methods
+          client_ip = env['HTTP_X_FORWARDED_FOR']&.split(',')&.first&.strip ||
+                     env['HTTP_X_REAL_IP'] ||
+                     env['REMOTE_ADDR'] ||
+                     'unknown'
+          
+          user_agent = env['HTTP_USER_AGENT'] || 'unknown'
+          
+          # Create a hash of IP + User Agent for better identification
+          Digest::SHA256.hexdigest("#{client_ip}:#{user_agent}")[0..16]
+        end
+
+        def rate_limit_window
+          get_config_value(:rate_limit_window, 60) # 1 minute default
+        end
+
+        def max_requests_per_window
+          get_config_value(:max_requests_per_window, 100) # 100 requests per minute default
+        end
+
+        def penalty_duration
+          get_config_value(:penalty_duration, 300) # 5 minutes default
+        end
+
+        def get_config_value(key, default)
+          return default unless @config.respond_to?(:rate_limiter)
+          return default unless @config.rate_limiter.respond_to?(key)
+          @config.rate_limiter.public_send(key)
+        end
+
+        def should_cleanup?
+          Time.now - @last_cleanup > @cleanup_interval
+        end
+
+        def cleanup_expired_entries
+          current_time = Time.now
+          window_start = current_time - rate_limit_window
+          
+          @cache.each do |client_id, data|
+            # Remove expired requests
+            data[:requests].reject! { |req_time| req_time < window_start }
+            
+            # Remove expired blocks
+            data[:blocked_until] = nil if data[:blocked_until] && current_time >= data[:blocked_until]
+            
+            # Remove empty entries
+            if data[:requests].empty? && data[:blocked_until].nil?
+              @cache.delete(client_id)
+            end
+          end
+          
+          @last_cleanup = current_time
+        end
+      end
+    end
+  end
+end

data/lib/rack/ai/features/security_scanner.rb

@@ -0,0 +1,326 @@
+# frozen_string_literal: true
+
+module Rack
+  module AI
+    module Features
+      class SecurityScanner
+        attr_reader :name, :config
+
+        def initialize(config)
+          @name = :security_scanner
+          @config = config
+        end
+
+        def enabled?
+          @config.feature_enabled?(:security_scanner)
+        end
+
+        def process_response?
+          false
+        end
+
+        def process_request(env)
+          return { processed: false, reason: "disabled" } unless enabled?
+
+          threats = []
+          risk_score = 0.0
+
+          # Check for various security threats
+          threats.concat(check_sql_injection(env))
+          threats.concat(check_xss_attempts(env))
+          threats.concat(check_path_traversal(env))
+          threats.concat(check_command_injection(env))
+          threats.concat(check_suspicious_headers(env))
+          threats.concat(check_malicious_user_agents(env))
+
+          # Calculate overall risk score
+          risk_score = calculate_risk_score(threats)
+          threat_level = determine_threat_level(risk_score)
+
+          {
+            processed: true,
+            action: determine_action(threat_level),
+            threats: threats,
+            risk_score: risk_score,
+            threat_level: threat_level,
+            feature: @name,
+            timestamp: Time.now.iso8601
+          }
+        end
+
+        private
+
+        def check_sql_injection(env)
+          threats = []
+          patterns = [
+            /union\s+select/i,
+            /drop\s+table/i,
+            /insert\s+into/i,
+            /delete\s+from/i,
+            /update\s+.*set/i,
+            /exec\s*\(/i,
+            /script\s*>/i,
+            /'.*or.*'.*='/i,
+            /1=1/i,
+            /admin'--/i
+          ]
+
+          check_patterns_in_request(env, patterns, 'sql_injection').each do |threat|
+            threats << threat
+          end
+
+          threats
+        end
+
+        def check_xss_attempts(env)
+          threats = []
+          patterns = [
+            /<script[^>]*>.*?<\/script>/i,
+            /javascript:/i,
+            /on\w+\s*=/i,
+            /<iframe[^>]*>/i,
+            /<object[^>]*>/i,
+            /<embed[^>]*>/i,
+            /eval\s*\(/i,
+            /alert\s*\(/i,
+            /document\.cookie/i
+          ]
+
+          check_patterns_in_request(env, patterns, 'xss_attempt').each do |threat|
+            threats << threat
+          end
+
+          threats
+        end
+
+        def check_path_traversal(env)
+          threats = []
+          patterns = [
+            /\.\.\//,
+            /\.\.\\/,
+            /%2e%2e%2f/i,
+            /%2e%2e%5c/i,
+            /etc\/passwd/i,
+            /windows\/system32/i
+          ]
+
+          check_patterns_in_request(env, patterns, 'path_traversal').each do |threat|
+            threats << threat
+          end
+
+          threats
+        end
+
+        def check_command_injection(env)
+          threats = []
+          patterns = [
+            /;\s*cat\s+/i,
+            /;\s*ls\s+/i,
+            /;\s*rm\s+/i,
+            /;\s*wget\s+/i,
+            /;\s*curl\s+/i,
+            /\|\s*nc\s+/i,
+            /&&\s*whoami/i,
+            /`.*`/,
+            /\$\(.*\)/
+          ]
+
+          check_patterns_in_request(env, patterns, 'command_injection').each do |threat|
+            threats << threat
+          end
+
+          threats
+        end
+
+        def check_suspicious_headers(env)
+          threats = []
+          
+          # Check for suspicious User-Agent patterns
+          user_agent = env['HTTP_USER_AGENT']
+          if user_agent
+            suspicious_agents = [
+              /sqlmap/i,
+              /nikto/i,
+              /nessus/i,
+              /burp/i,
+              /w3af/i,
+              /acunetix/i,
+              /netsparker/i
+            ]
+
+            suspicious_agents.each do |pattern|
+              if user_agent.match?(pattern)
+                threats << {
+                  type: 'suspicious_user_agent',
+                  pattern: pattern.source,
+                  value: user_agent,
+                  severity: 'high'
+                }
+              end
+            end
+          end
+
+          # Check for suspicious headers
+          suspicious_headers = %w[
+            HTTP_X_FORWARDED_HOST
+            HTTP_X_ORIGINAL_URL
+            HTTP_X_REWRITE_URL
+          ]
+
+          suspicious_headers.each do |header|
+            if env[header] && env[header].include?('..')
+              threats << {
+                type: 'suspicious_header',
+                header: header,
+                value: env[header],
+                severity: 'medium'
+              }
+            end
+          end
+
+          threats
+        end
+
+        def check_malicious_user_agents(env)
+          threats = []
+          user_agent = env['HTTP_USER_AGENT']
+          return threats unless user_agent
+
+          # Check for bot patterns that might be malicious
+          malicious_patterns = [
+            /python-requests/i,
+            /curl/i,
+            /wget/i,
+            /libwww/i,
+            /lwp-trivial/i,
+            /^$/  # Empty user agent
+          ]
+
+          malicious_patterns.each do |pattern|
+            if user_agent.match?(pattern)
+              threats << {
+                type: 'potentially_malicious_bot',
+                pattern: pattern.source,
+                value: user_agent,
+                severity: 'low'
+              }
+            end
+          end
+
+          threats
+        end
+
+        def check_patterns_in_request(env, patterns, threat_type)
+          threats = []
+          
+          # Check query string
+          if env['QUERY_STRING']
+            patterns.each do |pattern|
+              if env['QUERY_STRING'].match?(pattern)
+                threats << {
+                  type: threat_type,
+                  location: 'query_string',
+                  pattern: pattern.source,
+                  value: env['QUERY_STRING'],
+                  severity: 'high'
+                }
+              end
+            end
+          end
+
+          # Check POST data
+          if %w[POST PUT PATCH].include?(env['REQUEST_METHOD']) && env['rack.input']
+            begin
+              body = env['rack.input'].read
+              env['rack.input'].rewind if env['rack.input'].respond_to?(:rewind)
+              
+              patterns.each do |pattern|
+                if body.match?(pattern)
+                  threats << {
+                    type: threat_type,
+                    location: 'request_body',
+                    pattern: pattern.source,
+                    value: body[0..200], # Truncate for logging
+                    severity: 'high'
+                  }
+                end
+              end
+            rescue => e
+              # Log error but don't fail
+              Utils::Logger.warn("Error reading request body for security scan", { error: e.message })
+            end
+          end
+
+          # Check headers
+          env.each do |key, value|
+            next unless key.start_with?('HTTP_')
+            next unless value.is_a?(String)
+
+            patterns.each do |pattern|
+              if value.match?(pattern)
+                threats << {
+                  type: threat_type,
+                  location: 'headers',
+                  header: key,
+                  pattern: pattern.source,
+                  value: value,
+                  severity: 'medium'
+                }
+              end
+            end
+          end
+
+          threats
+        end
+
+        def calculate_risk_score(threats)
+          return 0.0 if threats.empty?
+
+          score = 0.0
+          threats.each do |threat|
+            case threat[:severity]
+            when 'high'
+              score += 0.4
+            when 'medium'
+              score += 0.2
+            when 'low'
+              score += 0.1
+            end
+          end
+
+          [score, 1.0].min # Cap at 1.0
+        end
+
+        def determine_threat_level(risk_score)
+          case risk_score
+          when 0.0...0.2
+            :low
+          when 0.2...0.5
+            :medium
+          when 0.5...0.8
+            :high
+          else
+            :critical
+          end
+        end
+
+        def determine_action(threat_level)
+          case threat_level
+          when :critical, :high
+            :block
+          when :medium
+            get_config_value(:medium_threat_action, :flag)
+          else
+            :allow
+          end
+        end
+
+        def get_config_value(key, default)
+          return default unless @config.respond_to?(:security_scanner)
+          return default unless @config.security_scanner.respond_to?(key)
+          @config.security_scanner.public_send(key)
+        end
+      end
+    end
+  end
+end

data/lib/rack/ai/utils/logger.rb

@@ -13,23 +13,24 @@ module Rack
           end
 
           def debug(message, metadata = {})
-            puts "[DEBUG] #{message} #{metadata}" if ENV['RACK_AI_DEBUG']
+            return unless ENV['RACK_AI_DEBUG']
+            log(:debug, message, metadata)
           end
 
           def info(message, metadata = {})
-            puts "[INFO] #{message} #{metadata}"
+            log(:info, message, metadata)
           end
 
           def warn(message, metadata = {})
-            puts "[WARN] #{message} #{metadata}"
+            log(:warn, message, metadata)
           end
 
           def error(message, metadata = {})
-            puts "[ERROR] #{message} #{metadata}"
+            log(:error, message, metadata)
           end
 
           def fatal(message, metadata = {})
-            puts "[FATAL] #{message} #{metadata}"
+            log(:fatal, message, metadata)
           end
 
           private

data/lib/rack/ai/version.rb

@@ -2,6 +2,6 @@
 
 module Rack
   module AI
-    VERSION = "0.3.0"
+    VERSION = "0.4.0"
   end
 end

data/lib/rack/ai.rb

@@ -16,6 +16,8 @@ require_relative "ai/features/logging"
 require_relative "ai/features/enhancement"
 require_relative "ai/features/rate_limiting"
 require_relative "ai/features/anomaly_detection"
+require_relative "ai/features/rate_limiter"
+require_relative "ai/features/security_scanner"
 require_relative "ai/utils/logger"
 require_relative "ai/utils/metrics"
 require_relative "ai/utils/sanitizer"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-ai
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Ahmet KAHRAMAN
@@ -254,9 +254,11 @@ files:
 - lib/rack/ai/features/enhancement.rb
 - lib/rack/ai/features/logging.rb
 - lib/rack/ai/features/moderation.rb
+- lib/rack/ai/features/rate_limiter.rb
 - lib/rack/ai/features/rate_limiting.rb
 - lib/rack/ai/features/routing.rb
 - lib/rack/ai/features/security.rb
+- lib/rack/ai/features/security_scanner.rb
 - lib/rack/ai/middleware.rb
 - lib/rack/ai/providers/base.rb
 - lib/rack/ai/providers/huggingface.rb