rack-attack 5.0.1 → 5.4.2

data/lib/rack/attack/store_proxy/dalli_proxy.rb

@@ -28,14 +28,14 @@ module Rack
         rescue Dalli::DalliError
         end
 
-        def write(key, value, options={})
+        def write(key, value, options = {})
           with do |client|
             client.set(key, value, options.fetch(:expires_in, 0), raw: true)
           end
         rescue Dalli::DalliError
         end
 
-        def increment(key, amount, options={})
+        def increment(key, amount, options = {})
           with do |client|
             client.incr(key, amount, options.fetch(:expires_in, 0), amount)
           end
@@ -58,7 +58,6 @@ module Rack
             end
           end
         end
-
       end
     end
   end

data/lib/rack/attack/store_proxy/mem_cache_proxy.rb

@@ -14,21 +14,21 @@ module Rack
         def read(key)
           # Second argument: reading raw value
           get(key, true)
-          rescue MemCache::MemCacheError
+        rescue MemCache::MemCacheError
         end
 
-        def write(key, value, options={})
+        def write(key, value, options = {})
           # Third argument: writing raw value
           set(key, value, options.fetch(:expires_in, 0), true)
         rescue MemCache::MemCacheError
         end
 
-        def increment(key, amount, options={})
+        def increment(key, amount, _options = {})
           incr(key, amount)
         rescue MemCache::MemCacheError
         end
 
-        def delete(key, options={})
+        def delete(key, _options = {})
           with do |client|
             client.delete(key)
           end
@@ -44,7 +44,6 @@ module Rack
             end
           end
         end
-
       end
     end
   end

data/lib/rack/attack/store_proxy/mem_cache_store_proxy.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'delegate'
+
+module Rack
+  class Attack
+    module StoreProxy
+      class MemCacheStoreProxy < SimpleDelegator
+        def self.handle?(store)
+          defined?(::Dalli) && defined?(::ActiveSupport::Cache::MemCacheStore) && store.is_a?(::ActiveSupport::Cache::MemCacheStore)
+        end
+
+        def write(name, value, options = {})
+          super(name, value, options.merge!(raw: true))
+        end
+      end
+    end
+  end
+end

data/lib/rack/attack/store_proxy/redis_cache_store_proxy.rb

@@ -0,0 +1,35 @@
+require 'delegate'
+
+module Rack
+  class Attack
+    module StoreProxy
+      class RedisCacheStoreProxy < SimpleDelegator
+        def self.handle?(store)
+          store.class.name == "ActiveSupport::Cache::RedisCacheStore"
+        end
+
+        def increment(name, amount = 1, options = {})
+          # RedisCacheStore#increment ignores options[:expires_in].
+          #
+          # So in order to workaround this we use RedisCacheStore#write (which sets expiration) to initialize
+          # the counter. After that we continue using the original RedisCacheStore#increment.
+          if options[:expires_in] && !read(name)
+            write(name, amount, options)
+
+            amount
+          else
+            super
+          end
+        end
+
+        def read(name, options = {})
+          super(name, options.merge!(raw: true))
+        end
+
+        def write(name, value, options = {})
+          super(name, value, options.merge!(raw: true))
+        end
+      end
+    end
+  end
+end

data/lib/rack/attack/store_proxy/redis_proxy.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require 'delegate'
+
+module Rack
+  class Attack
+    module StoreProxy
+      class RedisProxy < SimpleDelegator
+        def initialize(*args)
+          if Gem::Version.new(Redis::VERSION) < Gem::Version.new("3")
+            warn 'RackAttack requires Redis gem >= 3.0.0.'
+          end
+
+          super(*args)
+        end
+
+        def self.handle?(store)
+          defined?(::Redis) && store.is_a?(::Redis)
+        end
+
+        def read(key)
+          get(key)
+        rescue Redis::BaseError
+        end
+
+        def write(key, value, options = {})
+          if (expires_in = options[:expires_in])
+            setex(key, expires_in, value)
+          else
+            set(key, value)
+          end
+        rescue Redis::BaseError
+        end
+
+        def increment(key, amount, options = {})
+          count = nil
+
+          pipelined do
+            count = incrby(key, amount)
+            expire(key, options[:expires_in]) if options[:expires_in]
+          end
+
+          count.value if count
+        rescue Redis::BaseError
+        end
+
+        def delete(key, _options = {})
+          del(key)
+        rescue Redis::BaseError
+        end
+      end
+    end
+  end
+end

data/lib/rack/attack/store_proxy/redis_store_proxy.rb

@@ -3,43 +3,24 @@ require 'delegate'
 module Rack
   class Attack
     module StoreProxy
-      class RedisStoreProxy < SimpleDelegator
+      class RedisStoreProxy < RedisProxy
         def self.handle?(store)
           defined?(::Redis::Store) && store.is_a?(::Redis::Store)
         end
 
-        def initialize(store)
-          super(store)
-        end
-
         def read(key)
-          self.get(key, raw: true)
+          get(key, raw: true)
         rescue Redis::BaseError
         end
 
-        def write(key, value, options={})
+        def write(key, value, options = {})
           if (expires_in = options[:expires_in])
-            self.setex(key, expires_in, value, raw: true)
+            setex(key, expires_in, value, raw: true)
           else
-            self.set(key, value, raw: true)
+            set(key, value, raw: true)
           end
         rescue Redis::BaseError
         end
-
-        def increment(key, amount, options={})
-          count = nil
-          self.pipelined do
-            count = self.incrby(key, amount)
-            self.expire(key, options[:expires_in]) if options[:expires_in]
-          end
-          count.value if count
-        rescue Redis::BaseError
-        end
-
-        def delete(key, options={})
-          self.del(key)
-        rescue Redis::BaseError
-        end
       end
     end
   end

data/lib/rack/attack/throttle.rb

@@ -1,7 +1,8 @@
 module Rack
   class Attack
     class Throttle
-      MANDATORY_OPTIONS = [:limit, :period]
+      MANDATORY_OPTIONS = [:limit, :period].freeze
+
       attr_reader :name, :limit, :period, :block, :type
       def initialize(name, options, block)
         @name, @block = name, block
@@ -17,29 +18,32 @@ module Rack
         Rack::Attack.cache
       end
 
-      def [](req)
-        discriminator = block[req]
+      def matched_by?(request)
+        discriminator = block.call(request)
         return false unless discriminator
 
-        current_period = period.respond_to?(:call) ? period.call(req) : period
-        current_limit  = limit.respond_to?(:call) ? limit.call(req) : limit
+        current_period = period.respond_to?(:call) ? period.call(request) : period
+        current_limit  = limit.respond_to?(:call) ? limit.call(request) : limit
         key            = "#{name}:#{discriminator}"
         count          = cache.count(key, current_period)
+        epoch_time     = cache.last_epoch_time
 
         data = {
           :count => count,
           :period => current_period,
-          :limit => current_limit
+          :limit => current_limit,
+          :epoch_time => epoch_time
         }
-        (req.env['rack.attack.throttle_data'] ||= {})[name] = data
+
+        (request.env['rack.attack.throttle_data'] ||= {})[name] = data
 
         (count > current_limit).tap do |throttled|
           if throttled
-            req.env['rack.attack.matched']             = name
-            req.env['rack.attack.match_discriminator'] = discriminator
-            req.env['rack.attack.match_type']          = type
-            req.env['rack.attack.match_data']          = data
-            Rack::Attack.instrument(req)
+            request.env['rack.attack.matched']             = name
+            request.env['rack.attack.match_discriminator'] = discriminator
+            request.env['rack.attack.match_type']          = type
+            request.env['rack.attack.match_data']          = data
+            Rack::Attack.instrument(request)
           end
         end
       end

data/lib/rack/attack/track.rb

@@ -1,8 +1,6 @@
 module Rack
   class Attack
     class Track
-      extend Forwardable
-
       attr_reader :filter
 
       def initialize(name, options = {}, block)
@@ -15,7 +13,9 @@ module Rack
         end
       end
 
-      def_delegator :@filter, :[]
+      def matched_by?(request)
+        filter.matched_by?(request)
+      end
     end
   end
 end

data/lib/rack/attack/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class Attack
-    VERSION = '5.0.1'
+    VERSION = '5.4.2'
   end
 end

data/spec/acceptance/allow2ban_spec.rb

@@ -0,0 +1,71 @@
+require_relative "../spec_helper"
+require "timecop"
+
+describe "allow2ban" do
+  before do
+    Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+
+    Rack::Attack.blocklist("allow2ban pentesters") do |request|
+      Rack::Attack::Allow2Ban.filter(request.ip, maxretry: 2, findtime: 30, bantime: 60) do
+        request.path.include?("scarce-resource")
+      end
+    end
+  end
+
+  it "returns OK for many requests that doesn't match the filter" do
+    get "/"
+    assert_equal 200, last_response.status
+
+    get "/"
+    assert_equal 200, last_response.status
+  end
+
+  it "returns OK for first request that matches the filter" do
+    get "/scarce-resource"
+    assert_equal 200, last_response.status
+  end
+
+  it "forbids all access after reaching maxretry limit" do
+    get "/scarce-resource"
+    assert_equal 200, last_response.status
+
+    get "/scarce-resource"
+    assert_equal 200, last_response.status
+
+    get "/scarce-resource"
+    assert_equal 403, last_response.status
+
+    get "/"
+    assert_equal 403, last_response.status
+  end
+
+  it "restores access after bantime elapsed" do
+    get "/scarce-resource"
+    assert_equal 200, last_response.status
+
+    get "/scarce-resource"
+    assert_equal 200, last_response.status
+
+    get "/"
+    assert_equal 403, last_response.status
+
+    Timecop.travel(60) do
+      get "/"
+
+      assert_equal 200, last_response.status
+    end
+  end
+
+  it "does not forbid all access if maxrety condition is met but not within the findtime timespan" do
+    get "/scarce-resource"
+    assert_equal 200, last_response.status
+
+    Timecop.travel(31) do
+      get "/scarce-resource"
+      assert_equal 200, last_response.status
+
+      get "/"
+      assert_equal 200, last_response.status
+    end
+  end
+end

data/spec/acceptance/blocking_ip_spec.rb

@@ -0,0 +1,38 @@
+require_relative "../spec_helper"
+
+describe "Blocking an IP" do
+  before do
+    Rack::Attack.blocklist_ip("1.2.3.4")
+  end
+
+  it "forbids request if IP matches" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 403, last_response.status
+  end
+
+  it "succeeds if IP doesn't match" do
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_equal 200, last_response.status
+  end
+
+  it "notifies when the request is blocked" do
+    notified = false
+    notification_type = nil
+
+    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
+      notified = true
+      notification_type = request.env["rack.attack.match_type"]
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    refute notified
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert notified
+    assert_equal :blocklist, notification_type
+  end
+end

data/spec/acceptance/blocking_spec.rb

@@ -0,0 +1,41 @@
+require_relative "../spec_helper"
+
+describe "#blocklist" do
+  before do
+    Rack::Attack.blocklist("block 1.2.3.4") do |request|
+      request.ip == "1.2.3.4"
+    end
+  end
+
+  it "forbids request if blocklist condition is true" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 403, last_response.status
+  end
+
+  it "succeeds if blocklist condition is false" do
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_equal 200, last_response.status
+  end
+
+  it "notifies when the request is blocked" do
+    notification_matched = nil
+    notification_type = nil
+
+    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
+      notification_matched = request.env["rack.attack.matched"]
+      notification_type = request.env["rack.attack.match_type"]
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_nil notification_matched
+    assert_nil notification_type
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal "block 1.2.3.4", notification_matched
+    assert_equal :blocklist, notification_type
+  end
+end