rack-attack 5.2.0 → 5.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 21a52aca7aa6592b23e6a3e99f0b06cf6d4d9eedb8366ec57fe4f9cfe804ea82
-  data.tar.gz: 32e0db149bc10308fb8b5ae737147e1c11c9f854e08b9f453d9a7066911308fe
+  metadata.gz: c8f4c760b1ff68e6fbe79cf7576cbe2e0cc79ef5e2734ff55e63b46665ed6731
+  data.tar.gz: 75d7dd7fc98035d3961952582373af467fcfd225dac11af8db4aaf1cbaaf44b8
 SHA512:
-  metadata.gz: 560d951d375a9114752b37a2858f48e85af9edcdeabb0073c6e6f8d179b6d10a0331a7abee625df4c0171f9c993bb105cc8e54fed9170fd47d288fb2bf29617a
-  data.tar.gz: b3993951744e2755873cc7ce0c6810c3780ad44c6c84491bda5277a46536589d15b26bd25e7849e7b20a4e28aebc86ed874cb0b61e0d988da54252a3b3e024dc
+  metadata.gz: 53ecb94578ea2497b660ca508b572b8a1f9a5a40e986b4bc6f834e05f90ea49eb4e721aefe4bd431b26754aeb33440fa4b43cc204705c035e61ada8e79d543dc
+  data.tar.gz: 22dbd120cdc634115f7096d5e9e4a44cc4ec97ae5dd11fc746b0e21e6b2ad860bb8bbd62c0bf7b7ee0f63d5803c568579b5569d3f849159751b25c236ede1520

data/README.md

@@ -4,9 +4,9 @@
 
 Protect your Rails and Rack apps from bad clients. Rack::Attack lets you easily decide when to *allow*, *block* and *throttle* based on properties of the request.
 
-See the [Backing & Hacking blog post](http://www.kickstarter.com/backing-and-hacking/rack-attack-protection-from-abusive-clients) introducing Rack::Attack.
+See the [Backing & Hacking blog post](https://www.kickstarter.com/backing-and-hacking/rack-attack-protection-from-abusive-clients) introducing Rack::Attack.
 
-[![Gem Version](https://badge.fury.io/rb/rack-attack.svg)](http://badge.fury.io/rb/rack-attack)
+[![Gem Version](https://badge.fury.io/rb/rack-attack.svg)](https://badge.fury.io/rb/rack-attack)
 [![Build Status](https://travis-ci.org/kickstarter/rack-attack.svg?branch=master)](https://travis-ci.org/kickstarter/rack-attack)
 [![Code Climate](https://codeclimate.com/github/kickstarter/rack-attack.svg)](https://codeclimate.com/github/kickstarter/rack-attack)
 
@@ -133,7 +133,7 @@ Rack::Attack.blocklist_ip("1.2.0.0/16")
 
 #### `blocklist(name, &block)`
 
-Name your custom blocklist and make your ruby-block argument returna a truthy value if you want the request to be blocked, and falsy otherwise.
+Name your custom blocklist and make your ruby-block argument return a truthy value if you want the request to be blocked, and falsy otherwise.
 
 The request object is a [Rack::Request](http://www.rubydoc.info/gems/rack/Rack/Request).
 
@@ -155,8 +155,8 @@ end
 #### Fail2Ban
 
 `Fail2Ban.filter` can be used within a blocklist to block all requests from misbehaving clients.
-This pattern is inspired by [fail2ban](http://www.fail2ban.org/wiki/index.php/Main_Page).
-See the [fail2ban documentation](http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Jail_Options) for more details on
+This pattern is inspired by [fail2ban](https://www.fail2ban.org/wiki/index.php/Main_Page).
+See the [fail2ban documentation](https://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Jail_Options) for more details on
 how the parameters work.  For multiple filters, be sure to put each filter in a separate blocklist and use a unique discriminator for each fail2ban filter.
 
 Fail2ban state is stored in a [configurable cache](#cache-store-configuration) (which defaults to `Rails.cache` if present).
@@ -272,7 +272,7 @@ Note that `Rack::Attack.cache` is only used for throttling, allow2ban and fail2b
 
 ## Customizing responses
 
-Customize the response of blocklisted and throttled requests using an object that adheres to the [Rack app interface](http://rack.rubyforge.org/doc/SPEC.html).
+Customize the response of blocklisted and throttled requests using an object that adheres to the [Rack app interface](http://www.rubydoc.info/github/rack/rack/file/SPEC).
 
 ```ruby
 Rack::Attack.blocklisted_response = lambda do |env|
@@ -388,7 +388,7 @@ so try to keep the number of throttle checks per request low.
 If a request is blocklisted or throttled, the response is a very simple Rack response.
 A single typical ruby web server thread can block several hundred requests per second.
 
-Rack::Attack complements tools like `iptables` and nginx's [limit_conn_zone module](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn_zone).
+Rack::Attack complements tools like `iptables` and nginx's [limit_conn_zone module](https://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn_zone).
 
 ## Motivation
 
@@ -402,26 +402,15 @@ less on short-term, one-off hacks to block a particular attack.
 
 ## Contributing
 
-Pull requests and issues are greatly appreciated. This project is intended to be
-a safe, welcoming space for collaboration, and contributors are expected to
-adhere to the [Code of Conduct](CODE_OF_CONDUCT.md).
+Check out the [Contributing guide](CONTRIBUTING.md).
 
-### Testing pull requests
+## Code of Conduct
 
-To run the minitest test suite, you will need both [Redis](http://redis.io/) and
-[Memcached](https://memcached.org/) running locally and bound to IP `127.0.0.1` on
-default ports (`6379` for Redis, and `11211` for Memcached) and able to be
-accessed without authentication.
+This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Code of Conduct](CODE_OF_CONDUCT.md).
 
-Install dependencies by running
-```sh
-bundle install
-```
+## Development setup
 
-Then run the test suite by running
-```sh
-bundle exec rake
-```
+Check out the [Development guide](docs/development.md).
 
 ## Mailing list
 
@@ -434,4 +423,4 @@ New releases of Rack::Attack are announced on
 
 Copyright Kickstarter, PBC.
 
-Released under an [MIT License](http://opensource.org/licenses/MIT).
+Released under an [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -13,7 +13,7 @@ namespace :test do
   end
 
   Rake::TestTask.new(:acceptance) do |t|
-    t.pattern = "spec/acceptance/*_spec.rb"
+    t.pattern = "spec/acceptance/**/*_spec.rb"
   end
 end
 

data/lib/rack/attack.rb

@@ -8,21 +8,21 @@ class Rack::Attack
   class MisconfiguredStoreError < StandardError; end
   class MissingStoreError < StandardError; end
 
-  autoload :Cache,           'rack/attack/cache'
-  autoload :Check,           'rack/attack/check'
-  autoload :Throttle,        'rack/attack/throttle'
-  autoload :Safelist,        'rack/attack/safelist'
-  autoload :Blocklist,       'rack/attack/blocklist'
-  autoload :Track,           'rack/attack/track'
-  autoload :StoreProxy,      'rack/attack/store_proxy'
-  autoload :DalliProxy,      'rack/attack/store_proxy/dalli_proxy'
-  autoload :MemCacheProxy,   'rack/attack/store_proxy/mem_cache_proxy'
-  autoload :RedisStoreProxy, 'rack/attack/store_proxy/redis_store_proxy'
-  autoload :Fail2Ban,        'rack/attack/fail2ban'
-  autoload :Allow2Ban,       'rack/attack/allow2ban'
+  autoload :Cache,                'rack/attack/cache'
+  autoload :Check,                'rack/attack/check'
+  autoload :Throttle,             'rack/attack/throttle'
+  autoload :Safelist,             'rack/attack/safelist'
+  autoload :Blocklist,            'rack/attack/blocklist'
+  autoload :Track,                'rack/attack/track'
+  autoload :StoreProxy,           'rack/attack/store_proxy'
+  autoload :DalliProxy,           'rack/attack/store_proxy/dalli_proxy'
+  autoload :MemCacheProxy,        'rack/attack/store_proxy/mem_cache_proxy'
+  autoload :RedisStoreProxy,      'rack/attack/store_proxy/redis_store_proxy'
+  autoload :RedisCacheStoreProxy, 'rack/attack/store_proxy/redis_cache_store_proxy'
+  autoload :Fail2Ban,             'rack/attack/fail2ban'
+  autoload :Allow2Ban,            'rack/attack/allow2ban'
 
   class << self
-
     attr_accessor :notifier, :blocklisted_response, :throttled_response
 
     def safelist(name, &block)
@@ -64,8 +64,11 @@ class Rack::Attack
     end
 
     def safelists;  @safelists  ||= {}; end
+
     def blocklists; @blocklists ||= {}; end
+
     def throttles;  @throttles  ||= {}; end
+
     def tracks;     @tracks     ||= {}; end
 
     def whitelists
@@ -99,7 +102,7 @@ class Rack::Attack
     end
 
     def throttled?(req)
-      throttles.any? do |name, throttle|
+      throttles.any? do |_name, throttle|
         throttle[req]
       end
     end
@@ -118,15 +121,20 @@ class Rack::Attack
       @cache ||= Cache.new
     end
 
-    def clear!
+    def clear_configuration
       @safelists, @blocklists, @throttles, @tracks = {}, {}, {}, {}
       @ip_blocklists = []
       @ip_safelists = []
     end
 
+    def clear!
+      warn "[DEPRECATION] Rack::Attack.clear! is deprecated. Please use Rack::Attack.clear_configuration instead"
+      clear_configuration
+    end
+
     def blacklisted_response=(res)
       warn "[DEPRECATION] 'Rack::Attack.blacklisted_response=' is deprecated.  Please use 'blocklisted_response=' instead."
-      self.blocklisted_response=(res)
+      self.blocklisted_response = res
     end
 
     def blacklisted_response
@@ -147,10 +155,10 @@ class Rack::Attack
 
   # Set defaults
   @notifier             = ActiveSupport::Notifications if defined?(ActiveSupport::Notifications)
-  @blocklisted_response = lambda {|env| [403, {'Content-Type' => 'text/plain'}, ["Forbidden\n"]] }
-  @throttled_response   = lambda {|env|
+  @blocklisted_response = lambda { |_env| [403, { 'Content-Type' => 'text/plain' }, ["Forbidden\n"]] }
+  @throttled_response   = lambda { |env|
     retry_after = (env['rack.attack.match_data'] || {})[:period]
-    [429, {'Content-Type' => 'text/plain', 'Retry-After' => retry_after.to_s}, ["Retry later\n"]]
+    [429, { 'Content-Type' => 'text/plain', 'Retry-After' => retry_after.to_s }, ["Retry later\n"]]
   }
 
   def initialize(app)
@@ -174,8 +182,5 @@ class Rack::Attack
   end
 
   extend Forwardable
-  def_delegators self, :safelisted?,
-                       :blocklisted?,
-                       :throttled?,
-                       :tracked?
+  def_delegators self, :safelisted?, :blocklisted?, :throttled?, :tracked?
 end

data/lib/rack/attack/allow2ban.rb

@@ -3,6 +3,7 @@ module Rack
     class Allow2Ban < Fail2Ban
       class << self
         protected
+
         def key_prefix
           'allow2ban'
         end

data/lib/rack/attack/blocklist.rb

@@ -5,7 +5,6 @@ module Rack
         super
         @type = :blocklist
       end
-
     end
   end
 end

data/lib/rack/attack/cache.rb

@@ -1,7 +1,6 @@
 module Rack
   class Attack
     class Cache
-
       attr_accessor :prefix
 
       def initialize
@@ -43,7 +42,7 @@ module Rack
 
       def key_and_expiry(unprefixed_key, period)
         epoch_time = Time.now.to_i
-        # Add 1 to expires_in to avoid timing error: http://git.io/i1PHXA
+        # Add 1 to expires_in to avoid timing error: https://git.io/i1PHXA
         expires_in = (period - (epoch_time % period) + 1).to_i
         ["#{prefix}:#{(epoch_time / period).to_i}:#{unprefixed_key}", expires_in]
       end

data/lib/rack/attack/check.rb

@@ -8,7 +8,7 @@ module Rack
       end
 
       def [](req)
-        block[req].tap {|match|
+        block[req].tap { |match|
           if match
             req.env["rack.attack.matched"] = name
             req.env["rack.attack.match_type"] = type
@@ -21,4 +21,3 @@ module Rack
     end
   end
 end
-

data/lib/rack/attack/fail2ban.rb

@@ -27,6 +27,7 @@ module Rack
         end
 
         protected
+
         def key_prefix
           'fail2ban'
         end
@@ -40,8 +41,8 @@ module Rack
           true
         end
 
-
         private
+
         def ban!(discriminator, bantime)
           cache.write("#{key_prefix}:ban:#{discriminator}", 1, bantime)
         end

data/lib/rack/attack/path_normalizer.rb

@@ -1,8 +1,7 @@
 class Rack::Attack
-
   # When using Rack::Attack with a Rails app, developers expect the request path
   # to be normalized. In particular, trailing slashes are stripped.
-  # (See http://git.io/v0rrR for implementation.)
+  # (See https://git.io/v0rrR for implementation.)
   #
   # Look for an ActionDispatch utility class that Rails folks would expect
   # to normalize request paths. If unavailable, use a fallback class that
@@ -15,10 +14,9 @@ class Rack::Attack
   end
 
   PathNormalizer = if defined?(::ActionDispatch::Journey::Router::Utils)
-                 # For Rails apps
-                 ::ActionDispatch::Journey::Router::Utils
-               else
-                 FallbackPathNormalizer
-               end
-
+                     # For Rails apps
+                     ::ActionDispatch::Journey::Router::Utils
+                   else
+                     FallbackPathNormalizer
+                   end
 end

data/lib/rack/attack/safelist.rb

@@ -5,7 +5,6 @@ module Rack
         super
         @type = :safelist
       end
-
     end
   end
 end

data/lib/rack/attack/store_proxy.rb

@@ -1,9 +1,9 @@
 module Rack
   class Attack
     module StoreProxy
-      PROXIES = [DalliProxy, MemCacheProxy, RedisStoreProxy].freeze
+      PROXIES = [DalliProxy, MemCacheProxy, RedisStoreProxy, RedisCacheStoreProxy].freeze
 
-      ACTIVE_SUPPORT_WRAPPER_CLASSES = Set.new(['ActiveSupport::Cache::MemCacheStore', 'ActiveSupport::Cache::RedisStore']).freeze
+      ACTIVE_SUPPORT_WRAPPER_CLASSES = Set.new(['ActiveSupport::Cache::MemCacheStore', 'ActiveSupport::Cache::RedisStore', 'ActiveSupport::Cache::RedisCacheStore']).freeze
       ACTIVE_SUPPORT_CLIENTS = Set.new(['Redis::Store', 'Dalli::Client', 'MemCache']).freeze
 
       def self.build(store)
@@ -12,8 +12,6 @@ module Rack
         klass ? klass.new(client) : client
       end
 
-
-      private
       def self.unwrap_active_support_stores(store)
         # ActiveSupport::Cache::RedisStore doesn't expose any way to set an expiry,
         # so use the raw Redis::Store instead.

data/lib/rack/attack/store_proxy/dalli_proxy.rb

@@ -28,14 +28,14 @@ module Rack
         rescue Dalli::DalliError
         end
 
-        def write(key, value, options={})
+        def write(key, value, options = {})
           with do |client|
             client.set(key, value, options.fetch(:expires_in, 0), raw: true)
           end
         rescue Dalli::DalliError
         end
 
-        def increment(key, amount, options={})
+        def increment(key, amount, options = {})
           with do |client|
             client.incr(key, amount, options.fetch(:expires_in, 0), amount)
           end
@@ -58,7 +58,6 @@ module Rack
             end
           end
         end
-
       end
     end
   end

data/lib/rack/attack/store_proxy/mem_cache_proxy.rb

@@ -14,21 +14,21 @@ module Rack
         def read(key)
           # Second argument: reading raw value
           get(key, true)
-          rescue MemCache::MemCacheError
+        rescue MemCache::MemCacheError
         end
 
-        def write(key, value, options={})
+        def write(key, value, options = {})
           # Third argument: writing raw value
           set(key, value, options.fetch(:expires_in, 0), true)
         rescue MemCache::MemCacheError
         end
 
-        def increment(key, amount, options={})
+        def increment(key, amount, _options = {})
           incr(key, amount)
         rescue MemCache::MemCacheError
         end
 
-        def delete(key, options={})
+        def delete(key, _options = {})
           with do |client|
             client.delete(key)
           end
@@ -44,7 +44,6 @@ module Rack
             end
           end
         end
-
       end
     end
   end

data/lib/rack/attack/store_proxy/redis_cache_store_proxy.rb

@@ -0,0 +1,30 @@
+require 'delegate'
+
+module Rack
+  class Attack
+    module StoreProxy
+      class RedisCacheStoreProxy < SimpleDelegator
+        def self.handle?(store)
+          defined?(::ActiveSupport::Cache::RedisCacheStore) && store.is_a?(::ActiveSupport::Cache::RedisCacheStore)
+        end
+
+        def increment(name, amount, options = {})
+          # Redis doesn't check expiration on the INCRBY command. See https://redis.io/commands/expire
+          count = redis.pipelined do
+            redis.incrby(name, amount)
+            redis.expire(name, options[:expires_in]) if options[:expires_in]
+          end
+          count.first
+        end
+
+        def read(name, options = {})
+          super(name, options.merge!({ raw: true }))
+        end
+
+        def write(name, value, options = {})
+          super(name, value, options.merge!({ raw: true }))
+        end
+      end
+    end
+  end
+end

data/lib/rack/attack/store_proxy/redis_store_proxy.rb

@@ -5,14 +5,7 @@ module Rack
     module StoreProxy
       class RedisStoreProxy < SimpleDelegator
         def self.handle?(store)
-          # Using const_defined? for now.
-          #
-          # Go back to use defined? once this ruby issue is
-          # fixed and released:
-          # https://bugs.ruby-lang.org/issues/14407
-          #
-          # defined?(::Redis::Store) && store.is_a?(::Redis::Store)
-          const_defined?("::Redis::Store") && store.is_a?(::Redis::Store)
+          defined?(::Redis::Store) && store.is_a?(::Redis::Store)
         end
 
         def initialize(store)
@@ -24,7 +17,7 @@ module Rack
         rescue Redis::BaseError
         end
 
-        def write(key, value, options={})
+        def write(key, value, options = {})
           if (expires_in = options[:expires_in])
             setex(key, expires_in, value, raw: true)
           else
@@ -33,7 +26,7 @@ module Rack
         rescue Redis::BaseError
         end
 
-        def increment(key, amount, options={})
+        def increment(key, amount, options = {})
           count = nil
 
           pipelined do
@@ -45,7 +38,7 @@ module Rack
         rescue Redis::BaseError
         end
 
-        def delete(key, options={})
+        def delete(key, _options = {})
           del(key)
         rescue Redis::BaseError
         end