rack-attack 6.0.0 → 6.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f85825803ce676e10466175d4bb99cc151d649130d6f4008bdffdc1381b4650a
-  data.tar.gz: 2bcd9d6a9d75491df5a9ddf2f7a5128eae152245fce8f27a069f36037ebc8ddb
+  metadata.gz: cba47e380843d184fd3df1af08b252aca3fc2411de7ccbd62a9b7da6ee933b72
+  data.tar.gz: 0dc5300a553830ca7e1cfa84de814fd743e608b9ec0140fd6b1145c421085ba7
 SHA512:
-  metadata.gz: 5c9b03bbb0e55105ebe4d2ea9a0f13a025ea7ab4903f86e07956ecbd7f7ddfcacfecbbc8239bc9ac427fcc4bd5445fa85e20732bd4d90b51f6dafeb7194bc063
-  data.tar.gz: a31dad7fb5c9220d4a44b303103ffb12cb23843bc150b14cec38a9d0151bc73791a66a80e8a543fa09f58d36a7b0627f0b5fda4fb93953d525747840d7e1d97f
+  metadata.gz: 71fd5eace9c851dab06317f3f4f4f28a2cbc20dd20c663228fbd073a052b4f30c4de87a06109ce9cf6b7395fc547b0c99b6f4e579285a699be40a93a9511452f
+  data.tar.gz: 5139f0be932f94273dba2d8d59ccbcb0e14ca92656b68d126099a124f04160c2c426e72f330b9e3c5dd8ed560f2fb292aa68dde2c32f2238d36c8c7e95422d01

data/README.md

@@ -1,3 +1,6 @@
+__Note__: You are viewing the development version README.
+For the README consistent with the latest released version see https://github.com/kickstarter/rack-attack/blob/6-stable/README.md.
+
 # Rack::Attack
 
 *Rack middleware for blocking & throttling abusive requests*
@@ -9,6 +12,7 @@ See the [Backing & Hacking blog post](https://www.kickstarter.com/backing-and-ha
 [![Gem Version](https://badge.fury.io/rb/rack-attack.svg)](https://badge.fury.io/rb/rack-attack)
 [![Build Status](https://travis-ci.org/kickstarter/rack-attack.svg?branch=master)](https://travis-ci.org/kickstarter/rack-attack)
 [![Code Climate](https://codeclimate.com/github/kickstarter/rack-attack.svg)](https://codeclimate.com/github/kickstarter/rack-attack)
+[![Join the chat at https://gitter.im/rack-attack/rack-attack](https://badges.gitter.im/rack-attack/rack-attack.svg)](https://gitter.im/rack-attack/rack-attack)
 
 ## Table of contents
 
@@ -67,14 +71,19 @@ Or install it yourself as:
 
 Then tell your ruby web application to use rack-attack as a middleware.
 
-a) For __rails__ applications:
-
+a) For __rails__ applications with versions >= 5.1 it is used by default. For older rails versions you should enable it explicitly:
 ```ruby
 # In config/application.rb
 
 config.middleware.use Rack::Attack
 ```
 
+You can disable it permanently (like for specific environment) or temporarily (can be useful for specific test cases) by writing:
+
+```ruby
+Rack::Attack.enabled = false
+```
+
 b) For __rack__ applications:
 
 ```ruby
@@ -285,9 +294,9 @@ Rack::Attack.track("special_agent", limit: 6, period: 60) do |req|
 end
 
 # Track it using ActiveSupport::Notification
-ActiveSupport::Notifications.subscribe("rack.attack") do |name, start, finish, request_id, payload|
+ActiveSupport::Notifications.subscribe("track.rack_attack") do |name, start, finish, request_id, payload|
   req = payload[:request]
-  if req.env['rack.attack.matched'] == "special_agent" && req.env['rack.attack.match_type'] == :track
+  if req.env['rack.attack.matched'] == "special_agent"
     Rails.logger.info "special_agent: #{req.path}"
     STATSD.increment("special_agent")
   end
@@ -333,6 +342,11 @@ end
 While Rack::Attack's primary focus is minimizing harm from abusive clients, it
 can also be used to return rate limit data that's helpful for well-behaved clients.
 
+If you want to return to user how many seconds to wait until he can start sending requests again, this can be done through enabling `Retry-After` header:
+```ruby
+Rack::Attack.throttled_response_retry_after_header = true
+```
+
 Here's an example response that includes conventional `RateLimit-*` headers:
 
 ```ruby
@@ -354,7 +368,7 @@ end
 For responses that did not exceed a throttle limit, Rack::Attack annotates the env with match data:
 
 ```ruby
-request.env['rack.attack.throttle_data'][name] # => { :count => n, :period => p, :limit => l, :epoch_time => t }
+request.env['rack.attack.throttle_data'][name] # => { discriminator: d, count: n, period: p, limit: l, epoch_time: t }
 ```
 
 ## Logging & Instrumentation

data/lib/rack/attack.rb

@@ -2,163 +2,114 @@
 
 require 'rack'
 require 'forwardable'
+require 'rack/attack/cache'
+require 'rack/attack/configuration'
 require 'rack/attack/path_normalizer'
 require 'rack/attack/request'
-require "ipaddr"
-
-class Rack::Attack
-  class MisconfiguredStoreError < StandardError; end
-  class MissingStoreError < StandardError; end
-
-  autoload :Cache,                'rack/attack/cache'
-  autoload :Check,                'rack/attack/check'
-  autoload :Throttle,             'rack/attack/throttle'
-  autoload :Safelist,             'rack/attack/safelist'
-  autoload :Blocklist,            'rack/attack/blocklist'
-  autoload :Track,                'rack/attack/track'
-  autoload :StoreProxy,           'rack/attack/store_proxy'
-  autoload :DalliProxy,           'rack/attack/store_proxy/dalli_proxy'
-  autoload :MemCacheStoreProxy,   'rack/attack/store_proxy/mem_cache_store_proxy'
-  autoload :RedisProxy,           'rack/attack/store_proxy/redis_proxy'
-  autoload :RedisStoreProxy,      'rack/attack/store_proxy/redis_store_proxy'
-  autoload :RedisCacheStoreProxy, 'rack/attack/store_proxy/redis_cache_store_proxy'
-  autoload :ActiveSupportRedisStoreProxy, 'rack/attack/store_proxy/active_support_redis_store_proxy'
-  autoload :Fail2Ban,             'rack/attack/fail2ban'
-  autoload :Allow2Ban,            'rack/attack/allow2ban'
-
-  class << self
-    attr_accessor :notifier, :blocklisted_response, :throttled_response, :anonymous_blocklists, :anonymous_safelists
-
-    def safelist(name = nil, &block)
-      safelist = Safelist.new(name, &block)
-
-      if name
-        safelists[name] = safelist
-      else
-        anonymous_safelists << safelist
-      end
-    end
 
-    def blocklist(name = nil, &block)
-      blocklist = Blocklist.new(name, &block)
-
-      if name
-        blocklists[name] = blocklist
-      else
-        anonymous_blocklists << blocklist
+require 'rack/attack/railtie' if defined?(::Rails)
+
+module Rack
+  class Attack
+    class Error < StandardError; end
+    class MisconfiguredStoreError < Error; end
+    class MissingStoreError < Error; end
+    class IncompatibleStoreError < Error; end
+
+    autoload :Check,                'rack/attack/check'
+    autoload :Throttle,             'rack/attack/throttle'
+    autoload :Safelist,             'rack/attack/safelist'
+    autoload :Blocklist,            'rack/attack/blocklist'
+    autoload :Track,                'rack/attack/track'
+    autoload :StoreProxy,           'rack/attack/store_proxy'
+    autoload :DalliProxy,           'rack/attack/store_proxy/dalli_proxy'
+    autoload :MemCacheStoreProxy,   'rack/attack/store_proxy/mem_cache_store_proxy'
+    autoload :RedisProxy,           'rack/attack/store_proxy/redis_proxy'
+    autoload :RedisStoreProxy,      'rack/attack/store_proxy/redis_store_proxy'
+    autoload :RedisCacheStoreProxy, 'rack/attack/store_proxy/redis_cache_store_proxy'
+    autoload :ActiveSupportRedisStoreProxy, 'rack/attack/store_proxy/active_support_redis_store_proxy'
+    autoload :Fail2Ban,             'rack/attack/fail2ban'
+    autoload :Allow2Ban,            'rack/attack/allow2ban'
+
+    class << self
+      attr_accessor :enabled, :notifier
+      attr_reader :configuration
+
+      def instrument(request)
+        if notifier
+          event_type = request.env["rack.attack.match_type"]
+          notifier.instrument("#{event_type}.rack_attack", request: request)
+
+          # Deprecated: Keeping just for backwards compatibility
+          notifier.instrument("rack.attack", request: request)
+        end
       end
-    end
-
-    def blocklist_ip(ip_address)
-      anonymous_blocklists << Blocklist.new { |request| IPAddr.new(ip_address).include?(IPAddr.new(request.ip)) }
-    end
-
-    def safelist_ip(ip_address)
-      anonymous_safelists << Safelist.new { |request| IPAddr.new(ip_address).include?(IPAddr.new(request.ip)) }
-    end
-
-    def throttle(name, options, &block)
-      throttles[name] = Throttle.new(name, options, &block)
-    end
-
-    def track(name, options = {}, &block)
-      tracks[name] = Track.new(name, options, &block)
-    end
-
-    def safelists
-      @safelists  ||= {}
-    end
-
-    def blocklists
-      @blocklists ||= {}
-    end
-
-    def throttles
-      @throttles  ||= {}
-    end
-
-    def tracks
-      @tracks     ||= {}
-    end
-
-    def safelisted?(request)
-      anonymous_safelists.any? { |safelist| safelist.matched_by?(request) } ||
-        safelists.any? { |_name, safelist| safelist.matched_by?(request) }
-    end
 
-    def blocklisted?(request)
-      anonymous_blocklists.any? { |blocklist| blocklist.matched_by?(request) } ||
-        blocklists.any? { |_name, blocklist| blocklist.matched_by?(request) }
-    end
-
-    def throttled?(request)
-      throttles.any? do |_name, throttle|
-        throttle.matched_by?(request)
+      def cache
+        @cache ||= Cache.new
       end
-    end
 
-    def tracked?(request)
-      tracks.each_value do |track|
-        track.matched_by?(request)
+      def clear!
+        warn "[DEPRECATION] Rack::Attack.clear! is deprecated. Please use Rack::Attack.clear_configuration instead"
+        @configuration.clear_configuration
       end
-    end
-
-    def instrument(request)
-      if notifier
-        event_type = request.env["rack.attack.match_type"]
-        notifier.instrument("#{event_type}.rack_attack", request: request)
 
-        # Deprecated: Keeping just for backwards compatibility
-        notifier.instrument("rack.attack", request: request)
+      def reset!
+        cache.reset!
       end
-    end
-
-    def cache
-      @cache ||= Cache.new
-    end
 
-    def clear_configuration
-      @safelists, @blocklists, @throttles, @tracks = {}, {}, {}, {}
-      self.anonymous_blocklists = []
-      self.anonymous_safelists = []
-    end
-
-    def clear!
-      warn "[DEPRECATION] Rack::Attack.clear! is deprecated. Please use Rack::Attack.clear_configuration instead"
-      clear_configuration
-    end
-  end
-
-  # Set defaults
-  @anonymous_blocklists = []
-  @anonymous_safelists = []
-  @notifier             = ActiveSupport::Notifications if defined?(ActiveSupport::Notifications)
-  @blocklisted_response = lambda { |_env| [403, { 'Content-Type' => 'text/plain' }, ["Forbidden\n"]] }
-  @throttled_response   = lambda { |env|
-    retry_after = (env['rack.attack.match_data'] || {})[:period]
-    [429, { 'Content-Type' => 'text/plain', 'Retry-After' => retry_after.to_s }, ["Retry later\n"]]
-  }
-
-  def initialize(app)
-    @app = app
-  end
-
-  def call(env)
-    env['PATH_INFO'] = PathNormalizer.normalize_path(env['PATH_INFO'])
-    request = Rack::Attack::Request.new(env)
-
-    if safelisted?(request)
-      @app.call(env)
-    elsif blocklisted?(request)
-      self.class.blocklisted_response.call(env)
-    elsif throttled?(request)
-      self.class.throttled_response.call(env)
-    else
-      tracked?(request)
-      @app.call(env)
+      extend Forwardable
+      def_delegators(
+        :@configuration,
+        :safelist,
+        :blocklist,
+        :blocklist_ip,
+        :safelist_ip,
+        :throttle,
+        :track,
+        :blocklisted_response,
+        :blocklisted_response=,
+        :throttled_response,
+        :throttled_response=,
+        :throttled_response_retry_after_header,
+        :throttled_response_retry_after_header=,
+        :clear_configuration,
+        :safelists,
+        :blocklists,
+        :throttles,
+        :tracks
+      )
+    end
+
+    # Set defaults
+    @enabled = true
+    @notifier = ActiveSupport::Notifications if defined?(ActiveSupport::Notifications)
+    @configuration = Configuration.new
+
+    attr_reader :configuration
+
+    def initialize(app)
+      @app = app
+      @configuration = self.class.configuration
+    end
+
+    def call(env)
+      return @app.call(env) if !self.class.enabled || env["rack.attack.called"]
+
+      env["rack.attack.called"] = true
+      env['PATH_INFO'] = PathNormalizer.normalize_path(env['PATH_INFO'])
+      request = Rack::Attack::Request.new(env)
+
+      if configuration.safelisted?(request)
+        @app.call(env)
+      elsif configuration.blocklisted?(request)
+        configuration.blocklisted_response.call(env)
+      elsif configuration.throttled?(request)
+        configuration.throttled_response.call(env)
+      else
+        configuration.tracked?(request)
+        @app.call(env)
+      end
     end
   end
-
-  extend Forwardable
-  def_delegators self, :safelisted?, :blocklisted?, :throttled?, :tracked?
 end

data/lib/rack/attack/cache.rb

@@ -41,6 +41,17 @@ module Rack
         store.delete("#{prefix}:#{unprefixed_key}")
       end
 
+      def reset!
+        if store.respond_to?(:delete_matched)
+          store.delete_matched("#{prefix}*")
+        else
+          raise(
+            Rack::Attack::IncompatibleStoreError,
+            "Configured store #{store.class.name} doesn't respond to #delete_matched method"
+          )
+        end
+      end
+
       private
 
       def key_and_expiry(unprefixed_key, period)
@@ -73,7 +84,10 @@ module Rack
 
       def enforce_store_method_presence!(method_name)
         if !store.respond_to?(method_name)
-          raise Rack::Attack::MisconfiguredStoreError, "Configured store #{store.class.name} doesn't respond to ##{method_name} method"
+          raise(
+            Rack::Attack::MisconfiguredStoreError,
+            "Configured store #{store.class.name} doesn't respond to ##{method_name} method"
+          )
         end
       end
     end

data/lib/rack/attack/check.rb

@@ -5,7 +5,8 @@ module Rack
     class Check
       attr_reader :name, :block, :type
       def initialize(name, options = {}, &block)
-        @name, @block = name, block
+        @name = name
+        @block = block
         @type = options.fetch(:type, nil)
       end
 

data/lib/rack/attack/configuration.rb

@@ -0,0 +1,107 @@
+# frozen_string_literal: true
+
+require "ipaddr"
+
+module Rack
+  class Attack
+    class Configuration
+      DEFAULT_BLOCKLISTED_RESPONSE = lambda { |_env| [403, { 'Content-Type' => 'text/plain' }, ["Forbidden\n"]] }
+
+      DEFAULT_THROTTLED_RESPONSE = lambda do |env|
+        if Rack::Attack.configuration.throttled_response_retry_after_header
+          match_data = env['rack.attack.match_data']
+          now = match_data[:epoch_time]
+          retry_after = match_data[:period] - (now % match_data[:period])
+
+          [429, { 'Content-Type' => 'text/plain', 'Retry-After' => retry_after.to_s }, ["Retry later\n"]]
+        else
+          [429, { 'Content-Type' => 'text/plain' }, ["Retry later\n"]]
+        end
+      end
+
+      attr_reader :safelists, :blocklists, :throttles, :anonymous_blocklists, :anonymous_safelists
+      attr_accessor :blocklisted_response, :throttled_response, :throttled_response_retry_after_header
+
+      def initialize
+        set_defaults
+      end
+
+      def safelist(name = nil, &block)
+        safelist = Safelist.new(name, &block)
+
+        if name
+          @safelists[name] = safelist
+        else
+          @anonymous_safelists << safelist
+        end
+      end
+
+      def blocklist(name = nil, &block)
+        blocklist = Blocklist.new(name, &block)
+
+        if name
+          @blocklists[name] = blocklist
+        else
+          @anonymous_blocklists << blocklist
+        end
+      end
+
+      def blocklist_ip(ip_address)
+        @anonymous_blocklists << Blocklist.new { |request| IPAddr.new(ip_address).include?(IPAddr.new(request.ip)) }
+      end
+
+      def safelist_ip(ip_address)
+        @anonymous_safelists << Safelist.new { |request| IPAddr.new(ip_address).include?(IPAddr.new(request.ip)) }
+      end
+
+      def throttle(name, options, &block)
+        @throttles[name] = Throttle.new(name, options, &block)
+      end
+
+      def track(name, options = {}, &block)
+        @tracks[name] = Track.new(name, options, &block)
+      end
+
+      def safelisted?(request)
+        @anonymous_safelists.any? { |safelist| safelist.matched_by?(request) } ||
+          @safelists.any? { |_name, safelist| safelist.matched_by?(request) }
+      end
+
+      def blocklisted?(request)
+        @anonymous_blocklists.any? { |blocklist| blocklist.matched_by?(request) } ||
+          @blocklists.any? { |_name, blocklist| blocklist.matched_by?(request) }
+      end
+
+      def throttled?(request)
+        @throttles.any? do |_name, throttle|
+          throttle.matched_by?(request)
+        end
+      end
+
+      def tracked?(request)
+        @tracks.each_value do |track|
+          track.matched_by?(request)
+        end
+      end
+
+      def clear_configuration
+        set_defaults
+      end
+
+      private
+
+      def set_defaults
+        @safelists = {}
+        @blocklists = {}
+        @throttles = {}
+        @tracks = {}
+        @anonymous_blocklists = []
+        @anonymous_safelists = []
+        @throttled_response_retry_after_header = false
+
+        @blocklisted_response = DEFAULT_BLOCKLISTED_RESPONSE
+        @throttled_response = DEFAULT_THROTTLED_RESPONSE
+      end
+    end
+  end
+end