rack-attack 5.3.1 → 5.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f06d0fae1f4dc5d960274ca06a4da7be66a1180a3df051595c98813296e80e46
-  data.tar.gz: 32fa128bb61140836c8fcce73d1cd972c3987405e581a43dea2334d6ba05cfa7
+  metadata.gz: 123608043cbaa1604ab2d7b06c056010decd274dd4a5b1fe8f2175cec766fa4d
+  data.tar.gz: 2bd3ca91293545b76221608f144c1a43a458fbd9e6f2e8ea2647bf561d8ea9a9
 SHA512:
-  metadata.gz: 7d7be10e1ddb908f07fb10aec414f47fcb9d23289eacd98a1a91e1f87ffa0212d63f424fff44bcfa0b0154263518d807e535bcd8791200c8dc290ea31bd4395e
-  data.tar.gz: c99bfe7df1e11591e80526fd17b414494ddaa797906a4cced2beca884fe51db9fe9ce9d4dd99ee92ac98921a35f87361944ca4d8895b83a86ccc442b6d5cae31
+  metadata.gz: '06388ad68edc65019740c9ee77347f817b0769e782d0f8564ac5ac6b9c7fa819fe2157a10d89b570c78c14ef5a86fe080fac30aba8ebdfed281f2073785f5685'
+  data.tar.gz: a15cc2cef9eebda52d662fe3eeee3f187d5b575c089a1fa2cf5e0179012499f6440889349a47108c4017f8b73dd18985655dc933baf8c031e08d73ea23d1dbba

data/README.md

@@ -303,13 +303,13 @@ Here's an example response that includes conventional `X-RateLimit-*` headers:
 
 ```ruby
 Rack::Attack.throttled_response = lambda do |env|
-  now = Time.now
   match_data = env['rack.attack.match_data']
+  now = match_data[:epoch_time]
 
   headers = {
     'X-RateLimit-Limit' => match_data[:limit].to_s,
     'X-RateLimit-Remaining' => '0',
-    'X-RateLimit-Reset' => (now + (match_data[:period] - now.to_i % match_data[:period])).to_s
+    'X-RateLimit-Reset' => (now + (match_data[:period] - now % match_data[:period])).to_s
   }
 
   [ 429, headers, ["Throttled\n"]]
@@ -320,7 +320,7 @@ end
 For responses that did not exceed a throttle limit, Rack::Attack annotates the env with match data:
 
 ```ruby
-request.env['rack.attack.throttle_data'][name] # => { :count => n, :period => p, :limit => l }
+request.env['rack.attack.throttle_data'][name] # => { :count => n, :period => p, :limit => l, :epoch_time => t }
 ```
 
 ## Logging & Instrumentation

data/Rakefile

@@ -20,7 +20,8 @@ namespace :test do
   end
 end
 
-desc 'Run tests'
-task :test => %w[test:units test:integration test:acceptance]
+Rake::TestTask.new(:test) do |t|
+  t.pattern = "spec/**/*_spec.rb"
+end
 
 task :default => [:rubocop, :test]

data/lib/rack/attack.rb

@@ -17,6 +17,7 @@ class Rack::Attack
   autoload :StoreProxy,           'rack/attack/store_proxy'
   autoload :DalliProxy,           'rack/attack/store_proxy/dalli_proxy'
   autoload :MemCacheProxy,        'rack/attack/store_proxy/mem_cache_proxy'
+  autoload :RedisProxy,           'rack/attack/store_proxy/redis_proxy'
   autoload :RedisStoreProxy,      'rack/attack/store_proxy/redis_store_proxy'
   autoload :RedisCacheStoreProxy, 'rack/attack/store_proxy/redis_cache_store_proxy'
   autoload :Fail2Ban,             'rack/attack/fail2ban'
@@ -81,40 +82,40 @@ class Rack::Attack
       blocklists
     end
 
-    def safelisted?(req)
-      ip_safelists.any? { |safelist| safelist.match?(req) } ||
-        safelists.any? { |_name, safelist| safelist.match?(req) }
+    def safelisted?(request)
+      ip_safelists.any? { |safelist| safelist.matched_by?(request) } ||
+        safelists.any? { |_name, safelist| safelist.matched_by?(request) }
     end
 
-    def whitelisted?(req)
+    def whitelisted?(request)
       warn "[DEPRECATION] 'Rack::Attack.whitelisted?' is deprecated.  Please use 'safelisted?' instead."
-      safelisted?(req)
+      safelisted?(request)
     end
 
-    def blocklisted?(req)
-      ip_blocklists.any? { |blocklist| blocklist.match?(req) } ||
-        blocklists.any? { |_name, blocklist| blocklist.match?(req) }
+    def blocklisted?(request)
+      ip_blocklists.any? { |blocklist| blocklist.matched_by?(request) } ||
+        blocklists.any? { |_name, blocklist| blocklist.matched_by?(request) }
     end
 
-    def blacklisted?(req)
+    def blacklisted?(request)
       warn "[DEPRECATION] 'Rack::Attack.blacklisted?' is deprecated.  Please use 'blocklisted?' instead."
-      blocklisted?(req)
+      blocklisted?(request)
     end
 
-    def throttled?(req)
+    def throttled?(request)
       throttles.any? do |_name, throttle|
-        throttle[req]
+        throttle.matched_by?(request)
       end
     end
 
-    def tracked?(req)
-      tracks.each_value do |tracker|
-        tracker[req]
+    def tracked?(request)
+      tracks.each_value do |track|
+        track.matched_by?(request)
       end
     end
 
-    def instrument(req)
-      notifier.instrument('rack.attack', req) if notifier
+    def instrument(request)
+      notifier.instrument('rack.attack', request) if notifier
     end
 
     def cache
@@ -167,16 +168,16 @@ class Rack::Attack
 
   def call(env)
     env['PATH_INFO'] = PathNormalizer.normalize_path(env['PATH_INFO'])
-    req = Rack::Attack::Request.new(env)
+    request = Rack::Attack::Request.new(env)
 
-    if safelisted?(req)
+    if safelisted?(request)
       @app.call(env)
-    elsif blocklisted?(req)
+    elsif blocklisted?(request)
       self.class.blocklisted_response.call(env)
-    elsif throttled?(req)
+    elsif throttled?(request)
       self.class.throttled_response.call(env)
     else
-      tracked?(req)
+      tracked?(request)
       @app.call(env)
     end
   end

data/lib/rack/attack/cache.rb

@@ -2,6 +2,7 @@ module Rack
   class Attack
     class Cache
       attr_accessor :prefix
+      attr_reader :last_epoch_time
 
       def initialize
         self.store = ::Rails.cache if defined?(::Rails.cache)
@@ -41,10 +42,10 @@ module Rack
       private
 
       def key_and_expiry(unprefixed_key, period)
-        epoch_time = Time.now.to_i
+        @last_epoch_time = Time.now.to_i
         # Add 1 to expires_in to avoid timing error: https://git.io/i1PHXA
-        expires_in = (period - (epoch_time % period) + 1).to_i
-        ["#{prefix}:#{(epoch_time / period).to_i}:#{unprefixed_key}", expires_in]
+        expires_in = (period - (@last_epoch_time % period) + 1).to_i
+        ["#{prefix}:#{(@last_epoch_time / period).to_i}:#{unprefixed_key}", expires_in]
       end
 
       def do_count(key, expires_in)

data/lib/rack/attack/check.rb

@@ -7,17 +7,15 @@ module Rack
         @type = options.fetch(:type, nil)
       end
 
-      def [](req)
-        block[req].tap { |match|
+      def matched_by?(request)
+        block.call(request).tap do |match|
           if match
-            req.env["rack.attack.matched"] = name
-            req.env["rack.attack.match_type"] = type
-            Rack::Attack.instrument(req)
+            request.env["rack.attack.matched"] = name
+            request.env["rack.attack.match_type"] = type
+            Rack::Attack.instrument(request)
           end
-        }
+        end
       end
-
-      alias_method :match?, :[]
     end
   end
 end

data/lib/rack/attack/store_proxy.rb

@@ -1,7 +1,7 @@
 module Rack
   class Attack
     module StoreProxy
-      PROXIES = [DalliProxy, MemCacheProxy, RedisStoreProxy, RedisCacheStoreProxy].freeze
+      PROXIES = [DalliProxy, MemCacheProxy, RedisStoreProxy, RedisProxy, RedisCacheStoreProxy].freeze
 
       ACTIVE_SUPPORT_WRAPPER_CLASSES = Set.new(['ActiveSupport::Cache::MemCacheStore', 'ActiveSupport::Cache::RedisStore', 'ActiveSupport::Cache::RedisCacheStore']).freeze
       ACTIVE_SUPPORT_CLIENTS = Set.new(['Redis::Store', 'Dalli::Client', 'MemCache']).freeze

data/lib/rack/attack/store_proxy/redis_cache_store_proxy.rb

@@ -5,7 +5,7 @@ module Rack
     module StoreProxy
       class RedisCacheStoreProxy < SimpleDelegator
         def self.handle?(store)
-          defined?(::ActiveSupport::Cache::RedisCacheStore) && store.is_a?(::ActiveSupport::Cache::RedisCacheStore)
+          defined?(::Redis) && defined?(::ActiveSupport::Cache::RedisCacheStore) && store.is_a?(::ActiveSupport::Cache::RedisCacheStore)
         end
 
         def increment(name, amount = 1, options = {})
@@ -16,7 +16,7 @@ module Rack
           if options[:expires_in] && !read(name)
             write(name, amount, options)
 
-            1
+            amount
           else
             super
           end

data/lib/rack/attack/store_proxy/redis_proxy.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require 'delegate'
+
+module Rack
+  class Attack
+    module StoreProxy
+      class RedisProxy < SimpleDelegator
+        def initialize(*args)
+          if Gem::Version.new(Redis::VERSION) < Gem::Version.new("3")
+            warn 'RackAttack requires Redis gem >= 3.0.0.'
+          end
+
+          super(*args)
+        end
+
+        def self.handle?(store)
+          defined?(::Redis) && store.is_a?(::Redis)
+        end
+
+        def read(key)
+          get(key)
+        rescue Redis::BaseError
+        end
+
+        def write(key, value, options = {})
+          if (expires_in = options[:expires_in])
+            setex(key, expires_in, value)
+          else
+            set(key, value)
+          end
+        rescue Redis::BaseError
+        end
+
+        def increment(key, amount, options = {})
+          count = nil
+
+          pipelined do
+            count = incrby(key, amount)
+            expire(key, options[:expires_in]) if options[:expires_in]
+          end
+
+          count.value if count
+        rescue Redis::BaseError
+        end
+
+        def delete(key, _options = {})
+          del(key)
+        rescue Redis::BaseError
+        end
+      end
+    end
+  end
+end

data/lib/rack/attack/store_proxy/redis_store_proxy.rb

@@ -3,15 +3,11 @@ require 'delegate'
 module Rack
   class Attack
     module StoreProxy
-      class RedisStoreProxy < SimpleDelegator
+      class RedisStoreProxy < RedisProxy
         def self.handle?(store)
           defined?(::Redis::Store) && store.is_a?(::Redis::Store)
         end
 
-        def initialize(store)
-          super(store)
-        end
-
         def read(key)
           get(key, raw: true)
         rescue Redis::BaseError
@@ -25,23 +21,6 @@ module Rack
           end
         rescue Redis::BaseError
         end
-
-        def increment(key, amount, options = {})
-          count = nil
-
-          pipelined do
-            count = incrby(key, amount)
-            expire(key, options[:expires_in]) if options[:expires_in]
-          end
-
-          count.value if count
-        rescue Redis::BaseError
-        end
-
-        def delete(key, _options = {})
-          del(key)
-        rescue Redis::BaseError
-        end
       end
     end
   end

data/lib/rack/attack/throttle.rb

@@ -18,29 +18,32 @@ module Rack
         Rack::Attack.cache
       end
 
-      def [](req)
-        discriminator = block[req]
+      def matched_by?(request)
+        discriminator = block.call(request)
         return false unless discriminator
 
-        current_period = period.respond_to?(:call) ? period.call(req) : period
-        current_limit  = limit.respond_to?(:call) ? limit.call(req) : limit
+        current_period = period.respond_to?(:call) ? period.call(request) : period
+        current_limit  = limit.respond_to?(:call) ? limit.call(request) : limit
         key            = "#{name}:#{discriminator}"
         count          = cache.count(key, current_period)
+        epoch_time     = cache.last_epoch_time
 
         data = {
           :count => count,
           :period => current_period,
-          :limit => current_limit
+          :limit => current_limit,
+          :epoch_time => epoch_time
         }
-        (req.env['rack.attack.throttle_data'] ||= {})[name] = data
+
+        (request.env['rack.attack.throttle_data'] ||= {})[name] = data
 
         (count > current_limit).tap do |throttled|
           if throttled
-            req.env['rack.attack.matched']             = name
-            req.env['rack.attack.match_discriminator'] = discriminator
-            req.env['rack.attack.match_type']          = type
-            req.env['rack.attack.match_data']          = data
-            Rack::Attack.instrument(req)
+            request.env['rack.attack.matched']             = name
+            request.env['rack.attack.match_discriminator'] = discriminator
+            request.env['rack.attack.match_type']          = type
+            request.env['rack.attack.match_data']          = data
+            Rack::Attack.instrument(request)
           end
         end
       end

data/lib/rack/attack/track.rb

@@ -1,8 +1,6 @@
 module Rack
   class Attack
     class Track
-      extend Forwardable
-
       attr_reader :filter
 
       def initialize(name, options = {}, block)
@@ -15,7 +13,9 @@ module Rack
         end
       end
 
-      def_delegator :@filter, :[]
+      def matched_by?(request)
+        filter.matched_by?(request)
+      end
     end
   end
 end

data/lib/rack/attack/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class Attack
-    VERSION = '5.3.1'
+    VERSION = '5.4.0'
   end
 end

data/spec/acceptance/stores/active_support_dalli_store_spec.rb

@@ -0,0 +1,41 @@
+require_relative "../../spec_helper"
+
+if defined?(::Dalli)
+  require_relative "../../support/cache_store_helper"
+  require "active_support/cache/dalli_store"
+  require "timecop"
+
+  describe "ActiveSupport::Cache::DalliStore as a cache backend" do
+    before do
+      Rack::Attack.cache.store = ActiveSupport::Cache::DalliStore.new
+    end
+
+    after do
+      Rack::Attack.cache.store.clear
+    end
+
+    it_works_for_cache_backed_features
+
+    it "doesn't leak keys" do
+      Rack::Attack.throttle("by ip", limit: 1, period: 1) do |request|
+        request.ip
+      end
+
+      key = nil
+
+      # Freeze time during these statement to be sure that the key used by rack attack is the same
+      # we pre-calculate in local variable `key`
+      Timecop.freeze do
+        key = "rack::attack:#{Time.now.to_i}:by ip:1.2.3.4"
+
+        get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      end
+
+      assert Rack::Attack.cache.store.fetch(key)
+
+      sleep 2.1
+
+      assert_nil Rack::Attack.cache.store.fetch(key)
+    end
+  end
+end

data/spec/acceptance/stores/active_support_mem_cache_store_spec.rb

@@ -0,0 +1,40 @@
+require_relative "../../spec_helper"
+
+if defined?(::Dalli)
+  require_relative "../../support/cache_store_helper"
+  require "timecop"
+
+  describe "ActiveSupport::Cache::MemCacheStore as a cache backend" do
+    before do
+      Rack::Attack.cache.store = ActiveSupport::Cache::MemCacheStore.new
+    end
+
+    after do
+      Rack::Attack.cache.store.flush_all
+    end
+
+    it_works_for_cache_backed_features
+
+    it "doesn't leak keys" do
+      Rack::Attack.throttle("by ip", limit: 1, period: 1) do |request|
+        request.ip
+      end
+
+      key = nil
+
+      # Freeze time during these statement to be sure that the key used by rack attack is the same
+      # we pre-calculate in local variable `key`
+      Timecop.freeze do
+        key = "rack::attack:#{Time.now.to_i}:by ip:1.2.3.4"
+
+        get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      end
+
+      assert Rack::Attack.cache.store.get(key)
+
+      sleep 2.1
+
+      assert_nil Rack::Attack.cache.store.get(key)
+    end
+  end
+end