rack-attack 6.0.0 → 6.3.0

data/lib/rack/attack/path_normalizer.rb

@@ -1,24 +1,26 @@
 # frozen_string_literal: true
 
-class Rack::Attack
-  # When using Rack::Attack with a Rails app, developers expect the request path
-  # to be normalized. In particular, trailing slashes are stripped.
-  # (See https://git.io/v0rrR for implementation.)
-  #
-  # Look for an ActionDispatch utility class that Rails folks would expect
-  # to normalize request paths. If unavailable, use a fallback class that
-  # doesn't normalize the path (as a non-Rails rack app developer expects).
+module Rack
+  class Attack
+    # When using Rack::Attack with a Rails app, developers expect the request path
+    # to be normalized. In particular, trailing slashes are stripped.
+    # (See https://git.io/v0rrR for implementation.)
+    #
+    # Look for an ActionDispatch utility class that Rails folks would expect
+    # to normalize request paths. If unavailable, use a fallback class that
+    # doesn't normalize the path (as a non-Rails rack app developer expects).
 
-  module FallbackPathNormalizer
-    def self.normalize_path(path)
-      path
+    module FallbackPathNormalizer
+      def self.normalize_path(path)
+        path
+      end
     end
-  end
 
-  PathNormalizer = if defined?(::ActionDispatch::Journey::Router::Utils)
-                     # For Rails apps
-                     ::ActionDispatch::Journey::Router::Utils
-                   else
-                     FallbackPathNormalizer
-                   end
+    PathNormalizer = if defined?(::ActionDispatch::Journey::Router::Utils)
+                       # For Rails apps
+                       ::ActionDispatch::Journey::Router::Utils
+                     else
+                       FallbackPathNormalizer
+                     end
+  end
 end

data/lib/rack/attack/railtie.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Rack
+  class Attack
+    class Railtie < ::Rails::Railtie
+      initializer "rack-attack.middleware" do |app|
+        if Gem::Version.new(::Rails::VERSION::STRING) >= Gem::Version.new("5.1")
+          app.middleware.use(Rack::Attack)
+        end
+      end
+    end
+  end
+end

data/lib/rack/attack/store_proxy/active_support_redis_store_proxy.rb

@@ -7,7 +7,9 @@ module Rack
     module StoreProxy
       class ActiveSupportRedisStoreProxy < SimpleDelegator
         def self.handle?(store)
-          defined?(::Redis) && defined?(::ActiveSupport::Cache::RedisStore) && store.is_a?(::ActiveSupport::Cache::RedisStore)
+          defined?(::Redis) &&
+            defined?(::ActiveSupport::Cache::RedisStore) &&
+            store.is_a?(::ActiveSupport::Cache::RedisStore)
         end
 
         def increment(name, amount = 1, options = {})

data/lib/rack/attack/store_proxy/mem_cache_store_proxy.rb

@@ -7,7 +7,9 @@ module Rack
     module StoreProxy
       class MemCacheStoreProxy < SimpleDelegator
         def self.handle?(store)
-          defined?(::Dalli) && defined?(::ActiveSupport::Cache::MemCacheStore) && store.is_a?(::ActiveSupport::Cache::MemCacheStore)
+          defined?(::Dalli) &&
+            defined?(::ActiveSupport::Cache::MemCacheStore) &&
+            store.is_a?(::ActiveSupport::Cache::MemCacheStore)
         end
 
         def write(name, value, options = {})

data/lib/rack/attack/store_proxy/redis_proxy.rb

@@ -31,27 +31,36 @@ module Rack
         end
 
         def increment(key, amount, options = {})
-          count = nil
-
           rescuing do
             pipelined do
-              count = incrby(key, amount)
+              incrby(key, amount)
               expire(key, options[:expires_in]) if options[:expires_in]
-            end
+            end.first
           end
-
-          count.value if count
         end
 
         def delete(key, _options = {})
           rescuing { del(key) }
         end
 
+        def delete_matched(matcher, _options = nil)
+          cursor = "0"
+
+          rescuing do
+            # Fetch keys in batches using SCAN to avoid blocking the Redis server.
+            loop do
+              cursor, keys = scan(cursor, match: matcher, count: 1000)
+              del(*keys) unless keys.empty?
+              break if cursor == "0"
+            end
+          end
+        end
+
         private
 
         def rescuing
           yield
-        rescue Redis::BaseError
+        rescue Redis::BaseConnectionError
           nil
         end
       end

data/lib/rack/attack/throttle.rb

@@ -7,11 +7,12 @@ module Rack
 
       attr_reader :name, :limit, :period, :block, :type
       def initialize(name, options, &block)
-        @name, @block = name, block
+        @name = name
+        @block = block
         MANDATORY_OPTIONS.each do |opt|
           raise ArgumentError, "Must pass #{opt.inspect} option" unless options[opt]
         end
-        @limit  = options[:limit]
+        @limit = options[:limit]
         @period = options[:period].respond_to?(:call) ? options[:period] : options[:period].to_i
         @type   = options.fetch(:type, :throttle)
       end
@@ -22,33 +23,50 @@ module Rack
 
       def matched_by?(request)
         discriminator = block.call(request)
+
         return false unless discriminator
 
-        current_period = period.respond_to?(:call) ? period.call(request) : period
-        current_limit  = limit.respond_to?(:call) ? limit.call(request) : limit
-        key            = "#{name}:#{discriminator}"
-        count          = cache.count(key, current_period)
-        epoch_time     = cache.last_epoch_time
+        current_period  = period_for(request)
+        current_limit   = limit_for(request)
+        count           = cache.count("#{name}:#{discriminator}", current_period)
 
         data = {
+          discriminator: discriminator,
           count: count,
           period: current_period,
           limit: current_limit,
-          epoch_time: epoch_time
+          epoch_time: cache.last_epoch_time
         }
 
-        (request.env['rack.attack.throttle_data'] ||= {})[name] = data
-
         (count > current_limit).tap do |throttled|
+          annotate_request_with_throttle_data(request, data)
           if throttled
-            request.env['rack.attack.matched']             = name
-            request.env['rack.attack.match_discriminator'] = discriminator
-            request.env['rack.attack.match_type']          = type
-            request.env['rack.attack.match_data']          = data
+            annotate_request_with_matched_data(request, data)
             Rack::Attack.instrument(request)
           end
         end
       end
+
+      private
+
+      def period_for(request)
+        period.respond_to?(:call) ? period.call(request) : period
+      end
+
+      def limit_for(request)
+        limit.respond_to?(:call) ? limit.call(request) : limit
+      end
+
+      def annotate_request_with_throttle_data(request, data)
+        (request.env['rack.attack.throttle_data'] ||= {})[name] = data
+      end
+
+      def annotate_request_with_matched_data(request, data)
+        request.env['rack.attack.matched']             = name
+        request.env['rack.attack.match_discriminator'] = data[:discriminator]
+        request.env['rack.attack.match_type']          = type
+        request.env['rack.attack.match_data']          = data
+      end
     end
   end
 end

data/lib/rack/attack/track.rb

@@ -8,11 +8,12 @@ module Rack
       def initialize(name, options = {}, &block)
         options[:type] = :track
 
-        if options[:limit] && options[:period]
-          @filter = Throttle.new(name, options, &block)
-        else
-          @filter = Check.new(name, options, &block)
-        end
+        @filter =
+          if options[:limit] && options[:period]
+            Throttle.new(name, options, &block)
+          else
+            Check.new(name, options, &block)
+          end
       end
 
       def matched_by?(request)

data/lib/rack/attack/version.rb

@@ -2,6 +2,6 @@
 
 module Rack
   class Attack
-    VERSION = '6.0.0'
+    VERSION = '6.3.0'
   end
 end

data/spec/acceptance/rails_middleware_spec.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require_relative "../spec_helper"
+
+if defined?(Rails)
+  describe "Middleware for Rails" do
+    before do
+      @app = Class.new(Rails::Application) do
+        config.eager_load = false
+        config.logger = Logger.new(nil) # avoid creating the log/ directory automatically
+        config.cache_store = :null_store # avoid creating tmp/ directory for cache
+      end
+    end
+
+    if Gem::Version.new(Rails::VERSION::STRING) >= Gem::Version.new("5.1")
+      it "is used by default" do
+        @app.initialize!
+        assert_equal 1, @app.middleware.count(Rack::Attack)
+      end
+
+      it "is not added when it was explicitly deleted" do
+        @app.config.middleware.delete(Rack::Attack)
+        @app.initialize!
+        refute @app.middleware.include?(Rack::Attack)
+      end
+    end
+
+    if Gem::Version.new(Rails::VERSION::STRING) < Gem::Version.new("5.1")
+      it "is not used by default" do
+        @app.initialize!
+        assert_equal 0, @app.middleware.count(Rack::Attack)
+      end
+    end
+  end
+end

data/spec/acceptance/stores/active_support_mem_cache_store_pooled_spec.rb

@@ -15,8 +15,6 @@ if defined?(::ConnectionPool) && defined?(::Dalli)
       Rack::Attack.cache.store.clear
     end
 
-    it_works_for_cache_backed_features(fetch_from_store: ->(key) {
-      Rack::Attack.cache.store.read(key)
-    })
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.read(key) })
   end
 end

data/spec/acceptance/stores/active_support_redis_cache_store_pooled_spec.rb

@@ -2,7 +2,13 @@
 
 require_relative "../../spec_helper"
 
-if defined?(::ConnectionPool) && defined?(::Redis) && Gem::Version.new(::Redis::VERSION) >= Gem::Version.new("4") && defined?(::ActiveSupport::Cache::RedisCacheStore)
+should_run =
+  defined?(::ConnectionPool) &&
+  defined?(::Redis) &&
+  Gem::Version.new(::Redis::VERSION) >= Gem::Version.new("4") &&
+  defined?(::ActiveSupport::Cache::RedisCacheStore)
+
+if should_run
   require_relative "../../support/cache_store_helper"
   require "timecop"
 

data/spec/acceptance/stores/active_support_redis_cache_store_spec.rb

@@ -2,7 +2,12 @@
 
 require_relative "../../spec_helper"
 
-if defined?(::Redis) && Gem::Version.new(::Redis::VERSION) >= Gem::Version.new("4") && defined?(::ActiveSupport::Cache::RedisCacheStore)
+should_run =
+  defined?(::Redis) &&
+  Gem::Version.new(::Redis::VERSION) >= Gem::Version.new("4") &&
+  defined?(::ActiveSupport::Cache::RedisCacheStore)
+
+if should_run
   require_relative "../../support/cache_store_helper"
   require "timecop"
 

data/spec/acceptance/stores/connection_pool_dalli_client_spec.rb

@@ -17,8 +17,8 @@ if defined?(::Dalli) && defined?(::ConnectionPool)
       Rack::Attack.cache.store.with { |client| client.flush_all }
     end
 
-    it_works_for_cache_backed_features(fetch_from_store: ->(key) {
-      Rack::Attack.cache.store.with { |client| client.fetch(key) }
-    })
+    it_works_for_cache_backed_features(
+      fetch_from_store: ->(key) { Rack::Attack.cache.store.with { |client| client.fetch(key) } }
+    )
   end
 end

data/spec/acceptance/throttling_spec.rb

@@ -20,7 +20,7 @@ describe "#throttle" do
     get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
 
     assert_equal 429, last_response.status
-    assert_equal "60", last_response.headers["Retry-After"]
+    assert_nil last_response.headers["Retry-After"]
     assert_equal "Retry later\n", last_response.body
 
     get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
@@ -34,6 +34,24 @@ describe "#throttle" do
     end
   end
 
+  it "returns correct Retry-After header if enabled" do
+    Rack::Attack.throttled_response_retry_after_header = true
+
+    Rack::Attack.throttle("by ip", limit: 1, period: 60) do |request|
+      request.ip
+    end
+
+    Timecop.freeze(Time.at(0)) do
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      assert_equal 200, last_response.status
+    end
+
+    Timecop.freeze(Time.at(25)) do
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      assert_equal "35", last_response.headers["Retry-After"]
+    end
+  end
+
   it "supports limit to be dynamic" do
     # Could be used to have different rate limits for authorized
     # vs general requests

data/spec/allow2ban_spec.rb

@@ -20,7 +20,8 @@ describe 'Rack::Attack.Allow2Ban' do
     describe 'making ok request' do
       it 'succeeds' do
         get '/', {}, 'REMOTE_ADDR' => '1.2.3.4'
-        last_response.status.must_equal 200
+
+        _(last_response.status).must_equal 200
       end
     end
 
@@ -29,17 +30,18 @@ describe 'Rack::Attack.Allow2Ban' do
         before { get '/?foo=OMGHAX', {}, 'REMOTE_ADDR' => '1.2.3.4' }
 
         it 'succeeds' do
-          last_response.status.must_equal 200
+          _(last_response.status).must_equal 200
         end
 
         it 'increases fail count' do
           key = "rack::attack:#{Time.now.to_i / @findtime}:allow2ban:count:1.2.3.4"
-          @cache.store.read(key).must_equal 1
+
+          _(@cache.store.read(key)).must_equal 1
         end
 
         it 'is not banned' do
           key = "rack::attack:allow2ban:1.2.3.4"
-          @cache.store.read(key).must_be_nil
+          _(@cache.store.read(key)).must_be_nil
         end
       end
 
@@ -51,17 +53,17 @@ describe 'Rack::Attack.Allow2Ban' do
         end
 
         it 'succeeds' do
-          last_response.status.must_equal 200
+          _(last_response.status).must_equal 200
         end
 
         it 'increases fail count' do
           key = "rack::attack:#{Time.now.to_i / @findtime}:allow2ban:count:1.2.3.4"
-          @cache.store.read(key).must_equal 2
+          _(@cache.store.read(key)).must_equal 2
         end
 
         it 'is banned' do
           key = "rack::attack:allow2ban:ban:1.2.3.4"
-          @cache.store.read(key).must_equal 1
+          _(@cache.store.read(key)).must_equal 1
         end
       end
     end
@@ -77,7 +79,8 @@ describe 'Rack::Attack.Allow2Ban' do
     describe 'making request for other discriminator' do
       it 'succeeds' do
         get '/', {}, 'REMOTE_ADDR' => '2.2.3.4'
-        last_response.status.must_equal 200
+
+        _(last_response.status).must_equal 200
       end
     end
 
@@ -87,17 +90,17 @@ describe 'Rack::Attack.Allow2Ban' do
       end
 
       it 'fails' do
-        last_response.status.must_equal 403
+        _(last_response.status).must_equal 403
       end
 
       it 'does not increase fail count' do
         key = "rack::attack:#{Time.now.to_i / @findtime}:allow2ban:count:1.2.3.4"
-        @cache.store.read(key).must_equal 2
+        _(@cache.store.read(key)).must_equal 2
       end
 
       it 'is still banned' do
         key = "rack::attack:allow2ban:ban:1.2.3.4"
-        @cache.store.read(key).must_equal 1
+        _(@cache.store.read(key)).must_equal 1
       end
     end
 
@@ -107,17 +110,17 @@ describe 'Rack::Attack.Allow2Ban' do
       end
 
       it 'fails' do
-        last_response.status.must_equal 403
+        _(last_response.status).must_equal 403
       end
 
       it 'does not increase fail count' do
         key = "rack::attack:#{Time.now.to_i / @findtime}:allow2ban:count:1.2.3.4"
-        @cache.store.read(key).must_equal 2
+        _(@cache.store.read(key)).must_equal 2
       end
 
       it 'is still banned' do
         key = "rack::attack:allow2ban:ban:1.2.3.4"
-        @cache.store.read(key).must_equal 1
+        _(@cache.store.read(key)).must_equal 1
       end
     end
   end