RubyGems - rack-attack - Versions diffs - 5.0.1 → 5.4.2 - Mend

rack-attack 5.0.1 → 5.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (63) hide show

checksums.yaml +5 -5
data/README.md +190 -94
data/Rakefile +11 -4
data/bin/setup +8 -0
data/lib/rack/attack.rb +83 -51
data/lib/rack/attack/allow2ban.rb +2 -1
data/lib/rack/attack/blocklist.rb +0 -1
data/lib/rack/attack/cache.rb +24 -5
data/lib/rack/attack/check.rb +6 -8
data/lib/rack/attack/fail2ban.rb +2 -1
data/lib/rack/attack/path_normalizer.rb +6 -11
data/lib/rack/attack/safelist.rb +0 -1
data/lib/rack/attack/store_proxy.rb +3 -12
data/lib/rack/attack/store_proxy/dalli_proxy.rb +2 -3
data/lib/rack/attack/store_proxy/mem_cache_proxy.rb +4 -5
data/lib/rack/attack/store_proxy/mem_cache_store_proxy.rb +19 -0
data/lib/rack/attack/store_proxy/redis_cache_store_proxy.rb +35 -0
data/lib/rack/attack/store_proxy/redis_proxy.rb +54 -0
data/lib/rack/attack/store_proxy/redis_store_proxy.rb +5 -24
data/lib/rack/attack/throttle.rb +16 -12
data/lib/rack/attack/track.rb +3 -3
data/lib/rack/attack/version.rb +1 -1
data/spec/acceptance/allow2ban_spec.rb +71 -0
data/spec/acceptance/blocking_ip_spec.rb +38 -0
data/spec/acceptance/blocking_spec.rb +41 -0
data/spec/acceptance/blocking_subnet_spec.rb +44 -0
data/spec/acceptance/cache_store_config_for_allow2ban_spec.rb +126 -0
data/spec/acceptance/cache_store_config_for_fail2ban_spec.rb +121 -0
data/spec/acceptance/cache_store_config_for_throttle_spec.rb +48 -0
data/spec/acceptance/cache_store_config_with_rails_spec.rb +31 -0
data/spec/acceptance/customizing_blocked_response_spec.rb +41 -0
data/spec/acceptance/customizing_throttled_response_spec.rb +59 -0
data/spec/acceptance/extending_request_object_spec.rb +34 -0
data/spec/acceptance/fail2ban_spec.rb +76 -0
data/spec/acceptance/safelisting_ip_spec.rb +48 -0
data/spec/acceptance/safelisting_spec.rb +53 -0
data/spec/acceptance/safelisting_subnet_spec.rb +48 -0
data/spec/acceptance/stores/active_support_dalli_store_spec.rb +19 -0
data/spec/acceptance/stores/active_support_mem_cache_store_pooled_spec.rb +22 -0
data/spec/acceptance/stores/active_support_mem_cache_store_spec.rb +18 -0
data/spec/acceptance/stores/active_support_memory_store_spec.rb +16 -0
data/spec/acceptance/stores/active_support_redis_cache_store_pooled_spec.rb +18 -0
data/spec/acceptance/stores/active_support_redis_cache_store_spec.rb +18 -0
data/spec/acceptance/stores/active_support_redis_store_spec.rb +18 -0
data/spec/acceptance/stores/connection_pool_dalli_client_spec.rb +22 -0
data/spec/acceptance/stores/dalli_client_spec.rb +19 -0
data/spec/acceptance/stores/redis_spec.rb +20 -0
data/spec/acceptance/stores/redis_store_spec.rb +18 -0
data/spec/acceptance/throttling_spec.rb +159 -0
data/spec/acceptance/track_spec.rb +27 -0
data/spec/acceptance/track_throttle_spec.rb +53 -0
data/spec/allow2ban_spec.rb +9 -8
data/spec/fail2ban_spec.rb +11 -9
data/spec/integration/offline_spec.rb +21 -23
data/spec/rack_attack_dalli_proxy_spec.rb +0 -2
data/spec/rack_attack_request_spec.rb +1 -1
data/spec/rack_attack_spec.rb +13 -14
data/spec/rack_attack_throttle_spec.rb +28 -18
data/spec/rack_attack_track_spec.rb +11 -8
data/spec/spec_helper.rb +35 -14
data/spec/support/cache_store_helper.rb +82 -0
metadata +150 -65
data/spec/integration/rack_attack_cache_spec.rb +0 -122

data/spec/acceptance/blocking_subnet_spec.rb ADDED Viewed

@@ -0,0 +1,44 @@
+require_relative "../spec_helper"
+describe "Blocking an IP subnet" do
+  before do
+    Rack::Attack.blocklist_ip("1.2.3.4/31")
+  end
+  it "forbids request if IP is inside the subnet" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 403, last_response.status
+  end
+  it "forbids request for another IP in the subnet" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.5"
+    assert_equal 403, last_response.status
+  end
+  it "succeeds if IP is outside the subnet" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.6"
+    assert_equal 200, last_response.status
+  end
+  it "notifies when the request is blocked" do
+    notified = false
+    notification_type = nil
+    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
+      notified = true
+      notification_type = request.env["rack.attack.match_type"]
+    end
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+    refute notified
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert notified
+    assert_equal :blocklist, notification_type
+  end
+end

data/spec/acceptance/cache_store_config_for_allow2ban_spec.rb ADDED Viewed

@@ -0,0 +1,126 @@
+require_relative "../spec_helper"
+require "minitest/stub_const"
+describe "Cache store config when using allow2ban" do
+  before do
+    Rack::Attack.blocklist("allow2ban pentesters") do |request|
+      Rack::Attack::Allow2Ban.filter(request.ip, maxretry: 2, findtime: 30, bantime: 60) do
+        request.path.include?("scarce-resource")
+      end
+    end
+  end
+  it "gives semantic error if no store was configured" do
+    assert_raises(Rack::Attack::MissingStoreError) do
+      get "/scarce-resource"
+    end
+  end
+  it "gives semantic error if store is missing #read method" do
+    raised_exception = nil
+    fake_store_class = Class.new do
+      def write(key, value)
+      end
+      def increment(key, count, options = {})
+      end
+    end
+    Object.stub_const(:FakeStore, fake_store_class) do
+      Rack::Attack.cache.store = FakeStore.new
+      raised_exception = assert_raises(Rack::Attack::MisconfiguredStoreError) do
+        get "/scarce-resource"
+      end
+    end
+    assert_equal "Configured store FakeStore doesn't respond to #read method", raised_exception.message
+  end
+  it "gives semantic error if store is missing #write method" do
+    raised_exception = nil
+    fake_store_class = Class.new do
+      def read(key)
+      end
+      def increment(key, count, options = {})
+      end
+    end
+    Object.stub_const(:FakeStore, fake_store_class) do
+      Rack::Attack.cache.store = FakeStore.new
+      raised_exception = assert_raises(Rack::Attack::MisconfiguredStoreError) do
+        get "/scarce-resource"
+      end
+    end
+    assert_equal "Configured store FakeStore doesn't respond to #write method", raised_exception.message
+  end
+  it "gives semantic error if store is missing #increment method" do
+    raised_exception = nil
+    fake_store_class = Class.new do
+      def read(key)
+      end
+      def write(key, value)
+      end
+    end
+    Object.stub_const(:FakeStore, fake_store_class) do
+      Rack::Attack.cache.store = FakeStore.new
+      raised_exception = assert_raises(Rack::Attack::MisconfiguredStoreError) do
+        get "/scarce-resource"
+      end
+    end
+    assert_equal "Configured store FakeStore doesn't respond to #increment method", raised_exception.message
+  end
+  it "works with any object that responds to #read, #write and #increment" do
+    fake_store_class = Class.new do
+      attr_accessor :backend
+      def initialize
+        @backend = {}
+      end
+      def read(key)
+        @backend[key]
+      end
+      def write(key, value, _options = {})
+        @backend[key] = value
+      end
+      def increment(key, _count, _options = {})
+        @backend[key] ||= 0
+        @backend[key] += 1
+      end
+    end
+    Object.stub_const(:FakeStore, fake_store_class) do
+      Rack::Attack.cache.store = FakeStore.new
+      get "/"
+      assert_equal 200, last_response.status
+      get "/scarce-resource"
+      assert_equal 200, last_response.status
+      get "/scarce-resource"
+      assert_equal 200, last_response.status
+      get "/scarce-resource"
+      assert_equal 403, last_response.status
+      get "/"
+      assert_equal 403, last_response.status
+    end
+  end
+end

data/spec/acceptance/cache_store_config_for_fail2ban_spec.rb ADDED Viewed

@@ -0,0 +1,121 @@
+require_relative "../spec_helper"
+require "minitest/stub_const"
+describe "Cache store config when using fail2ban" do
+  before do
+    Rack::Attack.blocklist("fail2ban pentesters") do |request|
+      Rack::Attack::Fail2Ban.filter(request.ip, maxretry: 2, findtime: 30, bantime: 60) do
+        request.path.include?("private-place")
+      end
+    end
+  end
+  it "gives semantic error if no store was configured" do
+    assert_raises(Rack::Attack::MissingStoreError) do
+      get "/private-place"
+    end
+  end
+  it "gives semantic error if store is missing #read method" do
+    raised_exception = nil
+    fake_store_class = Class.new do
+      def write(key, value)
+      end
+      def increment(key, count, options = {})
+      end
+    end
+    Object.stub_const(:FakeStore, fake_store_class) do
+      Rack::Attack.cache.store = FakeStore.new
+      raised_exception = assert_raises(Rack::Attack::MisconfiguredStoreError) do
+        get "/private-place"
+      end
+    end
+    assert_equal "Configured store FakeStore doesn't respond to #read method", raised_exception.message
+  end
+  it "gives semantic error if store is missing #write method" do
+    raised_exception = nil
+    fake_store_class = Class.new do
+      def read(key)
+      end
+      def increment(key, count, options = {})
+      end
+    end
+    Object.stub_const(:FakeStore, fake_store_class) do
+      Rack::Attack.cache.store = FakeStore.new
+      raised_exception = assert_raises(Rack::Attack::MisconfiguredStoreError) do
+        get "/private-place"
+      end
+    end
+    assert_equal "Configured store FakeStore doesn't respond to #write method", raised_exception.message
+  end
+  it "gives semantic error if store is missing #increment method" do
+    raised_exception = nil
+    fake_store_class = Class.new do
+      def read(key)
+      end
+      def write(key, value)
+      end
+    end
+    Object.stub_const(:FakeStore, fake_store_class) do
+      Rack::Attack.cache.store = FakeStore.new
+      raised_exception = assert_raises(Rack::Attack::MisconfiguredStoreError) do
+        get "/private-place"
+      end
+    end
+    assert_equal "Configured store FakeStore doesn't respond to #increment method", raised_exception.message
+  end
+  it "works with any object that responds to #read, #write and #increment" do
+    FakeStore = Class.new do
+      attr_accessor :backend
+      def initialize
+        @backend = {}
+      end
+      def read(key)
+        @backend[key]
+      end
+      def write(key, value, _options = {})
+        @backend[key] = value
+      end
+      def increment(key, _count, _options = {})
+        @backend[key] ||= 0
+        @backend[key] += 1
+      end
+    end
+    Rack::Attack.cache.store = FakeStore.new
+    get "/"
+    assert_equal 200, last_response.status
+    get "/private-place"
+    assert_equal 403, last_response.status
+    get "/private-place"
+    assert_equal 403, last_response.status
+    get "/"
+    assert_equal 403, last_response.status
+  end
+end

data/spec/acceptance/cache_store_config_for_throttle_spec.rb ADDED Viewed

@@ -0,0 +1,48 @@
+require_relative "../spec_helper"
+describe "Cache store config when throttling without Rails" do
+  before do
+    Rack::Attack.throttle("by ip", limit: 1, period: 60) do |request|
+      request.ip
+    end
+  end
+  it "gives semantic error if no store was configured" do
+    assert_raises(Rack::Attack::MissingStoreError) do
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    end
+  end
+  it "gives semantic error if incompatible store was configured" do
+    Rack::Attack.cache.store = Object.new
+    assert_raises(Rack::Attack::MisconfiguredStoreError) do
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    end
+  end
+  it "works with any object that responds to #increment" do
+    basic_store_class = Class.new do
+      attr_accessor :counts
+      def initialize
+        @counts = {}
+      end
+      def increment(key, _count, _options)
+        @counts[key] ||= 0
+        @counts[key] += 1
+      end
+    end
+    Rack::Attack.cache.store = basic_store_class.new
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 200, last_response.status
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 429, last_response.status
+  end
+end

data/spec/acceptance/cache_store_config_with_rails_spec.rb ADDED Viewed

@@ -0,0 +1,31 @@
+require_relative "../spec_helper"
+require "minitest/stub_const"
+require "ostruct"
+describe "Cache store config with Rails" do
+  before do
+    Rack::Attack.throttle("by ip", limit: 1, period: 60) do |request|
+      request.ip
+    end
+  end
+  it "fails when Rails.cache is not set" do
+    Object.stub_const(:Rails, OpenStruct.new(cache: nil)) do
+      assert_raises(Rack::Attack::MissingStoreError) do
+        get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      end
+    end
+  end
+  it "works when Rails.cache is set" do
+    Object.stub_const(:Rails, OpenStruct.new(cache: ActiveSupport::Cache::MemoryStore.new)) do
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      assert_equal 200, last_response.status
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      assert_equal 429, last_response.status
+    end
+  end
+end

data/spec/acceptance/customizing_blocked_response_spec.rb ADDED Viewed

@@ -0,0 +1,41 @@
+require_relative "../spec_helper"
+describe "Customizing block responses" do
+  before do
+    Rack::Attack.blocklist("block 1.2.3.4") do |request|
+      request.ip == "1.2.3.4"
+    end
+  end
+  it "can be customized" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 403, last_response.status
+    Rack::Attack.blocklisted_response = lambda do |_env|
+      [503, {}, ["Blocked"]]
+    end
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 503, last_response.status
+    assert_equal "Blocked", last_response.body
+  end
+  it "exposes match data" do
+    matched = nil
+    match_type = nil
+    Rack::Attack.blocklisted_response = lambda do |env|
+      matched = env['rack.attack.matched']
+      match_type = env['rack.attack.match_type']
+      [503, {}, ["Blocked"]]
+    end
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal "block 1.2.3.4", matched
+    assert_equal :blocklist, match_type
+  end
+end

data/spec/acceptance/customizing_throttled_response_spec.rb ADDED Viewed

@@ -0,0 +1,59 @@
+require_relative "../spec_helper"
+describe "Customizing throttled response" do
+  before do
+    Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+    Rack::Attack.throttle("by ip", limit: 1, period: 60) do |request|
+      request.ip
+    end
+  end
+  it "can be customized" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 200, last_response.status
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 429, last_response.status
+    Rack::Attack.throttled_response = lambda do |_env|
+      [503, {}, ["Throttled"]]
+    end
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 503, last_response.status
+    assert_equal "Throttled", last_response.body
+  end
+  it "exposes match data" do
+    matched = nil
+    match_type = nil
+    match_data = nil
+    match_discriminator = nil
+    Rack::Attack.throttled_response = lambda do |env|
+      matched = env['rack.attack.matched']
+      match_type = env['rack.attack.match_type']
+      match_data = env['rack.attack.match_data']
+      match_discriminator = env['rack.attack.match_discriminator']
+      [429, {}, ["Throttled"]]
+    end
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal "by ip", matched
+    assert_equal :throttle, match_type
+    assert_equal 60, match_data[:period]
+    assert_equal 1, match_data[:limit]
+    assert_equal 2, match_data[:count]
+    assert_equal "1.2.3.4", match_discriminator
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 3, match_data[:count]
+  end
+end