rack-attack 4.3.1 → 5.4.2

data/spec/acceptance/blocking_ip_spec.rb

@@ -0,0 +1,38 @@
+require_relative "../spec_helper"
+
+describe "Blocking an IP" do
+  before do
+    Rack::Attack.blocklist_ip("1.2.3.4")
+  end
+
+  it "forbids request if IP matches" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 403, last_response.status
+  end
+
+  it "succeeds if IP doesn't match" do
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_equal 200, last_response.status
+  end
+
+  it "notifies when the request is blocked" do
+    notified = false
+    notification_type = nil
+
+    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
+      notified = true
+      notification_type = request.env["rack.attack.match_type"]
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    refute notified
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert notified
+    assert_equal :blocklist, notification_type
+  end
+end

data/spec/acceptance/blocking_spec.rb

@@ -0,0 +1,41 @@
+require_relative "../spec_helper"
+
+describe "#blocklist" do
+  before do
+    Rack::Attack.blocklist("block 1.2.3.4") do |request|
+      request.ip == "1.2.3.4"
+    end
+  end
+
+  it "forbids request if blocklist condition is true" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 403, last_response.status
+  end
+
+  it "succeeds if blocklist condition is false" do
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_equal 200, last_response.status
+  end
+
+  it "notifies when the request is blocked" do
+    notification_matched = nil
+    notification_type = nil
+
+    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
+      notification_matched = request.env["rack.attack.matched"]
+      notification_type = request.env["rack.attack.match_type"]
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_nil notification_matched
+    assert_nil notification_type
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal "block 1.2.3.4", notification_matched
+    assert_equal :blocklist, notification_type
+  end
+end

data/spec/acceptance/blocking_subnet_spec.rb

@@ -0,0 +1,44 @@
+require_relative "../spec_helper"
+
+describe "Blocking an IP subnet" do
+  before do
+    Rack::Attack.blocklist_ip("1.2.3.4/31")
+  end
+
+  it "forbids request if IP is inside the subnet" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 403, last_response.status
+  end
+
+  it "forbids request for another IP in the subnet" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.5"
+
+    assert_equal 403, last_response.status
+  end
+
+  it "succeeds if IP is outside the subnet" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.6"
+
+    assert_equal 200, last_response.status
+  end
+
+  it "notifies when the request is blocked" do
+    notified = false
+    notification_type = nil
+
+    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
+      notified = true
+      notification_type = request.env["rack.attack.match_type"]
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    refute notified
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert notified
+    assert_equal :blocklist, notification_type
+  end
+end

data/spec/acceptance/cache_store_config_for_allow2ban_spec.rb

@@ -0,0 +1,126 @@
+require_relative "../spec_helper"
+require "minitest/stub_const"
+
+describe "Cache store config when using allow2ban" do
+  before do
+    Rack::Attack.blocklist("allow2ban pentesters") do |request|
+      Rack::Attack::Allow2Ban.filter(request.ip, maxretry: 2, findtime: 30, bantime: 60) do
+        request.path.include?("scarce-resource")
+      end
+    end
+  end
+
+  it "gives semantic error if no store was configured" do
+    assert_raises(Rack::Attack::MissingStoreError) do
+      get "/scarce-resource"
+    end
+  end
+
+  it "gives semantic error if store is missing #read method" do
+    raised_exception = nil
+
+    fake_store_class = Class.new do
+      def write(key, value)
+      end
+
+      def increment(key, count, options = {})
+      end
+    end
+
+    Object.stub_const(:FakeStore, fake_store_class) do
+      Rack::Attack.cache.store = FakeStore.new
+
+      raised_exception = assert_raises(Rack::Attack::MisconfiguredStoreError) do
+        get "/scarce-resource"
+      end
+    end
+
+    assert_equal "Configured store FakeStore doesn't respond to #read method", raised_exception.message
+  end
+
+  it "gives semantic error if store is missing #write method" do
+    raised_exception = nil
+
+    fake_store_class = Class.new do
+      def read(key)
+      end
+
+      def increment(key, count, options = {})
+      end
+    end
+
+    Object.stub_const(:FakeStore, fake_store_class) do
+      Rack::Attack.cache.store = FakeStore.new
+
+      raised_exception = assert_raises(Rack::Attack::MisconfiguredStoreError) do
+        get "/scarce-resource"
+      end
+    end
+
+    assert_equal "Configured store FakeStore doesn't respond to #write method", raised_exception.message
+  end
+
+  it "gives semantic error if store is missing #increment method" do
+    raised_exception = nil
+
+    fake_store_class = Class.new do
+      def read(key)
+      end
+
+      def write(key, value)
+      end
+    end
+
+    Object.stub_const(:FakeStore, fake_store_class) do
+      Rack::Attack.cache.store = FakeStore.new
+
+      raised_exception = assert_raises(Rack::Attack::MisconfiguredStoreError) do
+        get "/scarce-resource"
+      end
+    end
+
+    assert_equal "Configured store FakeStore doesn't respond to #increment method", raised_exception.message
+  end
+
+  it "works with any object that responds to #read, #write and #increment" do
+    fake_store_class = Class.new do
+      attr_accessor :backend
+
+      def initialize
+        @backend = {}
+      end
+
+      def read(key)
+        @backend[key]
+      end
+
+      def write(key, value, _options = {})
+        @backend[key] = value
+      end
+
+      def increment(key, _count, _options = {})
+        @backend[key] ||= 0
+        @backend[key] += 1
+      end
+    end
+
+    Object.stub_const(:FakeStore, fake_store_class) do
+      Rack::Attack.cache.store = FakeStore.new
+
+      get "/"
+      assert_equal 200, last_response.status
+
+      get "/scarce-resource"
+      assert_equal 200, last_response.status
+
+      get "/scarce-resource"
+      assert_equal 200, last_response.status
+
+      get "/scarce-resource"
+      assert_equal 403, last_response.status
+
+      get "/"
+      assert_equal 403, last_response.status
+    end
+  end
+end

data/spec/acceptance/cache_store_config_for_fail2ban_spec.rb

@@ -0,0 +1,121 @@
+require_relative "../spec_helper"
+require "minitest/stub_const"
+
+describe "Cache store config when using fail2ban" do
+  before do
+    Rack::Attack.blocklist("fail2ban pentesters") do |request|
+      Rack::Attack::Fail2Ban.filter(request.ip, maxretry: 2, findtime: 30, bantime: 60) do
+        request.path.include?("private-place")
+      end
+    end
+  end
+
+  it "gives semantic error if no store was configured" do
+    assert_raises(Rack::Attack::MissingStoreError) do
+      get "/private-place"
+    end
+  end
+
+  it "gives semantic error if store is missing #read method" do
+    raised_exception = nil
+
+    fake_store_class = Class.new do
+      def write(key, value)
+      end
+
+      def increment(key, count, options = {})
+      end
+    end
+
+    Object.stub_const(:FakeStore, fake_store_class) do
+      Rack::Attack.cache.store = FakeStore.new
+
+      raised_exception = assert_raises(Rack::Attack::MisconfiguredStoreError) do
+        get "/private-place"
+      end
+    end
+
+    assert_equal "Configured store FakeStore doesn't respond to #read method", raised_exception.message
+  end
+
+  it "gives semantic error if store is missing #write method" do
+    raised_exception = nil
+
+    fake_store_class = Class.new do
+      def read(key)
+      end
+
+      def increment(key, count, options = {})
+      end
+    end
+
+    Object.stub_const(:FakeStore, fake_store_class) do
+      Rack::Attack.cache.store = FakeStore.new
+
+      raised_exception = assert_raises(Rack::Attack::MisconfiguredStoreError) do
+        get "/private-place"
+      end
+    end
+
+    assert_equal "Configured store FakeStore doesn't respond to #write method", raised_exception.message
+  end
+
+  it "gives semantic error if store is missing #increment method" do
+    raised_exception = nil
+
+    fake_store_class = Class.new do
+      def read(key)
+      end
+
+      def write(key, value)
+      end
+    end
+
+    Object.stub_const(:FakeStore, fake_store_class) do
+      Rack::Attack.cache.store = FakeStore.new
+
+      raised_exception = assert_raises(Rack::Attack::MisconfiguredStoreError) do
+        get "/private-place"
+      end
+    end
+
+    assert_equal "Configured store FakeStore doesn't respond to #increment method", raised_exception.message
+  end
+
+  it "works with any object that responds to #read, #write and #increment" do
+    FakeStore = Class.new do
+      attr_accessor :backend
+
+      def initialize
+        @backend = {}
+      end
+
+      def read(key)
+        @backend[key]
+      end
+
+      def write(key, value, _options = {})
+        @backend[key] = value
+      end
+
+      def increment(key, _count, _options = {})
+        @backend[key] ||= 0
+        @backend[key] += 1
+      end
+    end
+
+    Rack::Attack.cache.store = FakeStore.new
+
+    get "/"
+    assert_equal 200, last_response.status
+
+    get "/private-place"
+    assert_equal 403, last_response.status
+
+    get "/private-place"
+    assert_equal 403, last_response.status
+
+    get "/"
+    assert_equal 403, last_response.status
+  end
+end

data/spec/acceptance/cache_store_config_for_throttle_spec.rb

@@ -0,0 +1,48 @@
+require_relative "../spec_helper"
+
+describe "Cache store config when throttling without Rails" do
+  before do
+    Rack::Attack.throttle("by ip", limit: 1, period: 60) do |request|
+      request.ip
+    end
+  end
+
+  it "gives semantic error if no store was configured" do
+    assert_raises(Rack::Attack::MissingStoreError) do
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    end
+  end
+
+  it "gives semantic error if incompatible store was configured" do
+    Rack::Attack.cache.store = Object.new
+
+    assert_raises(Rack::Attack::MisconfiguredStoreError) do
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    end
+  end
+
+  it "works with any object that responds to #increment" do
+    basic_store_class = Class.new do
+      attr_accessor :counts
+
+      def initialize
+        @counts = {}
+      end
+
+      def increment(key, _count, _options)
+        @counts[key] ||= 0
+        @counts[key] += 1
+      end
+    end
+
+    Rack::Attack.cache.store = basic_store_class.new
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 200, last_response.status
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 429, last_response.status
+  end
+end

data/spec/acceptance/cache_store_config_with_rails_spec.rb

@@ -0,0 +1,31 @@
+require_relative "../spec_helper"
+require "minitest/stub_const"
+require "ostruct"
+
+describe "Cache store config with Rails" do
+  before do
+    Rack::Attack.throttle("by ip", limit: 1, period: 60) do |request|
+      request.ip
+    end
+  end
+
+  it "fails when Rails.cache is not set" do
+    Object.stub_const(:Rails, OpenStruct.new(cache: nil)) do
+      assert_raises(Rack::Attack::MissingStoreError) do
+        get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      end
+    end
+  end
+
+  it "works when Rails.cache is set" do
+    Object.stub_const(:Rails, OpenStruct.new(cache: ActiveSupport::Cache::MemoryStore.new)) do
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+      assert_equal 200, last_response.status
+
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+      assert_equal 429, last_response.status
+    end
+  end
+end