rack-attack 4.1.1 → 4.2.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.

This version of rack-attack might be problematic. Click here for more details.

Files changed (7) hide show
  1. checksums.yaml +4 -4
  2. data/README.md +7 -6
  3. data/lib/rack/attack.rb +3 -3
  4. data/lib/rack/attack/throttle.rb +7 -5
  5. data/lib/rack/attack/version.rb +1 -1
  6. data/spec/rack_attack_throttle_spec.rb +24 -1
  7. metadata +3 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 5fcafc0f62e4bc044a43ebff9f20d2059db798be
4
- data.tar.gz: 19ef91c505bac94a8e9e7cb0e9e672ce2c3f6aa7
3
+ metadata.gz: e99e6a7757d11626b6b7d078abe43e9fe123cc36
4
+ data.tar.gz: 77b5a17a9de1acd9692805e2e634d165d66f1506
5
5
  SHA512:
6
- metadata.gz: 51e6cbf5836d2edef0186e310eadc05ab859db5ba03bc3243250e9c0e739961d4a58c96021db8a0966afaa9b94cbf23e43cffb6689e4e6902b04170a575af6ab
7
- data.tar.gz: afd3639047fe6ac3c6e749d1efc1ceccd0d6100a9ae43d4947d48f09e4af2df48b94d66e879551d8ff6ccd1260467d5d5ad90604f0d942f0d9b61a5ce78cd71b
6
+ metadata.gz: 75e2f1b7c760cc33323618edf03dd6fb3f661b73d2ed2d2ce67e80f632942c369d4e4336c479ae68e99805c2c2910a51b54dc4fab545b54d295536c28811ca20
7
+ data.tar.gz: 5da774caa95cfe83eaeb1c42d759ac0761fc76c5c6137681101f658680b3bba9edde35862f9a84cd0a1f530ae294142663a619c3940fedc761345b0be5cd3542
data/README.md CHANGED
@@ -73,9 +73,9 @@ def call(env)
73
73
  if whitelisted?(req)
74
74
  @app.call(env)
75
75
  elsif blacklisted?(req)
76
- blacklisted_response[env]
76
+ self.class.blacklisted_response.call(env)
77
77
  elsif throttled?(req)
78
- throttled_response[env]
78
+ self.class.throttled_response.call(env)
79
79
  else
80
80
  tracked?(req)
81
81
  @app.call(env)
@@ -181,10 +181,11 @@ Rack::Attack.throttle('logins/email', :limit => 6, :period => 60.seconds) do |re
181
181
  req.params['email'] if req.path == '/login' && req.post?
182
182
  end
183
183
 
184
- # You can also set a limit using a proc instead of a number. For
185
- # instance, after Rack::Auth::Basic has authenticated the user:
186
- limit_based_on_proc = proc {|req| req.env["REMOTE_USER"] == "admin" ? 100 : 1}
187
- Rack::Attack.throttle('req/ip', :limit => limit_based_on_proc, :period => 1.second) do |req|
184
+ # You can also set a limit and period using a proc. For instance, after
185
+ # Rack::Auth::Basic has authenticated the user:
186
+ limit_proc = proc {|req| req.env["REMOTE_USER"] == "admin" ? 100 : 1}
187
+ period_proc = proc {|req| req.env["REMOTE_USER"] == "admin" ? 1.second : 1.minute}
188
+ Rack::Attack.throttle('req/ip', :limit => limit_proc, :period => period_proc) do |req|
188
189
  req.ip
189
190
  end
190
191
  ```
data/lib/rack/attack.rb CHANGED
@@ -82,7 +82,7 @@ class Rack::Attack
82
82
  @notifier = ActiveSupport::Notifications if defined?(ActiveSupport::Notifications)
83
83
  @blacklisted_response = lambda {|env| [403, {'Content-Type' => 'text/plain'}, ["Forbidden\n"]] }
84
84
  @throttled_response = lambda {|env|
85
- retry_after = env['rack.attack.match_data'][:period] rescue nil
85
+ retry_after = (env['rack.attack.match_data'] || {})[:period]
86
86
  [429, {'Content-Type' => 'text/plain', 'Retry-After' => retry_after.to_s}, ["Retry later\n"]]
87
87
  }
88
88
 
@@ -96,9 +96,9 @@ class Rack::Attack
96
96
  if whitelisted?(req)
97
97
  @app.call(env)
98
98
  elsif blacklisted?(req)
99
- self.class.blacklisted_response[env]
99
+ self.class.blacklisted_response.call(env)
100
100
  elsif throttled?(req)
101
- self.class.throttled_response[env]
101
+ self.class.throttled_response.call(env)
102
102
  else
103
103
  tracked?(req)
104
104
  @app.call(env)
data/lib/rack/attack/throttle.rb CHANGED
@@ -9,7 +9,7 @@ module Rack
9
9
  raise ArgumentError.new("Must pass #{opt.inspect} option") unless options[opt]
10
10
  end
11
11
  @limit = options[:limit]
12
- @period = options[:period].to_i
12
+ @period = options[:period].respond_to?(:call) ? options[:period] : options[:period].to_i
13
13
  @type = options.fetch(:type, :throttle)
14
14
  end
15
15
 
@@ -21,12 +21,14 @@ module Rack
21
21
  discriminator = block[req]
22
22
  return false unless discriminator
23
23
 
24
- key = "#{name}:#{discriminator}"
25
- count = cache.count(key, period)
26
- current_limit = limit.respond_to?(:call) ? limit.call(req) : limit
24
+ current_period = period.respond_to?(:call) ? period.call(req) : period
25
+ current_limit = limit.respond_to?(:call) ? limit.call(req) : limit
26
+ key = "#{name}:#{discriminator}"
27
+ count = cache.count(key, current_period)
28
+
27
29
  data = {
28
30
  :count => count,
29
- :period => period,
31
+ :period => current_period,
30
32
  :limit => current_limit
31
33
  }
32
34
  (req.env['rack.attack.throttle_data'] ||= {})[name] = data
data/lib/rack/attack/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  module Rack
2
2
  class Attack
3
- VERSION = '4.1.1'
3
+ VERSION = '4.2.0'
4
4
  end
5
5
  end
data/spec/rack_attack_throttle_spec.rb CHANGED
@@ -44,7 +44,30 @@ describe 'Rack::Attack.throttle with limit as proc' do
44
44
  before do
45
45
  @period = 60 # Use a long period; failures due to cache key rotation less likely
46
46
  Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
47
- Rack::Attack.throttle('ip/sec', :limit => lambda {|req| 1}, :period => @period) { |req| req.ip }
47
+ Rack::Attack.throttle('ip/sec', :limit => lambda { |req| 1 }, :period => @period) { |req| req.ip }
48
+ end
49
+
50
+ allow_ok_requests
51
+
52
+ describe 'a single request' do
53
+ before { get '/', {}, 'REMOTE_ADDR' => '1.2.3.4' }
54
+ it 'should set the counter for one request' do
55
+ key = "rack::attack:#{Time.now.to_i/@period}:ip/sec:1.2.3.4"
56
+ Rack::Attack.cache.store.read(key).must_equal 1
57
+ end
58
+
59
+ it 'should populate throttle data' do
60
+ data = { :count => 1, :limit => 1, :period => @period }
61
+ last_request.env['rack.attack.throttle_data']['ip/sec'].must_equal data
62
+ end
63
+ end
64
+ end
65
+
66
+ describe 'Rack::Attack.throttle with period as proc' do
67
+ before do
68
+ @period = 60 # Use a long period; failures due to cache key rotation less likely
69
+ Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
70
+ Rack::Attack.throttle('ip/sec', :limit => lambda { |req| 1 }, :period => lambda { |req| @period }) { |req| req.ip }
48
71
  end
49
72
 
50
73
  allow_ok_requests
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack-attack
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.1.1
4
+ version: 4.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Aaron Suggs
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2014-09-11 00:00:00.000000000 Z
11
+ date: 2014-10-26 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rack
@@ -204,3 +204,4 @@ test_files:
204
204
  - spec/rack_attack_throttle_spec.rb
205
205
  - spec/rack_attack_track_spec.rb
206
206
  - spec/spec_helper.rb
207
+ has_rdoc: