RubyGems - rack-attack - Versions diffs - 2.2.1 → 2.3.0 - Mend

rack-attack 2.2.1 → 2.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of rack-attack might be problematic. Click here for more details.

Files changed (11) hide show

checksums.yaml +7 -0
data/README.md +44 -10
data/lib/rack/attack.rb +1 -0
data/lib/rack/attack/allow2ban.rb +23 -0
data/lib/rack/attack/fail2ban.rb +10 -5
data/lib/rack/attack/throttle.rb +3 -3
data/lib/rack/attack/version.rb +1 -1
data/spec/allow2ban_spec.rb +121 -0
data/spec/rack_attack_throttle_spec.rb +21 -1
data/spec/spec_helper.rb +1 -1
metadata +56 -31

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: b294cc1911f079c5df74d5325e01fabd2a207498
+  data.tar.gz: 99306d1db94cfeab978bef7573e1455c0e2cc428
+SHA512:
+  metadata.gz: 12a543ddffa7cc24893c3ee302071738e8f9e39fe063e9b6610492c41d03ba5179c43bffe50ff182e880fd936a1d970ab9f6a0d6c536c2db77e89b555dd253d2
+  data.tar.gz: b439faf86fd536d941327aa03c0d4e2d344a527857f120e09e0ab0bdec9fbbcef686d716da9c56867d4ca277c20edf7d8313c6c79d7f01c4e09ff0d929092a7a

data/README.md CHANGED

@@ -4,7 +4,14 @@
 Rack::Attack is a rack middleware to protect your web app from bad clients.
 It allows *whitelisting*, *blacklisting*, *throttling*, and *tracking* based on arbitrary properties of the request.
-Throttle state is stored in a configurable cache (e.g. `Rails.cache`), presumably backed by memcached or redis (at least v3.0.0).
+Throttle state is stored in a configurable cache (e.g. `Rails.cache`), presumably backed by memcached or redis ([at least gem v3.0.0](https://rubygems.org/gems/redis)).
+See the [Backing & Hacking blog post](http://www.kickstarter.com/backing-and-hacking/rack-attack-protection-from-abusive-clients) introducing Rack::Attack.
+[![Gem Version](https://badge.fury.io/rb/rack-attack.png)](http://badge.fury.io/rb/rack-attack)
+[![Build Status](https://travis-ci.org/kickstarter/rack-attack.png?branch=master)](https://travis-ci.org/kickstarter/rack-attack)
+[![Code Climate](https://codeclimate.com/github/kickstarter/rack-attack.png)](https://codeclimate.com/github/kickstarter/rack-attack)
 ## Installation
@@ -15,7 +22,7 @@ Install the [rack-attack](http://rubygems.org/gems/rack-attack) gem; or add it t
     gem 'rack-attack'
 ```
 Tell your app to use the Rack::Attack middleware.
-For Rails 3 apps:
+For Rails 3+ apps:
 ```ruby
     # In config/application.rb
@@ -43,7 +50,7 @@ The Rack::Attack middleware compares each request against *whitelists*, *blackli
  * If the request matches any **whitelist**, it is allowed.
  * Otherwise, if the request matches any **blacklist**, it is blocked.
- * Otherwise, if the request matches any **throttle**, a counter is incremented in the Rack::Attack.cache. If the throttle limit is exceeded, the request is blocked.
+ * Otherwise, if the request matches any **throttle**, a counter is incremented in the Rack::Attack.cache. If any throttle's limit is exceeded, the request is blocked.
  * Otherwise, all **tracks** are checked, and the request is allowed.
 The algorithm is actually more concise in code: See [Rack::Attack.call](https://github.com/kickstarter/rack-attack/blob/master/lib/rack/attack.rb):
@@ -71,7 +78,7 @@ The algorithm is actually more concise in code: See [Rack::Attack.call](https://
 ## Usage
-Define whitelists, blacklists, throttles, and tracks as blocks that return truthy values if matched, falsy otherwise. In a Rails app
+Define whitelists, blacklists, throttles, and tracks as blocks that return truthy values if matched, falsy otherwise. In a Rails app
 these go in an initializer in `config/initializers/`.
 A [Rack::Request](http://rack.rubyforge.org/doc/classes/Rack/Request.html) object is passed to the block (named 'req' in the examples).
@@ -121,6 +128,24 @@ how the parameters work.
     end
 ```
+#### Allow2Ban
+`Allow2Ban.filter` works the same way as the `Fail2Ban.filter` except that it *allows* requests from misbehaving
+clients until such time as they reach maxretry at which they are cut off as per normal.
+```ruby
+    # Lockout IP addresses that are hammering your login page.
+    # After 20 requests in 1 minute, block all requests from that IP for 1 hour.
+    Rack::Attack.blacklist('allow2ban login scrapers') do |req|
+      # `filter` returns false value if request is to your login page (but still
+      # increments the count) so request below the limit are not blocked until
+      # they hit the limit.  At that point, filter will return true and block.
+      Rack::Attack::Allow2Ban.filter(req.ip, :maxretry => 20, :findtime => 1.minute, :bantime => 1.hour) do
+        # The count for the IP is incremented if the return value is truthy.
+        req.path = '/login' and req.method == 'post'
+      end
+    end
+```
 ### Throttles
 ```ruby
@@ -140,6 +165,13 @@ how the parameters work.
     Rack::Attack.throttle('logins/email', :limit => 6, :period => 60.seconds) do |req|
       req.params['email'] if req.path == '/login' && req.post?
     end
+    # You can also set a limit using a proc instead of a number. For
+    # instance, after Rack::Auth::Basic has authenticated the user:
+    limit_based_on_proc = proc {|req| req.env["REMOTE_USER"] == "admin" ? 100 : 1}
+    Rack::Attack.throttle('req/ip', :limit => limit_based_on_proc, :period => 1.second) do |req|
+      req.ip
+    end
 ```
 ### Tracks
@@ -204,9 +236,9 @@ You can subscribe to 'rack.attack' events and log it, graph it, etc:
 ## Testing
-A note on developing and testing apps using Rack::Attack - if you are using throttling in particular, you will
-need to enable the cache in your development environment. See [Caching with Rails](http://guides.rubyonrails.org/caching_with_rails.html)
-for more on how to do this.
+A note on developing and testing apps using Rack::Attack - if you are using throttling in particular, you will
+need to enable the cache in your development environment. See [Caching with Rails](http://guides.rubyonrails.org/caching_with_rails.html)
+for more on how to do this.
 ## Performance
@@ -230,10 +262,12 @@ It is impractical if not impossible to block abusive clients completely.
 Rack::Attack aims to let developers quickly mitigate abusive requests and rely
 less on short-term, one-off hacks to block a particular attack.
-See also: the [Backing & Hacking blog post](http://www.kickstarter.com/backing-and-hacking/rack-attack-protection-from-abusive-clients) introducing Rack::Attack.
+## Mailing list
-[![Build Status](https://travis-ci.org/kickstarter/rack-attack.png?branch=master)](https://travis-ci.org/kickstarter/rack-attack)
-[![Code Climate](https://codeclimate.com/github/kickstarter/rack-attack.png)](https://codeclimate.com/github/kickstarter/rack-attack)
+New releases of Rack::Attack are announced on
+<rack.attack.announce@librelist.com>. To subscribe, just send an email to
+<rack.attack.announce@librelist.com>. See the
+[archives](http://librelist.com/browser/rack.attack.announce/).
 ## License

data/lib/rack/attack.rb CHANGED

@@ -8,6 +8,7 @@ module Rack::Attack
   autoload :Track,     'rack/attack/track'
   autoload :StoreProxy,'rack/attack/store_proxy'
   autoload :Fail2Ban,  'rack/attack/fail2ban'
+  autoload :Allow2Ban,  'rack/attack/allow2ban'
   class << self

data/lib/rack/attack/allow2ban.rb ADDED

@@ -0,0 +1,23 @@
+module Rack
+  module Attack
+    class Allow2Ban < Fail2Ban
+      class << self
+        protected
+        def key_prefix
+          'allow2ban'
+        end
+        # everything the same here except we return only return true
+        # (blocking the request) if they have tripped the limit.
+        def fail!(discriminator, bantime, findtime, maxretry)
+          count = cache.count("#{key_prefix}:count:#{discriminator}", findtime)
+          if count >= maxretry
+            ban!(discriminator, bantime)
+          end
+          # we may not block them this time, but they're banned for next time
+          false
+        end
+      end
+    end
+  end
+end

data/lib/rack/attack/fail2ban.rb CHANGED

@@ -15,23 +15,28 @@ module Rack
           end
         end
-        private
+        protected
+        def key_prefix
+          'fail2ban'
+        end
         def fail!(discriminator, bantime, findtime, maxretry)
-          count = cache.count("fail2ban:count:#{discriminator}", findtime)
+          count = cache.count("#{key_prefix}:count:#{discriminator}", findtime)
           if count >= maxretry
             ban!(discriminator, bantime)
           end
-          # Return true for blacklist
           true
         end
+        private
         def ban!(discriminator, bantime)
-          cache.write("fail2ban:ban:#{discriminator}", 1, bantime)
+          cache.write("#{key_prefix}:ban:#{discriminator}", 1, bantime)
         end
         def banned?(discriminator)
-          cache.read("fail2ban:ban:#{discriminator}")
+          cache.read("#{key_prefix}:ban:#{discriminator}")
         end
         def cache

data/lib/rack/attack/throttle.rb CHANGED

@@ -22,14 +22,15 @@ module Rack
         key = "#{name}:#{discriminator}"
         count = cache.count(key, period)
+        current_limit = limit.respond_to?(:call) ? limit.call(req) : limit
         data = {
           :count => count,
           :period => period,
-          :limit => limit
+          :limit => current_limit
         }
         (req.env['rack.attack.throttle_data'] ||= {})[name] = data
-        (count > limit).tap do |throttled|
+        (count > current_limit).tap do |throttled|
           if throttled
             req.env['rack.attack.matched']    = name
             req.env['rack.attack.match_type'] = :throttle
@@ -38,7 +39,6 @@ module Rack
           end
         end
       end
     end
   end
 end

data/lib/rack/attack/version.rb CHANGED

@@ -1,5 +1,5 @@
 module Rack
   module Attack
-    VERSION = '2.2.1'
+    VERSION = '2.3.0'
   end
 end

data/spec/allow2ban_spec.rb ADDED

@@ -0,0 +1,121 @@
+require_relative 'spec_helper'
+describe 'Rack::Attack.Allow2Ban' do
+  before do
+    # Use a long findtime; failures due to cache key rotation less likely
+    @cache = Rack::Attack.cache
+    @findtime = 60
+    @bantime  = 60
+    Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+    @f2b_options = {:bantime => @bantime, :findtime => @findtime, :maxretry => 2}
+    Rack::Attack.blacklist('pentest') do |req|
+      Rack::Attack::Allow2Ban.filter(req.ip, @f2b_options){req.query_string =~ /OMGHAX/}
+    end
+  end
+  describe 'discriminator has not been banned' do
+    describe 'making ok request' do
+      it 'succeeds' do
+        get '/', {}, 'REMOTE_ADDR' => '1.2.3.4'
+        last_response.status.must_equal 200
+      end
+    end
+    describe 'making qualifying request' do
+      describe 'when not at maxretry' do
+        before { get '/?foo=OMGHAX', {}, 'REMOTE_ADDR' => '1.2.3.4' }
+        it 'succeeds' do
+          last_response.status.must_equal 200
+        end
+        it 'increases fail count' do
+          key = "rack::attack:#{Time.now.to_i/@findtime}:allow2ban:count:1.2.3.4"
+          @cache.store.read(key).must_equal 1
+        end
+        it 'is not banned' do
+          key = "rack::attack:allow2ban:1.2.3.4"
+          @cache.store.read(key).must_be_nil
+        end
+      end
+      describe 'when at maxretry' do
+        before do
+          # maxretry is 2 - so hit with an extra failed request first
+          get '/?test=OMGHAX', {}, 'REMOTE_ADDR' => '1.2.3.4'
+          get '/?foo=OMGHAX', {}, 'REMOTE_ADDR' => '1.2.3.4'
+        end
+        it 'succeeds' do
+          last_response.status.must_equal 200
+        end
+        it 'increases fail count' do
+          key = "rack::attack:#{Time.now.to_i/@findtime}:allow2ban:count:1.2.3.4"
+          @cache.store.read(key).must_equal 2
+        end
+        it 'is banned' do
+          key = "rack::attack:allow2ban:ban:1.2.3.4"
+          @cache.store.read(key).must_equal 1
+        end
+      end
+    end
+  end
+  describe 'discriminator has been banned' do
+    before do
+      # maxretry is 2 - so hit enough times to get banned
+      get '/?test=OMGHAX', {}, 'REMOTE_ADDR' => '1.2.3.4'
+      get '/?foo=OMGHAX', {}, 'REMOTE_ADDR' => '1.2.3.4'
+    end
+    describe 'making request for other discriminator' do
+      it 'succeeds' do
+        get '/', {}, 'REMOTE_ADDR' => '2.2.3.4'
+        last_response.status.must_equal 200
+      end
+    end
+    describe 'making ok request' do
+      before do
+        get '/', {}, 'REMOTE_ADDR' => '1.2.3.4'
+      end
+      it 'fails' do
+        last_response.status.must_equal 401
+      end
+      it 'does not increase fail count' do
+        key = "rack::attack:#{Time.now.to_i/@findtime}:allow2ban:count:1.2.3.4"
+        @cache.store.read(key).must_equal 2
+      end
+      it 'is still banned' do
+        key = "rack::attack:allow2ban:ban:1.2.3.4"
+        @cache.store.read(key).must_equal 1
+      end
+    end
+    describe 'making failing request' do
+      before do
+        get '/?foo=OMGHAX', {}, 'REMOTE_ADDR' => '1.2.3.4'
+      end
+      it 'fails' do
+        last_response.status.must_equal 401
+      end
+      it 'does not increase fail count' do
+        key = "rack::attack:#{Time.now.to_i/@findtime}:allow2ban:count:1.2.3.4"
+        @cache.store.read(key).must_equal 2
+      end
+      it 'is still banned' do
+        key = "rack::attack:allow2ban:ban:1.2.3.4"
+        @cache.store.read(key).must_equal 1
+      end
+    end
+  end
+end

data/spec/rack_attack_throttle_spec.rb CHANGED

@@ -37,7 +37,27 @@ describe 'Rack::Attack.throttle' do
       last_response.headers['Retry-After'].must_equal @period.to_s
     end
   end
 end
+describe 'Rack::Attack.throttle with limit as proc' do
+  before do
+    @period = 60 # Use a long period; failures due to cache key rotation less likely
+    Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+    Rack::Attack.throttle('ip/sec', :limit => lambda {|req| 1}, :period => @period) { |req| req.ip }
+  end
+  allow_ok_requests
+  describe 'a single request' do
+    before { get '/', {}, 'REMOTE_ADDR' => '1.2.3.4' }
+    it 'should set the counter for one request' do
+      key = "rack::attack:#{Time.now.to_i/@period}:ip/sec:1.2.3.4"
+      Rack::Attack.cache.store.read(key).must_equal 1
+    end
+    it 'should populate throttle data' do
+      data = { :count => 1, :limit => 1, :period => @period }
+      last_request.env['rack.attack.throttle_data']['ip/sec'].must_equal data
+    end
+  end
+end

data/spec/spec_helper.rb CHANGED

@@ -13,7 +13,7 @@ rescue LoadError
  #nothing to do here
 end
-class Minitest::Spec
+class MiniTest::Spec
   include Rack::Test::Methods

metadata CHANGED

@@ -1,110 +1,134 @@
 --- !ruby/object:Gem::Specification
 name: rack-attack
 version: !ruby/object:Gem::Version
-  version: 2.2.1
-  prerelease:
+  version: 2.3.0
 platform: ruby
 authors:
 - Aaron Suggs
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-08-13 00:00:00.000000000 Z
+date: 2013-10-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
-  requirement: &1 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *1
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: minitest
-  requirement: &2 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *2
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rack-test
-  requirement: &3 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *3
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
-  requirement: &4 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *4
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: activesupport
-  requirement: &5 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
         version: 3.0.0
   type: :development
   prerelease: false
-  version_requirements: *5
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: 3.0.0
 - !ruby/object:Gem::Dependency
   name: debugger
-  requirement: &6 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '1.5'
   type: :development
   prerelease: false
-  version_requirements: *6
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.5'
 - !ruby/object:Gem::Dependency
   name: redis-activesupport
-  requirement: &7 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *7
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: dalli
-  requirement: &8 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *8
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: A rack middleware for throttling and blocking abusive requests
 email: aaron@ktheory.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- lib/rack/attack/allow2ban.rb
 - lib/rack/attack/blacklist.rb
 - lib/rack/attack/cache.rb
 - lib/rack/attack/check.rb
@@ -117,6 +141,7 @@ files:
 - lib/rack/attack.rb
 - Rakefile
 - README.md
+- spec/allow2ban_spec.rb
 - spec/fail2ban_spec.rb
 - spec/rack_attack_cache_spec.rb
 - spec/rack_attack_spec.rb
@@ -126,30 +151,30 @@ files:
 homepage: http://github.com/kickstarter/rack-attack
 licenses:
 - MIT
+metadata: {}
 post_install_message:
 rdoc_options:
 - --charset=UTF-8
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
   - - '>='
     - !ruby/object:Gem::Version
       version: 1.9.2
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
   - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 1.8.3
+rubygems_version: 2.1.6
 signing_key:
-specification_version: 3
+specification_version: 4
 summary: Block & throttle abusive requests
 test_files:
+- spec/allow2ban_spec.rb
 - spec/fail2ban_spec.rb
 - spec/rack_attack_cache_spec.rb
 - spec/rack_attack_spec.rb