rack-attack 5.4.2 → 6.0.0

data/lib/rack/attack/path_normalizer.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class Rack::Attack
   # When using Rack::Attack with a Rails app, developers expect the request path
   # to be normalized. In particular, trailing slashes are stripped.

data/lib/rack/attack/request.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Rack::Attack::Request is the same as ::Rack::Request by default.
 #
 # This is a safe place to add custom helper methods to the request object

data/lib/rack/attack/safelist.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 module Rack
   class Attack
     class Safelist < Check
-      def initialize(name, block)
+      def initialize(name = nil, &block)
         super
         @type = :safelist
       end

data/lib/rack/attack/store_proxy.rb

@@ -1,22 +1,20 @@
+# frozen_string_literal: true
+
 module Rack
   class Attack
     module StoreProxy
-      PROXIES = [DalliProxy, MemCacheStoreProxy, MemCacheProxy, RedisStoreProxy, RedisProxy, RedisCacheStoreProxy].freeze
+      PROXIES = [
+        DalliProxy,
+        MemCacheStoreProxy,
+        RedisStoreProxy,
+        RedisProxy,
+        RedisCacheStoreProxy,
+        ActiveSupportRedisStoreProxy
+      ].freeze
 
       def self.build(store)
-        client = unwrap_active_support_stores(store)
-        klass = PROXIES.find { |proxy| proxy.handle?(client) }
-        klass ? klass.new(client) : client
-      end
-
-      def self.unwrap_active_support_stores(store)
-        # ActiveSupport::Cache::RedisStore doesn't expose any way to set an expiry,
-        # so use the raw Redis::Store instead.
-        if store.class.name == 'ActiveSupport::Cache::RedisStore'
-          store.instance_variable_get(:@data)
-        else
-          store
-        end
+        klass = PROXIES.find { |proxy| proxy.handle?(store) }
+        klass ? klass.new(store) : store
       end
     end
   end

data/lib/rack/attack/store_proxy/active_support_redis_store_proxy.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'delegate'
+
+module Rack
+  class Attack
+    module StoreProxy
+      class ActiveSupportRedisStoreProxy < SimpleDelegator
+        def self.handle?(store)
+          defined?(::Redis) && defined?(::ActiveSupport::Cache::RedisStore) && store.is_a?(::ActiveSupport::Cache::RedisStore)
+        end
+
+        def increment(name, amount = 1, options = {})
+          # #increment ignores options[:expires_in].
+          #
+          # So in order to workaround this we use #write (which sets expiration) to initialize
+          # the counter. After that we continue using the original #increment.
+          if options[:expires_in] && !read(name)
+            write(name, amount, options)
+
+            amount
+          else
+            super
+          end
+        end
+
+        def read(name, options = {})
+          super(name, options.merge!(raw: true))
+        end
+
+        def write(name, value, options = {})
+          super(name, value, options.merge!(raw: true))
+        end
+      end
+    end
+  end
+end

data/lib/rack/attack/store_proxy/dalli_proxy.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'delegate'
 
 module Rack
@@ -22,31 +24,35 @@ module Rack
         end
 
         def read(key)
-          with do |client|
-            client.get(key)
+          rescuing do
+            with do |client|
+              client.get(key)
+            end
           end
-        rescue Dalli::DalliError
         end
 
         def write(key, value, options = {})
-          with do |client|
-            client.set(key, value, options.fetch(:expires_in, 0), raw: true)
+          rescuing do
+            with do |client|
+              client.set(key, value, options.fetch(:expires_in, 0), raw: true)
+            end
           end
-        rescue Dalli::DalliError
         end
 
         def increment(key, amount, options = {})
-          with do |client|
-            client.incr(key, amount, options.fetch(:expires_in, 0), amount)
+          rescuing do
+            with do |client|
+              client.incr(key, amount, options.fetch(:expires_in, 0), amount)
+            end
           end
-        rescue Dalli::DalliError
         end
 
         def delete(key)
-          with do |client|
-            client.delete(key)
+          rescuing do
+            with do |client|
+              client.delete(key)
+            end
           end
-        rescue Dalli::DalliError
         end
 
         private
@@ -54,10 +60,18 @@ module Rack
         def stub_with_if_missing
           unless __getobj__.respond_to?(:with)
             class << self
-              def with; yield __getobj__; end
+              def with
+                yield __getobj__
+              end
             end
           end
         end
+
+        def rescuing
+          yield
+        rescue Dalli::DalliError
+          nil
+        end
       end
     end
   end

data/lib/rack/attack/store_proxy/redis_cache_store_proxy.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'delegate'
 
 module Rack
@@ -22,10 +24,6 @@ module Rack
           end
         end
 
-        def read(name, options = {})
-          super(name, options.merge!(raw: true))
-        end
-
         def write(name, value, options = {})
           super(name, value, options.merge!(raw: true))
         end

data/lib/rack/attack/store_proxy/redis_proxy.rb

@@ -19,34 +19,40 @@ module Rack
         end
 
         def read(key)
-          get(key)
-        rescue Redis::BaseError
+          rescuing { get(key) }
         end
 
         def write(key, value, options = {})
           if (expires_in = options[:expires_in])
-            setex(key, expires_in, value)
+            rescuing { setex(key, expires_in, value) }
           else
-            set(key, value)
+            rescuing { set(key, value) }
           end
-        rescue Redis::BaseError
         end
 
         def increment(key, amount, options = {})
           count = nil
 
-          pipelined do
-            count = incrby(key, amount)
-            expire(key, options[:expires_in]) if options[:expires_in]
+          rescuing do
+            pipelined do
+              count = incrby(key, amount)
+              expire(key, options[:expires_in]) if options[:expires_in]
+            end
           end
 
           count.value if count
-        rescue Redis::BaseError
         end
 
         def delete(key, _options = {})
-          del(key)
+          rescuing { del(key) }
+        end
+
+        private
+
+        def rescuing
+          yield
         rescue Redis::BaseError
+          nil
         end
       end
     end

data/lib/rack/attack/store_proxy/redis_store_proxy.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'delegate'
 
 module Rack
@@ -9,17 +11,15 @@ module Rack
         end
 
         def read(key)
-          get(key, raw: true)
-        rescue Redis::BaseError
+          rescuing { get(key, raw: true) }
         end
 
         def write(key, value, options = {})
           if (expires_in = options[:expires_in])
-            setex(key, expires_in, value, raw: true)
+            rescuing { setex(key, expires_in, value, raw: true) }
           else
-            set(key, value, raw: true)
+            rescuing { set(key, value, raw: true) }
           end
-        rescue Redis::BaseError
         end
       end
     end

data/lib/rack/attack/throttle.rb

@@ -1,13 +1,15 @@
+# frozen_string_literal: true
+
 module Rack
   class Attack
     class Throttle
       MANDATORY_OPTIONS = [:limit, :period].freeze
 
       attr_reader :name, :limit, :period, :block, :type
-      def initialize(name, options, block)
+      def initialize(name, options, &block)
         @name, @block = name, block
         MANDATORY_OPTIONS.each do |opt|
-          raise ArgumentError.new("Must pass #{opt.inspect} option") unless options[opt]
+          raise ArgumentError, "Must pass #{opt.inspect} option" unless options[opt]
         end
         @limit  = options[:limit]
         @period = options[:period].respond_to?(:call) ? options[:period] : options[:period].to_i
@@ -29,10 +31,10 @@ module Rack
         epoch_time     = cache.last_epoch_time
 
         data = {
-          :count => count,
-          :period => current_period,
-          :limit => current_limit,
-          :epoch_time => epoch_time
+          count: count,
+          period: current_period,
+          limit: current_limit,
+          epoch_time: epoch_time
         }
 
         (request.env['rack.attack.throttle_data'] ||= {})[name] = data

data/lib/rack/attack/track.rb

@@ -1,15 +1,17 @@
+# frozen_string_literal: true
+
 module Rack
   class Attack
     class Track
       attr_reader :filter
 
-      def initialize(name, options = {}, block)
+      def initialize(name, options = {}, &block)
         options[:type] = :track
 
         if options[:limit] && options[:period]
-          @filter = Throttle.new(name, options, block)
+          @filter = Throttle.new(name, options, &block)
         else
-          @filter = Check.new(name, options, block)
+          @filter = Check.new(name, options, &block)
         end
       end
 

data/lib/rack/attack/version.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
 module Rack
   class Attack
-    VERSION = '5.4.2'
+    VERSION = '6.0.0'
   end
 end

data/spec/acceptance/allow2ban_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative "../spec_helper"
 require "timecop"
 

data/spec/acceptance/blocking_ip_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative "../spec_helper"
 
 describe "Blocking an IP" do
@@ -21,9 +23,9 @@ describe "Blocking an IP" do
     notified = false
     notification_type = nil
 
-    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
+    ActiveSupport::Notifications.subscribe("blocklist.rack_attack") do |_name, _start, _finish, _id, payload|
       notified = true
-      notification_type = request.env["rack.attack.match_type"]
+      notification_type = payload[:request].env["rack.attack.match_type"]
     end
 
     get "/", {}, "REMOTE_ADDR" => "5.6.7.8"

data/spec/acceptance/blocking_spec.rb

@@ -1,6 +1,48 @@
+# frozen_string_literal: true
+
 require_relative "../spec_helper"
 
 describe "#blocklist" do
+  before do
+    Rack::Attack.blocklist do |request|
+      request.ip == "1.2.3.4"
+    end
+  end
+
+  it "forbids request if blocklist condition is true" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 403, last_response.status
+  end
+
+  it "succeeds if blocklist condition is false" do
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_equal 200, last_response.status
+  end
+
+  it "notifies when the request is blocked" do
+    notification_matched = nil
+    notification_type = nil
+
+    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, payload|
+      notification_matched = payload[:request].env["rack.attack.matched"]
+      notification_type = payload[:request].env["rack.attack.match_type"]
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_nil notification_matched
+    assert_nil notification_type
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_nil notification_matched
+    assert_equal :blocklist, notification_type
+  end
+end
+
+describe "#blocklist with name" do
   before do
     Rack::Attack.blocklist("block 1.2.3.4") do |request|
       request.ip == "1.2.3.4"
@@ -23,9 +65,9 @@ describe "#blocklist" do
     notification_matched = nil
     notification_type = nil
 
-    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
-      notification_matched = request.env["rack.attack.matched"]
-      notification_type = request.env["rack.attack.match_type"]
+    ActiveSupport::Notifications.subscribe("blocklist.rack_attack") do |_name, _start, _finish, _id, payload|
+      notification_matched = payload[:request].env["rack.attack.matched"]
+      notification_type = payload[:request].env["rack.attack.match_type"]
     end
 
     get "/", {}, "REMOTE_ADDR" => "5.6.7.8"

data/spec/acceptance/blocking_subnet_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative "../spec_helper"
 
 describe "Blocking an IP subnet" do
@@ -27,9 +29,9 @@ describe "Blocking an IP subnet" do
     notified = false
     notification_type = nil
 
-    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
+    ActiveSupport::Notifications.subscribe("blocklist.rack_attack") do |_name, _start, _finish, _id, payload|
       notified = true
-      notification_type = request.env["rack.attack.match_type"]
+      notification_type = payload[:request].env["rack.attack.match_type"]
     end
 
     get "/", {}, "REMOTE_ADDR" => "5.6.7.8"

data/spec/acceptance/cache_store_config_for_allow2ban_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative "../spec_helper"
 require "minitest/stub_const"
 
@@ -20,11 +22,9 @@ describe "Cache store config when using allow2ban" do
     raised_exception = nil
 
     fake_store_class = Class.new do
-      def write(key, value)
-      end
+      def write(key, value); end
 
-      def increment(key, count, options = {})
-      end
+      def increment(key, count, options = {}); end
     end
 
     Object.stub_const(:FakeStore, fake_store_class) do
@@ -42,11 +42,9 @@ describe "Cache store config when using allow2ban" do
     raised_exception = nil
 
     fake_store_class = Class.new do
-      def read(key)
-      end
+      def read(key); end
 
-      def increment(key, count, options = {})
-      end
+      def increment(key, count, options = {}); end
     end
 
     Object.stub_const(:FakeStore, fake_store_class) do
@@ -64,11 +62,9 @@ describe "Cache store config when using allow2ban" do
     raised_exception = nil
 
     fake_store_class = Class.new do
-      def read(key)
-      end
+      def read(key); end
 
-      def write(key, value)
-      end
+      def write(key, value); end
     end
 
     Object.stub_const(:FakeStore, fake_store_class) do