rack-attack 5.0.1 → 5.4.2

data/Rakefile

@@ -2,6 +2,9 @@ require "rubygems"
 require "bundler/setup"
 require 'bundler/gem_tasks'
 require 'rake/testtask'
+require "rubocop/rake_task"
+
+RuboCop::RakeTask.new
 
 namespace :test do
   Rake::TestTask.new(:units) do |t|
@@ -10,11 +13,15 @@ namespace :test do
 
   Rake::TestTask.new(:integration) do |t|
     t.pattern = "spec/integration/*_spec.rb"
-    t.warning = false
+  end
+
+  Rake::TestTask.new(:acceptance) do |t|
+    t.pattern = "spec/acceptance/**/*_spec.rb"
   end
 end
 
-desc 'Run tests'
-task :test => %w[test:units test:integration]
+Rake::TestTask.new(:test) do |t|
+  t.pattern = "spec/**/*_spec.rb"
+end
 
-task :default => :test
+task :default => [:rubocop, :test]

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/rack/attack.rb

@@ -1,24 +1,30 @@
 require 'rack'
 require 'forwardable'
+require 'rack/attack/path_normalizer'
+require 'rack/attack/request'
+require "ipaddr"
 
 class Rack::Attack
-  autoload :Cache,           'rack/attack/cache'
-  autoload :PathNormalizer,  'rack/attack/path_normalizer'
-  autoload :Check,           'rack/attack/check'
-  autoload :Throttle,        'rack/attack/throttle'
-  autoload :Safelist,       'rack/attack/safelist'
-  autoload :Blocklist,       'rack/attack/blocklist'
-  autoload :Track,           'rack/attack/track'
-  autoload :StoreProxy,      'rack/attack/store_proxy'
-  autoload :DalliProxy,      'rack/attack/store_proxy/dalli_proxy'
-  autoload :MemCacheProxy,   'rack/attack/store_proxy/mem_cache_proxy'
-  autoload :RedisStoreProxy, 'rack/attack/store_proxy/redis_store_proxy'
-  autoload :Fail2Ban,        'rack/attack/fail2ban'
-  autoload :Allow2Ban,       'rack/attack/allow2ban'
-  autoload :Request,         'rack/attack/request'
+  class MisconfiguredStoreError < StandardError; end
+  class MissingStoreError < StandardError; end
+
+  autoload :Cache,                'rack/attack/cache'
+  autoload :Check,                'rack/attack/check'
+  autoload :Throttle,             'rack/attack/throttle'
+  autoload :Safelist,             'rack/attack/safelist'
+  autoload :Blocklist,            'rack/attack/blocklist'
+  autoload :Track,                'rack/attack/track'
+  autoload :StoreProxy,           'rack/attack/store_proxy'
+  autoload :DalliProxy,           'rack/attack/store_proxy/dalli_proxy'
+  autoload :MemCacheProxy,        'rack/attack/store_proxy/mem_cache_proxy'
+  autoload :MemCacheStoreProxy,   'rack/attack/store_proxy/mem_cache_store_proxy'
+  autoload :RedisProxy,           'rack/attack/store_proxy/redis_proxy'
+  autoload :RedisStoreProxy,      'rack/attack/store_proxy/redis_store_proxy'
+  autoload :RedisCacheStoreProxy, 'rack/attack/store_proxy/redis_cache_store_proxy'
+  autoload :Fail2Ban,             'rack/attack/fail2ban'
+  autoload :Allow2Ban,            'rack/attack/allow2ban'
 
   class << self
-
     attr_accessor :notifier, :blocklisted_response, :throttled_response
 
     def safelist(name, &block)
@@ -34,6 +40,18 @@ class Rack::Attack
       self.blocklists[name] = Blocklist.new(name, block)
     end
 
+    def blocklist_ip(ip_address)
+      @ip_blocklists ||= []
+      ip_blocklist_proc = lambda { |request| IPAddr.new(ip_address).include?(IPAddr.new(request.ip)) }
+      @ip_blocklists << Blocklist.new(nil, ip_blocklist_proc)
+    end
+
+    def safelist_ip(ip_address)
+      @ip_safelists ||= []
+      ip_safelist_proc = lambda { |request| IPAddr.new(ip_address).include?(IPAddr.new(request.ip)) }
+      @ip_safelists << Safelist.new(nil, ip_safelist_proc)
+    end
+
     def blacklist(name, &block)
       warn "[DEPRECATION] 'Rack::Attack.blacklist' is deprecated.  Please use 'blocklist' instead."
       blocklist(name, &block)
@@ -47,9 +65,12 @@ class Rack::Attack
       self.tracks[name] = Track.new(name, options, block)
     end
 
-    def safelists; @safelists ||= {}; end
+    def safelists;  @safelists  ||= {}; end
+
     def blocklists; @blocklists ||= {}; end
+
     def throttles;  @throttles  ||= {}; end
+
     def tracks;     @tracks     ||= {}; end
 
     def whitelists
@@ -62,70 +83,84 @@ class Rack::Attack
       blocklists
     end
 
-    def safelisted?(req)
-      safelists.any? do |name, safelist|
-        safelist[req]
-      end
+    def safelisted?(request)
+      ip_safelists.any? { |safelist| safelist.matched_by?(request) } ||
+        safelists.any? { |_name, safelist| safelist.matched_by?(request) }
     end
 
-    def whitelisted?(req)
+    def whitelisted?(request)
       warn "[DEPRECATION] 'Rack::Attack.whitelisted?' is deprecated.  Please use 'safelisted?' instead."
-      safelisted?(req)
+      safelisted?(request)
     end
 
-    def blocklisted?(req)
-      blocklists.any? do |name, blocklist|
-        blocklist[req]
-      end
+    def blocklisted?(request)
+      ip_blocklists.any? { |blocklist| blocklist.matched_by?(request) } ||
+        blocklists.any? { |_name, blocklist| blocklist.matched_by?(request) }
     end
 
-    def blacklisted?(req)
+    def blacklisted?(request)
       warn "[DEPRECATION] 'Rack::Attack.blacklisted?' is deprecated.  Please use 'blocklisted?' instead."
-      blocklisted?(req)
+      blocklisted?(request)
     end
 
-    def throttled?(req)
-      throttles.any? do |name, throttle|
-        throttle[req]
+    def throttled?(request)
+      throttles.any? do |_name, throttle|
+        throttle.matched_by?(request)
       end
     end
 
-    def tracked?(req)
-      tracks.each_value do |tracker|
-        tracker[req]
+    def tracked?(request)
+      tracks.each_value do |track|
+        track.matched_by?(request)
       end
     end
 
-    def instrument(req)
-      notifier.instrument('rack.attack', req) if notifier
+    def instrument(request)
+      notifier.instrument('rack.attack', request) if notifier
     end
 
     def cache
       @cache ||= Cache.new
     end
 
-    def clear!
+    def clear_configuration
       @safelists, @blocklists, @throttles, @tracks = {}, {}, {}, {}
+      @ip_blocklists = []
+      @ip_safelists = []
+    end
+
+    def clear!
+      warn "[DEPRECATION] Rack::Attack.clear! is deprecated. Please use Rack::Attack.clear_configuration instead"
+      clear_configuration
     end
 
     def blacklisted_response=(res)
       warn "[DEPRECATION] 'Rack::Attack.blacklisted_response=' is deprecated.  Please use 'blocklisted_response=' instead."
-      self.blocklisted_response=(res)
+      self.blocklisted_response = res
     end
 
     def blacklisted_response
       warn "[DEPRECATION] 'Rack::Attack.blacklisted_response' is deprecated.  Please use 'blocklisted_response' instead."
-      self.blocklisted_response
+      blocklisted_response
     end
 
+    private
+
+    def ip_blocklists
+      @ip_blocklists ||= []
+    end
+
+    def ip_safelists
+      @ip_safelists ||= []
+    end
   end
 
   # Set defaults
   @notifier             = ActiveSupport::Notifications if defined?(ActiveSupport::Notifications)
-  @blocklisted_response = lambda {|env| [403, {'Content-Type' => 'text/plain'}, ["Forbidden\n"]] }
-  @throttled_response   = lambda {|env|
+  @blocklisted_response = lambda { |_env| [403, { 'Content-Type' => 'text/plain' }, ["Forbidden\n"]] }
+  @throttled_response   = lambda { |env|
     retry_after = (env['rack.attack.match_data'] || {})[:period]
-    [429, {'Content-Type' => 'text/plain', 'Retry-After' => retry_after.to_s}, ["Retry later\n"]]
+    [429, { 'Content-Type' => 'text/plain', 'Retry-After' => retry_after.to_s }, ["Retry later\n"]]
   }
 
   def initialize(app)
@@ -134,23 +169,20 @@ class Rack::Attack
 
   def call(env)
     env['PATH_INFO'] = PathNormalizer.normalize_path(env['PATH_INFO'])
-    req = Rack::Attack::Request.new(env)
+    request = Rack::Attack::Request.new(env)
 
-    if safelisted?(req)
+    if safelisted?(request)
       @app.call(env)
-    elsif blocklisted?(req)
+    elsif blocklisted?(request)
       self.class.blocklisted_response.call(env)
-    elsif throttled?(req)
+    elsif throttled?(request)
       self.class.throttled_response.call(env)
     else
-      tracked?(req)
+      tracked?(request)
       @app.call(env)
     end
   end
 
   extend Forwardable
-  def_delegators self, :safelisted?,
-                       :blocklisted?,
-                       :throttled?,
-                       :tracked?
+  def_delegators self, :safelisted?, :blocklisted?, :throttled?, :tracked?
 end

data/lib/rack/attack/allow2ban.rb

@@ -3,11 +3,12 @@ module Rack
     class Allow2Ban < Fail2Ban
       class << self
         protected
+
         def key_prefix
           'allow2ban'
         end
 
-        # everything the same here except we return only return true
+        # everything is the same here except we only return true
         # (blocking the request) if they have tripped the limit.
         def fail!(discriminator, bantime, findtime, maxretry)
           count = cache.count("#{key_prefix}:count:#{discriminator}", findtime)

data/lib/rack/attack/blocklist.rb

@@ -5,7 +5,6 @@ module Rack
         super
         @type = :blocklist
       end
-
     end
   end
 end

data/lib/rack/attack/cache.rb

@@ -1,8 +1,8 @@
 module Rack
   class Attack
     class Cache
-
       attr_accessor :prefix
+      attr_reader :last_epoch_time
 
       def initialize
         self.store = ::Rails.cache if defined?(::Rails.cache)
@@ -20,6 +20,9 @@ module Rack
       end
 
       def read(unprefixed_key)
+        enforce_store_presence!
+        enforce_store_method_presence!(:read)
+
         store.read("#{prefix}:#{unprefixed_key}")
       end
 
@@ -39,22 +42,38 @@ module Rack
       private
 
       def key_and_expiry(unprefixed_key, period)
-        epoch_time = Time.now.to_i
-        # Add 1 to expires_in to avoid timing error: http://git.io/i1PHXA
-        expires_in = (period - (epoch_time % period) + 1).to_i
-        ["#{prefix}:#{(epoch_time / period).to_i}:#{unprefixed_key}", expires_in]
+        @last_epoch_time = Time.now.to_i
+        # Add 1 to expires_in to avoid timing error: https://git.io/i1PHXA
+        expires_in = (period - (@last_epoch_time % period) + 1).to_i
+        ["#{prefix}:#{(@last_epoch_time / period).to_i}:#{unprefixed_key}", expires_in]
       end
 
       def do_count(key, expires_in)
+        enforce_store_presence!
+        enforce_store_method_presence!(:increment)
+
         result = store.increment(key, 1, :expires_in => expires_in)
 
         # NB: Some stores return nil when incrementing uninitialized values
         if result.nil?
+          enforce_store_method_presence!(:write)
+
           store.write(key, 1, :expires_in => expires_in)
         end
         result || 1
       end
 
+      def enforce_store_presence!
+        if store.nil?
+          raise Rack::Attack::MissingStoreError
+        end
+      end
+
+      def enforce_store_method_presence!(method_name)
+        if !store.respond_to?(method_name)
+          raise Rack::Attack::MisconfiguredStoreError, "Configured store #{store.class.name} doesn't respond to ##{method_name} method"
+        end
+      end
     end
   end
 end

data/lib/rack/attack/check.rb

@@ -7,17 +7,15 @@ module Rack
         @type = options.fetch(:type, nil)
       end
 
-      def [](req)
-        block[req].tap {|match|
+      def matched_by?(request)
+        block.call(request).tap do |match|
           if match
-            req.env["rack.attack.matched"] = name
-            req.env["rack.attack.match_type"] = type
-            Rack::Attack.instrument(req)
+            request.env["rack.attack.matched"] = name
+            request.env["rack.attack.match_type"] = type
+            Rack::Attack.instrument(request)
           end
-        }
+        end
       end
-
     end
   end
 end
-

data/lib/rack/attack/fail2ban.rb

@@ -27,6 +27,7 @@ module Rack
         end
 
         protected
+
         def key_prefix
           'fail2ban'
         end
@@ -40,8 +41,8 @@ module Rack
           true
         end
 
-
         private
+
         def ban!(discriminator, bantime)
           cache.write("#{key_prefix}:ban:#{discriminator}", 1, bantime)
         end

data/lib/rack/attack/path_normalizer.rb

@@ -1,8 +1,7 @@
 class Rack::Attack
-
   # When using Rack::Attack with a Rails app, developers expect the request path
   # to be normalized. In particular, trailing slashes are stripped.
-  # (See http://git.io/v0rrR for implementation.)
+  # (See https://git.io/v0rrR for implementation.)
   #
   # Look for an ActionDispatch utility class that Rails folks would expect
   # to normalize request paths. If unavailable, use a fallback class that
@@ -15,13 +14,9 @@ class Rack::Attack
   end
 
   PathNormalizer = if defined?(::ActionDispatch::Journey::Router::Utils)
-                 # For Rails 4+ apps
-                 ::ActionDispatch::Journey::Router::Utils
-               elsif defined?(::Journey::Router::Utils)
-                 # for Rails 3.2
-                 ::Journey::Router::Utils
-               else
-                 FallbackPathNormalizer
-               end
-
+                     # For Rails apps
+                     ::ActionDispatch::Journey::Router::Utils
+                   else
+                     FallbackPathNormalizer
+                   end
 end

data/lib/rack/attack/safelist.rb

@@ -5,7 +5,6 @@ module Rack
         super
         @type = :safelist
       end
-
     end
   end
 end

data/lib/rack/attack/store_proxy.rb

@@ -1,10 +1,7 @@
 module Rack
   class Attack
     module StoreProxy
-      PROXIES = [DalliProxy, MemCacheProxy, RedisStoreProxy]
-
-      ACTIVE_SUPPORT_WRAPPER_CLASSES = Set.new(['ActiveSupport::Cache::MemCacheStore', 'ActiveSupport::Cache::RedisStore']).freeze
-      ACTIVE_SUPPORT_CLIENTS = Set.new(['Redis::Store', 'Dalli::Client', 'MemCache']).freeze
+      PROXIES = [DalliProxy, MemCacheStoreProxy, MemCacheProxy, RedisStoreProxy, RedisProxy, RedisCacheStoreProxy].freeze
 
       def self.build(store)
         client = unwrap_active_support_stores(store)
@@ -12,17 +9,11 @@ module Rack
         klass ? klass.new(client) : client
       end
 
-
-      private
       def self.unwrap_active_support_stores(store)
         # ActiveSupport::Cache::RedisStore doesn't expose any way to set an expiry,
         # so use the raw Redis::Store instead.
-        # We also want to use the underlying Dalli client instead of ::ActiveSupport::Cache::MemCacheStore,
-        # and the MemCache client if using Rails 3.x
-
-        client = store.instance_variable_get(:@data)
-        if ACTIVE_SUPPORT_WRAPPER_CLASSES.include?(store.class.to_s) && ACTIVE_SUPPORT_CLIENTS.include?(client.class.to_s)
-          client
+        if store.class.name == 'ActiveSupport::Cache::RedisStore'
+          store.instance_variable_get(:@data)
         else
           store
         end