rack-attack 4.3.1 → 5.4.2

data/lib/rack/attack/{blacklist.rb → safelist.rb}

@@ -1,12 +1,10 @@
 module Rack
   class Attack
-    class Blacklist < Check
+    class Safelist < Check
       def initialize(name, block)
         super
-        @type = :blacklist
+        @type = :safelist
       end
-
     end
   end
 end
-

data/lib/rack/attack/store_proxy.rb

@@ -1,22 +1,23 @@
 module Rack
   class Attack
     module StoreProxy
-      PROXIES = [DalliProxy, RedisStoreProxy]
+      PROXIES = [DalliProxy, MemCacheStoreProxy, MemCacheProxy, RedisStoreProxy, RedisProxy, RedisCacheStoreProxy].freeze
 
       def self.build(store)
-        # RedisStore#increment needs different behavior, so detect that
-        # (method has an arity of 2; must call #expire separately
-        if defined?(::ActiveSupport::Cache::RedisStore) && store.is_a?(::ActiveSupport::Cache::RedisStore)
-          # ActiveSupport::Cache::RedisStore doesn't expose any way to set an expiry,
-          # so use the raw Redis::Store instead
-          store = store.instance_variable_get(:@data)
-        end
-
-        klass = PROXIES.find { |proxy| proxy.handle?(store) }
-
-        klass ? klass.new(store) : store
+        client = unwrap_active_support_stores(store)
+        klass = PROXIES.find { |proxy| proxy.handle?(client) }
+        klass ? klass.new(client) : client
       end
 
+      def self.unwrap_active_support_stores(store)
+        # ActiveSupport::Cache::RedisStore doesn't expose any way to set an expiry,
+        # so use the raw Redis::Store instead.
+        if store.class.name == 'ActiveSupport::Cache::RedisStore'
+          store.instance_variable_get(:@data)
+        else
+          store
+        end
+      end
     end
   end
 end

data/lib/rack/attack/store_proxy/dalli_proxy.rb

@@ -28,14 +28,14 @@ module Rack
         rescue Dalli::DalliError
         end
 
-        def write(key, value, options={})
+        def write(key, value, options = {})
           with do |client|
             client.set(key, value, options.fetch(:expires_in, 0), raw: true)
           end
         rescue Dalli::DalliError
         end
 
-        def increment(key, amount, options={})
+        def increment(key, amount, options = {})
           with do |client|
             client.incr(key, amount, options.fetch(:expires_in, 0), amount)
           end
@@ -58,7 +58,6 @@ module Rack
             end
           end
         end
-
       end
     end
   end

data/lib/rack/attack/store_proxy/mem_cache_proxy.rb

@@ -0,0 +1,50 @@
+module Rack
+  class Attack
+    module StoreProxy
+      class MemCacheProxy < SimpleDelegator
+        def self.handle?(store)
+          defined?(::MemCache) && store.is_a?(::MemCache)
+        end
+
+        def initialize(store)
+          super(store)
+          stub_with_if_missing
+        end
+
+        def read(key)
+          # Second argument: reading raw value
+          get(key, true)
+        rescue MemCache::MemCacheError
+        end
+
+        def write(key, value, options = {})
+          # Third argument: writing raw value
+          set(key, value, options.fetch(:expires_in, 0), true)
+        rescue MemCache::MemCacheError
+        end
+
+        def increment(key, amount, _options = {})
+          incr(key, amount)
+        rescue MemCache::MemCacheError
+        end
+
+        def delete(key, _options = {})
+          with do |client|
+            client.delete(key)
+          end
+        rescue MemCache::MemCacheError
+        end
+
+        private
+
+        def stub_with_if_missing
+          unless __getobj__.respond_to?(:with)
+            class << self
+              def with; yield __getobj__; end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rack/attack/store_proxy/mem_cache_store_proxy.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'delegate'
+
+module Rack
+  class Attack
+    module StoreProxy
+      class MemCacheStoreProxy < SimpleDelegator
+        def self.handle?(store)
+          defined?(::Dalli) && defined?(::ActiveSupport::Cache::MemCacheStore) && store.is_a?(::ActiveSupport::Cache::MemCacheStore)
+        end
+
+        def write(name, value, options = {})
+          super(name, value, options.merge!(raw: true))
+        end
+      end
+    end
+  end
+end

data/lib/rack/attack/store_proxy/redis_cache_store_proxy.rb

@@ -0,0 +1,35 @@
+require 'delegate'
+
+module Rack
+  class Attack
+    module StoreProxy
+      class RedisCacheStoreProxy < SimpleDelegator
+        def self.handle?(store)
+          store.class.name == "ActiveSupport::Cache::RedisCacheStore"
+        end
+
+        def increment(name, amount = 1, options = {})
+          # RedisCacheStore#increment ignores options[:expires_in].
+          #
+          # So in order to workaround this we use RedisCacheStore#write (which sets expiration) to initialize
+          # the counter. After that we continue using the original RedisCacheStore#increment.
+          if options[:expires_in] && !read(name)
+            write(name, amount, options)
+
+            amount
+          else
+            super
+          end
+        end
+
+        def read(name, options = {})
+          super(name, options.merge!(raw: true))
+        end
+
+        def write(name, value, options = {})
+          super(name, value, options.merge!(raw: true))
+        end
+      end
+    end
+  end
+end

data/lib/rack/attack/store_proxy/redis_proxy.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require 'delegate'
+
+module Rack
+  class Attack
+    module StoreProxy
+      class RedisProxy < SimpleDelegator
+        def initialize(*args)
+          if Gem::Version.new(Redis::VERSION) < Gem::Version.new("3")
+            warn 'RackAttack requires Redis gem >= 3.0.0.'
+          end
+
+          super(*args)
+        end
+
+        def self.handle?(store)
+          defined?(::Redis) && store.is_a?(::Redis)
+        end
+
+        def read(key)
+          get(key)
+        rescue Redis::BaseError
+        end
+
+        def write(key, value, options = {})
+          if (expires_in = options[:expires_in])
+            setex(key, expires_in, value)
+          else
+            set(key, value)
+          end
+        rescue Redis::BaseError
+        end
+
+        def increment(key, amount, options = {})
+          count = nil
+
+          pipelined do
+            count = incrby(key, amount)
+            expire(key, options[:expires_in]) if options[:expires_in]
+          end
+
+          count.value if count
+        rescue Redis::BaseError
+        end
+
+        def delete(key, _options = {})
+          del(key)
+        rescue Redis::BaseError
+        end
+      end
+    end
+  end
+end

data/lib/rack/attack/store_proxy/redis_store_proxy.rb

@@ -3,43 +3,24 @@ require 'delegate'
 module Rack
   class Attack
     module StoreProxy
-      class RedisStoreProxy < SimpleDelegator
+      class RedisStoreProxy < RedisProxy
         def self.handle?(store)
           defined?(::Redis::Store) && store.is_a?(::Redis::Store)
         end
 
-        def initialize(store)
-          super(store)
-        end
-
         def read(key)
-          self.get(key, raw: true)
+          get(key, raw: true)
         rescue Redis::BaseError
         end
 
-        def write(key, value, options={})
+        def write(key, value, options = {})
           if (expires_in = options[:expires_in])
-            self.setex(key, expires_in, value, raw: true)
+            setex(key, expires_in, value, raw: true)
           else
-            self.set(key, value, raw: true)
+            set(key, value, raw: true)
           end
         rescue Redis::BaseError
         end
-
-        def increment(key, amount, options={})
-          count = nil
-          self.pipelined do
-            count = self.incrby(key, amount)
-            self.expire(key, options[:expires_in]) if options[:expires_in]
-          end
-          count.value if count
-        rescue Redis::BaseError
-        end
-
-        def delete(key, options={})
-          self.del(key)
-        rescue Redis::BaseError
-        end
       end
     end
   end

data/lib/rack/attack/throttle.rb

@@ -1,7 +1,8 @@
 module Rack
   class Attack
     class Throttle
-      MANDATORY_OPTIONS = [:limit, :period]
+      MANDATORY_OPTIONS = [:limit, :period].freeze
+
       attr_reader :name, :limit, :period, :block, :type
       def initialize(name, options, block)
         @name, @block = name, block
@@ -17,29 +18,32 @@ module Rack
         Rack::Attack.cache
       end
 
-      def [](req)
-        discriminator = block[req]
+      def matched_by?(request)
+        discriminator = block.call(request)
         return false unless discriminator
 
-        current_period = period.respond_to?(:call) ? period.call(req) : period
-        current_limit  = limit.respond_to?(:call) ? limit.call(req) : limit
+        current_period = period.respond_to?(:call) ? period.call(request) : period
+        current_limit  = limit.respond_to?(:call) ? limit.call(request) : limit
         key            = "#{name}:#{discriminator}"
         count          = cache.count(key, current_period)
+        epoch_time     = cache.last_epoch_time
 
         data = {
           :count => count,
           :period => current_period,
-          :limit => current_limit
+          :limit => current_limit,
+          :epoch_time => epoch_time
         }
-        (req.env['rack.attack.throttle_data'] ||= {})[name] = data
+
+        (request.env['rack.attack.throttle_data'] ||= {})[name] = data
 
         (count > current_limit).tap do |throttled|
           if throttled
-            req.env['rack.attack.matched']             = name
-            req.env['rack.attack.match_discriminator'] = discriminator
-            req.env['rack.attack.match_type']          = type
-            req.env['rack.attack.match_data']          = data
-            Rack::Attack.instrument(req)
+            request.env['rack.attack.matched']             = name
+            request.env['rack.attack.match_discriminator'] = discriminator
+            request.env['rack.attack.match_type']          = type
+            request.env['rack.attack.match_data']          = data
+            Rack::Attack.instrument(request)
           end
         end
       end

data/lib/rack/attack/track.rb

@@ -1,8 +1,6 @@
 module Rack
   class Attack
     class Track
-      extend Forwardable
-
       attr_reader :filter
 
       def initialize(name, options = {}, block)
@@ -15,7 +13,9 @@ module Rack
         end
       end
 
-      def_delegator :@filter, :[]
+      def matched_by?(request)
+        filter.matched_by?(request)
+      end
     end
   end
 end

data/lib/rack/attack/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class Attack
-    VERSION = '4.3.1'
+    VERSION = '5.4.2'
   end
 end

data/spec/acceptance/allow2ban_spec.rb

@@ -0,0 +1,71 @@
+require_relative "../spec_helper"
+require "timecop"
+
+describe "allow2ban" do
+  before do
+    Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+
+    Rack::Attack.blocklist("allow2ban pentesters") do |request|
+      Rack::Attack::Allow2Ban.filter(request.ip, maxretry: 2, findtime: 30, bantime: 60) do
+        request.path.include?("scarce-resource")
+      end
+    end
+  end
+
+  it "returns OK for many requests that doesn't match the filter" do
+    get "/"
+    assert_equal 200, last_response.status
+
+    get "/"
+    assert_equal 200, last_response.status
+  end
+
+  it "returns OK for first request that matches the filter" do
+    get "/scarce-resource"
+    assert_equal 200, last_response.status
+  end
+
+  it "forbids all access after reaching maxretry limit" do
+    get "/scarce-resource"
+    assert_equal 200, last_response.status
+
+    get "/scarce-resource"
+    assert_equal 200, last_response.status
+
+    get "/scarce-resource"
+    assert_equal 403, last_response.status
+
+    get "/"
+    assert_equal 403, last_response.status
+  end
+
+  it "restores access after bantime elapsed" do
+    get "/scarce-resource"
+    assert_equal 200, last_response.status
+
+    get "/scarce-resource"
+    assert_equal 200, last_response.status
+
+    get "/"
+    assert_equal 403, last_response.status
+
+    Timecop.travel(60) do
+      get "/"
+
+      assert_equal 200, last_response.status
+    end
+  end
+
+  it "does not forbid all access if maxrety condition is met but not within the findtime timespan" do
+    get "/scarce-resource"
+    assert_equal 200, last_response.status
+
+    Timecop.travel(31) do
+      get "/scarce-resource"
+      assert_equal 200, last_response.status
+
+      get "/"
+      assert_equal 200, last_response.status
+    end
+  end
+end