RubyGems - rack-attack - Versions diffs - 5.4.0 → 6.2.0 - Mend

rack-attack 5.4.0 → 6.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (68) hide show

checksums.yaml +4 -4
data/README.md +78 -27
data/Rakefile +3 -1
data/bin/setup +8 -0
data/lib/rack/attack.rb +137 -148
data/lib/rack/attack/allow2ban.rb +2 -0
data/lib/rack/attack/blocklist.rb +3 -1
data/lib/rack/attack/cache.rb +9 -4
data/lib/rack/attack/check.rb +5 -2
data/lib/rack/attack/fail2ban.rb +2 -0
data/lib/rack/attack/path_normalizer.rb +22 -18
data/lib/rack/attack/railtie.rb +21 -0
data/lib/rack/attack/request.rb +2 -0
data/lib/rack/attack/safelist.rb +3 -1
data/lib/rack/attack/store_proxy.rb +12 -24
data/lib/rack/attack/store_proxy/active_support_redis_store_proxy.rb +39 -0
data/lib/rack/attack/store_proxy/dalli_proxy.rb +27 -13
data/lib/rack/attack/store_proxy/mem_cache_store_proxy.rb +21 -0
data/lib/rack/attack/store_proxy/redis_cache_store_proxy.rb +23 -9
data/lib/rack/attack/store_proxy/redis_proxy.rb +16 -10
data/lib/rack/attack/store_proxy/redis_store_proxy.rb +5 -5
data/lib/rack/attack/throttle.rb +12 -8
data/lib/rack/attack/track.rb +9 -6
data/lib/rack/attack/version.rb +3 -1
data/spec/acceptance/allow2ban_spec.rb +2 -0
data/spec/acceptance/blocking_ip_spec.rb +4 -2
data/spec/acceptance/blocking_spec.rb +45 -3
data/spec/acceptance/blocking_subnet_spec.rb +4 -2
data/spec/acceptance/cache_store_config_for_allow2ban_spec.rb +50 -39
data/spec/acceptance/cache_store_config_for_fail2ban_spec.rb +38 -29
data/spec/acceptance/cache_store_config_for_throttle_spec.rb +2 -0
data/spec/acceptance/cache_store_config_with_rails_spec.rb +2 -0
data/spec/acceptance/customizing_blocked_response_spec.rb +2 -0
data/spec/acceptance/customizing_throttled_response_spec.rb +2 -0
data/spec/acceptance/extending_request_object_spec.rb +2 -0
data/spec/acceptance/fail2ban_spec.rb +2 -0
data/spec/acceptance/rails_middleware_spec.rb +41 -0
data/spec/acceptance/safelisting_ip_spec.rb +4 -2
data/spec/acceptance/safelisting_spec.rb +57 -3
data/spec/acceptance/safelisting_subnet_spec.rb +4 -2
data/spec/acceptance/stores/active_support_dalli_store_spec.rb +3 -23
data/spec/acceptance/stores/active_support_mem_cache_store_pooled_spec.rb +20 -0
data/spec/acceptance/stores/active_support_mem_cache_store_spec.rb +4 -24
data/spec/acceptance/stores/active_support_memory_store_spec.rb +3 -23
data/spec/acceptance/stores/active_support_redis_cache_store_pooled_spec.rb +10 -24
data/spec/acceptance/stores/active_support_redis_cache_store_spec.rb +9 -25
data/spec/acceptance/stores/active_support_redis_store_spec.rb +4 -24
data/spec/acceptance/stores/connection_pool_dalli_client_spec.rb +5 -23
data/spec/acceptance/stores/dalli_client_spec.rb +3 -23
data/spec/acceptance/stores/redis_spec.rb +1 -23
data/spec/acceptance/stores/redis_store_spec.rb +3 -23
data/spec/acceptance/throttling_spec.rb +7 -5
data/spec/acceptance/track_spec.rb +5 -3
data/spec/acceptance/track_throttle_spec.rb +5 -3
data/spec/allow2ban_spec.rb +20 -15
data/spec/fail2ban_spec.rb +20 -17
data/spec/integration/offline_spec.rb +3 -1
data/spec/rack_attack_dalli_proxy_spec.rb +2 -0
data/spec/rack_attack_instrumentation_spec.rb +42 -0
data/spec/rack_attack_path_normalizer_spec.rb +4 -2
data/spec/rack_attack_request_spec.rb +2 -0
data/spec/rack_attack_spec.rb +38 -34
data/spec/rack_attack_throttle_spec.rb +50 -19
data/spec/rack_attack_track_spec.rb +12 -7
data/spec/spec_helper.rb +10 -8
data/spec/support/cache_store_helper.rb +27 -1
metadata +48 -28
data/lib/rack/attack/store_proxy/mem_cache_proxy.rb +0 -50

data/spec/acceptance/cache_store_config_for_throttle_spec.rb CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require_relative "../spec_helper"
 describe "Cache store config when throttling without Rails" do

data/spec/acceptance/cache_store_config_with_rails_spec.rb CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require_relative "../spec_helper"
 require "minitest/stub_const"
 require "ostruct"

data/spec/acceptance/customizing_blocked_response_spec.rb CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require_relative "../spec_helper"
 describe "Customizing block responses" do

data/spec/acceptance/customizing_throttled_response_spec.rb CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require_relative "../spec_helper"
 describe "Customizing throttled response" do

data/spec/acceptance/extending_request_object_spec.rb CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require_relative "../spec_helper"
 describe "Extending the request object" do

data/spec/acceptance/fail2ban_spec.rb CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require_relative "../spec_helper"
 require "timecop"

data/spec/acceptance/rails_middleware_spec.rb ADDED

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+require_relative "../spec_helper"
+if defined?(Rails)
+  describe "Middleware for Rails" do
+    before do
+      @app = Class.new(Rails::Application) do
+        config.eager_load = false
+        config.logger = Logger.new(nil) # avoid creating the log/ directory automatically
+        config.cache_store = :null_store # avoid creating tmp/ directory for cache
+      end
+    end
+    if Gem::Version.new(Rails::VERSION::STRING) >= Gem::Version.new("5.1")
+      it "is used by default" do
+        @app.initialize!
+        assert_equal 1, @app.middleware.count(Rack::Attack)
+      end
+      it "is not added when it was added explicitly" do
+        @app.config.middleware.use(Rack::Attack)
+        @app.initialize!
+        assert_equal 1, @app.middleware.count(Rack::Attack)
+      end
+      it "is not added when it was explicitly deleted" do
+        @app.config.middleware.delete(Rack::Attack)
+        @app.initialize!
+        refute @app.middleware.include?(Rack::Attack)
+      end
+    end
+    if Gem::Version.new(Rails::VERSION::STRING) < Gem::Version.new("5.1")
+      it "is not used by default" do
+        @app.initialize!
+        assert_equal 0, @app.middleware.count(Rack::Attack)
+      end
+    end
+  end
+end

data/spec/acceptance/safelisting_ip_spec.rb CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require_relative "../spec_helper"
 describe "Safelist an IP" do
@@ -36,8 +38,8 @@ describe "Safelist an IP" do
   it "notifies when the request is safe" do
     notification_type = nil
-    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
-      notification_type = request.env["rack.attack.match_type"]
+    ActiveSupport::Notifications.subscribe("safelist.rack_attack") do |_name, _start, _finish, _id, payload|
+      notification_type = payload[:request].env["rack.attack.match_type"]
     end
     get "/admin", {}, "REMOTE_ADDR" => "5.6.7.8"

data/spec/acceptance/safelisting_spec.rb CHANGED

@@ -1,6 +1,60 @@
+# frozen_string_literal: true
 require_relative "../spec_helper"
 describe "#safelist" do
+  before do
+    Rack::Attack.blocklist do |request|
+      request.ip == "1.2.3.4"
+    end
+    Rack::Attack.safelist do |request|
+      request.path == "/safe_space"
+    end
+  end
+  it "forbids request if blocklist condition is true and safelist is false" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 403, last_response.status
+  end
+  it "succeeds if blocklist condition is false and safelist is false" do
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+    assert_equal 200, last_response.status
+  end
+  it "succeeds request if blocklist condition is false and safelist is true" do
+    get "/safe_space", {}, "REMOTE_ADDR" => "5.6.7.8"
+    assert_equal 200, last_response.status
+  end
+  it "succeeds request if both blocklist and safelist conditions are true" do
+    get "/safe_space", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 200, last_response.status
+  end
+  it "notifies when the request is safe" do
+    notification_matched = nil
+    notification_type = nil
+    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, payload|
+      notification_matched = payload[:request].env["rack.attack.matched"]
+      notification_type = payload[:request].env["rack.attack.match_type"]
+    end
+    get "/safe_space", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 200, last_response.status
+    assert_nil notification_matched
+    assert_equal :safelist, notification_type
+  end
+end
+describe "#safelist with name" do
   before do
     Rack::Attack.blocklist("block 1.2.3.4") do |request|
       request.ip == "1.2.3.4"
@@ -39,9 +93,9 @@ describe "#safelist" do
     notification_matched = nil
     notification_type = nil
-    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
-      notification_matched = request.env["rack.attack.matched"]
-      notification_type = request.env["rack.attack.match_type"]
+    ActiveSupport::Notifications.subscribe("safelist.rack_attack") do |_name, _start, _finish, _id, payload|
+      notification_matched = payload[:request].env["rack.attack.matched"]
+      notification_type = payload[:request].env["rack.attack.match_type"]
     end
     get "/safe_space", {}, "REMOTE_ADDR" => "1.2.3.4"

data/spec/acceptance/safelisting_subnet_spec.rb CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require_relative "../spec_helper"
 describe "Safelisting an IP subnet" do
@@ -36,8 +38,8 @@ describe "Safelisting an IP subnet" do
   it "notifies when the request is safe" do
     notification_type = nil
-    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
-      notification_type = request.env["rack.attack.match_type"]
+    ActiveSupport::Notifications.subscribe("safelist.rack_attack") do |_name, _start, _finish, _id, payload|
+      notification_type = payload[:request].env["rack.attack.match_type"]
     end
     get "/admin", {}, "REMOTE_ADDR" => "5.6.0.0"

data/spec/acceptance/stores/active_support_dalli_store_spec.rb CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require_relative "../../spec_helper"
 if defined?(::Dalli)
@@ -14,28 +16,6 @@ if defined?(::Dalli)
       Rack::Attack.cache.store.clear
     end
-    it_works_for_cache_backed_features
-    it "doesn't leak keys" do
-      Rack::Attack.throttle("by ip", limit: 1, period: 1) do |request|
-        request.ip
-      end
-      key = nil
-      # Freeze time during these statement to be sure that the key used by rack attack is the same
-      # we pre-calculate in local variable `key`
-      Timecop.freeze do
-        key = "rack::attack:#{Time.now.to_i}:by ip:1.2.3.4"
-        get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
-      end
-      assert Rack::Attack.cache.store.fetch(key)
-      sleep 2.1
-      assert_nil Rack::Attack.cache.store.fetch(key)
-    end
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.fetch(key) })
   end
 end

data/spec/acceptance/stores/active_support_mem_cache_store_pooled_spec.rb ADDED

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+require_relative "../../spec_helper"
+if defined?(::ConnectionPool) && defined?(::Dalli)
+  require_relative "../../support/cache_store_helper"
+  require "timecop"
+  describe "ActiveSupport::Cache::MemCacheStore (pooled) as a cache backend" do
+    before do
+      Rack::Attack.cache.store = ActiveSupport::Cache::MemCacheStore.new(pool_size: 2)
+    end
+    after do
+      Rack::Attack.cache.store.clear
+    end
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.read(key) })
+  end
+end

data/spec/acceptance/stores/active_support_mem_cache_store_spec.rb CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require_relative "../../spec_helper"
 if defined?(::Dalli)
@@ -10,31 +12,9 @@ if defined?(::Dalli)
     end
     after do
-      Rack::Attack.cache.store.flush_all
+      Rack::Attack.cache.store.clear
     end
-    it_works_for_cache_backed_features
-    it "doesn't leak keys" do
-      Rack::Attack.throttle("by ip", limit: 1, period: 1) do |request|
-        request.ip
-      end
-      key = nil
-      # Freeze time during these statement to be sure that the key used by rack attack is the same
-      # we pre-calculate in local variable `key`
-      Timecop.freeze do
-        key = "rack::attack:#{Time.now.to_i}:by ip:1.2.3.4"
-        get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
-      end
-      assert Rack::Attack.cache.store.get(key)
-      sleep 2.1
-      assert_nil Rack::Attack.cache.store.get(key)
-    end
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.read(key) })
   end
 end

data/spec/acceptance/stores/active_support_memory_store_spec.rb CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require_relative "../../spec_helper"
 require_relative "../../support/cache_store_helper"
@@ -12,27 +14,5 @@ describe "ActiveSupport::Cache::MemoryStore as a cache backend" do
     Rack::Attack.cache.store.clear
   end
-  it_works_for_cache_backed_features
-  it "doesn't leak keys" do
-    Rack::Attack.throttle("by ip", limit: 1, period: 1) do |request|
-      request.ip
-    end
-    key = nil
-    # Freeze time during these statement to be sure that the key used by rack attack is the same
-    # we pre-calculate in local variable `key`
-    Timecop.freeze do
-      key = "rack::attack:#{Time.now.to_i}:by ip:1.2.3.4"
-      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
-    end
-    assert Rack::Attack.cache.store.fetch(key)
-    sleep 2.1
-    assert_nil Rack::Attack.cache.store.fetch(key)
-  end
+  it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.fetch(key) })
 end

data/spec/acceptance/stores/active_support_redis_cache_store_pooled_spec.rb CHANGED

@@ -1,6 +1,14 @@
+# frozen_string_literal: true
 require_relative "../../spec_helper"
-if defined?(::ConnectionPool) && defined?(::Redis) && defined?(::ActiveSupport::Cache::RedisCacheStore)
+should_run =
+  defined?(::ConnectionPool) &&
+  defined?(::Redis) &&
+  Gem::Version.new(::Redis::VERSION) >= Gem::Version.new("4") &&
+  defined?(::ActiveSupport::Cache::RedisCacheStore)
+if should_run
   require_relative "../../support/cache_store_helper"
   require "timecop"
@@ -13,28 +21,6 @@ if defined?(::ConnectionPool) && defined?(::Redis) && defined?(::ActiveSupport::
       Rack::Attack.cache.store.clear
     end
-    it_works_for_cache_backed_features
-    it "doesn't leak keys" do
-      Rack::Attack.throttle("by ip", limit: 1, period: 1) do |request|
-        request.ip
-      end
-      key = nil
-      # Freeze time during these statement to be sure that the key used by rack attack is the same
-      # we pre-calculate in local variable `key`
-      Timecop.freeze do
-        key = "rack::attack:#{Time.now.to_i}:by ip:1.2.3.4"
-        get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
-      end
-      assert Rack::Attack.cache.store.fetch(key)
-      sleep 2.1
-      assert_nil Rack::Attack.cache.store.fetch(key)
-    end
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.fetch(key) })
   end
 end

data/spec/acceptance/stores/active_support_redis_cache_store_spec.rb CHANGED

@@ -1,6 +1,13 @@
+# frozen_string_literal: true
 require_relative "../../spec_helper"
-if defined?(::Redis) && defined?(::ActiveSupport::Cache::RedisCacheStore)
+should_run =
+  defined?(::Redis) &&
+  Gem::Version.new(::Redis::VERSION) >= Gem::Version.new("4") &&
+  defined?(::ActiveSupport::Cache::RedisCacheStore)
+if should_run
   require_relative "../../support/cache_store_helper"
   require "timecop"
@@ -13,29 +20,6 @@ if defined?(::Redis) && defined?(::ActiveSupport::Cache::RedisCacheStore)
       Rack::Attack.cache.store.clear
     end
-    it_works_for_cache_backed_features
-    it "doesn't leak keys" do
-      Rack::Attack.throttle("by ip", limit: 1, period: 1) do |request|
-        request.ip
-      end
-      key = nil
-      # Freeze time during these statement to be sure that the key used by rack attack is the same
-      # we pre-calculate in local variable `key`
-      Timecop.freeze do
-        key = "rack::attack:#{Time.now.to_i}:by ip:1.2.3.4"
-        # puts key
-        get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
-      end
-      assert Rack::Attack.cache.store.fetch(key)
-      sleep 2.1
-      assert_nil Rack::Attack.cache.store.fetch(key)
-    end
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.fetch(key) })
   end
 end

data/spec/acceptance/stores/active_support_redis_store_spec.rb CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require_relative "../../spec_helper"
 if defined?(::ActiveSupport::Cache::RedisStore)
@@ -10,31 +12,9 @@ if defined?(::ActiveSupport::Cache::RedisStore)
     end
     after do
-      Rack::Attack.cache.store.flushdb
+      Rack::Attack.cache.store.clear
     end
-    it_works_for_cache_backed_features
-    it "doesn't leak keys" do
-      Rack::Attack.throttle("by ip", limit: 1, period: 1) do |request|
-        request.ip
-      end
-      key = nil
-      # Freeze time during these statement to be sure that the key used by rack attack is the same
-      # we pre-calculate in local variable `key`
-      Timecop.freeze do
-        key = "rack::attack:#{Time.now.to_i}:by ip:1.2.3.4"
-        get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
-      end
-      assert Rack::Attack.cache.store.read(key)
-      sleep 2.1
-      assert_nil Rack::Attack.cache.store.read(key)
-    end
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.read(key) })
   end
 end