rack-attack 6.1.0 → 6.2.0

data/lib/rack/attack/store_proxy/redis_cache_store_proxy.rb

@@ -15,17 +15,33 @@ module Rack
           #
           # So in order to workaround this we use RedisCacheStore#write (which sets expiration) to initialize
           # the counter. After that we continue using the original RedisCacheStore#increment.
-          if options[:expires_in] && !read(name)
-            write(name, amount, options)
+          rescuing do
+            if options[:expires_in] && !read(name)
+              write(name, amount, options)
 
-            amount
-          else
-            super
+              amount
+            else
+              super
+            end
           end
         end
 
+        def read(*_args)
+          rescuing { super }
+        end
+
         def write(name, value, options = {})
-          super(name, value, options.merge!(raw: true))
+          rescuing do
+            super(name, value, options.merge!(raw: true))
+          end
+        end
+
+        private
+
+        def rescuing
+          yield
+        rescue Redis::BaseError
+          nil
         end
       end
     end

data/lib/rack/attack/throttle.rb

@@ -7,11 +7,12 @@ module Rack
 
       attr_reader :name, :limit, :period, :block, :type
       def initialize(name, options, &block)
-        @name, @block = name, block
+        @name = name
+        @block = block
         MANDATORY_OPTIONS.each do |opt|
           raise ArgumentError, "Must pass #{opt.inspect} option" unless options[opt]
         end
-        @limit  = options[:limit]
+        @limit = options[:limit]
         @period = options[:period].respond_to?(:call) ? options[:period] : options[:period].to_i
         @type   = options.fetch(:type, :throttle)
       end

data/lib/rack/attack/track.rb

@@ -8,11 +8,12 @@ module Rack
       def initialize(name, options = {}, &block)
         options[:type] = :track
 
-        if options[:limit] && options[:period]
-          @filter = Throttle.new(name, options, &block)
-        else
-          @filter = Check.new(name, options, &block)
-        end
+        @filter =
+          if options[:limit] && options[:period]
+            Throttle.new(name, options, &block)
+          else
+            Check.new(name, options, &block)
+          end
       end
 
       def matched_by?(request)

data/lib/rack/attack/version.rb

@@ -2,6 +2,6 @@
 
 module Rack
   class Attack
-    VERSION = '6.1.0'
+    VERSION = '6.2.0'
   end
 end

data/spec/acceptance/rails_middleware_spec.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require_relative "../spec_helper"
+
+if defined?(Rails)
+  describe "Middleware for Rails" do
+    before do
+      @app = Class.new(Rails::Application) do
+        config.eager_load = false
+        config.logger = Logger.new(nil) # avoid creating the log/ directory automatically
+        config.cache_store = :null_store # avoid creating tmp/ directory for cache
+      end
+    end
+
+    if Gem::Version.new(Rails::VERSION::STRING) >= Gem::Version.new("5.1")
+      it "is used by default" do
+        @app.initialize!
+        assert_equal 1, @app.middleware.count(Rack::Attack)
+      end
+
+      it "is not added when it was added explicitly" do
+        @app.config.middleware.use(Rack::Attack)
+        @app.initialize!
+        assert_equal 1, @app.middleware.count(Rack::Attack)
+      end
+
+      it "is not added when it was explicitly deleted" do
+        @app.config.middleware.delete(Rack::Attack)
+        @app.initialize!
+        refute @app.middleware.include?(Rack::Attack)
+      end
+    end
+
+    if Gem::Version.new(Rails::VERSION::STRING) < Gem::Version.new("5.1")
+      it "is not used by default" do
+        @app.initialize!
+        assert_equal 0, @app.middleware.count(Rack::Attack)
+      end
+    end
+  end
+end

data/spec/acceptance/stores/active_support_mem_cache_store_pooled_spec.rb

@@ -15,8 +15,6 @@ if defined?(::ConnectionPool) && defined?(::Dalli)
       Rack::Attack.cache.store.clear
     end
 
-    it_works_for_cache_backed_features(fetch_from_store: ->(key) {
-      Rack::Attack.cache.store.read(key)
-    })
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.read(key) })
   end
 end

data/spec/acceptance/stores/active_support_redis_cache_store_pooled_spec.rb

@@ -2,7 +2,13 @@
 
 require_relative "../../spec_helper"
 
-if defined?(::ConnectionPool) && defined?(::Redis) && Gem::Version.new(::Redis::VERSION) >= Gem::Version.new("4") && defined?(::ActiveSupport::Cache::RedisCacheStore)
+should_run =
+  defined?(::ConnectionPool) &&
+  defined?(::Redis) &&
+  Gem::Version.new(::Redis::VERSION) >= Gem::Version.new("4") &&
+  defined?(::ActiveSupport::Cache::RedisCacheStore)
+
+if should_run
   require_relative "../../support/cache_store_helper"
   require "timecop"
 

data/spec/acceptance/stores/active_support_redis_cache_store_spec.rb

@@ -2,7 +2,12 @@
 
 require_relative "../../spec_helper"
 
-if defined?(::Redis) && Gem::Version.new(::Redis::VERSION) >= Gem::Version.new("4") && defined?(::ActiveSupport::Cache::RedisCacheStore)
+should_run =
+  defined?(::Redis) &&
+  Gem::Version.new(::Redis::VERSION) >= Gem::Version.new("4") &&
+  defined?(::ActiveSupport::Cache::RedisCacheStore)
+
+if should_run
   require_relative "../../support/cache_store_helper"
   require "timecop"
 

data/spec/acceptance/stores/connection_pool_dalli_client_spec.rb

@@ -17,8 +17,8 @@ if defined?(::Dalli) && defined?(::ConnectionPool)
       Rack::Attack.cache.store.with { |client| client.flush_all }
     end
 
-    it_works_for_cache_backed_features(fetch_from_store: ->(key) {
-      Rack::Attack.cache.store.with { |client| client.fetch(key) }
-    })
+    it_works_for_cache_backed_features(
+      fetch_from_store: ->(key) { Rack::Attack.cache.store.with { |client| client.fetch(key) } }
+    )
   end
 end

data/spec/allow2ban_spec.rb

@@ -20,7 +20,8 @@ describe 'Rack::Attack.Allow2Ban' do
     describe 'making ok request' do
       it 'succeeds' do
         get '/', {}, 'REMOTE_ADDR' => '1.2.3.4'
-        last_response.status.must_equal 200
+
+        _(last_response.status).must_equal 200
       end
     end
 
@@ -29,17 +30,18 @@ describe 'Rack::Attack.Allow2Ban' do
         before { get '/?foo=OMGHAX', {}, 'REMOTE_ADDR' => '1.2.3.4' }
 
         it 'succeeds' do
-          last_response.status.must_equal 200
+          _(last_response.status).must_equal 200
         end
 
         it 'increases fail count' do
           key = "rack::attack:#{Time.now.to_i / @findtime}:allow2ban:count:1.2.3.4"
-          @cache.store.read(key).must_equal 1
+
+          _(@cache.store.read(key)).must_equal 1
         end
 
         it 'is not banned' do
           key = "rack::attack:allow2ban:1.2.3.4"
-          @cache.store.read(key).must_be_nil
+          _(@cache.store.read(key)).must_be_nil
         end
       end
 
@@ -51,17 +53,17 @@ describe 'Rack::Attack.Allow2Ban' do
         end
 
         it 'succeeds' do
-          last_response.status.must_equal 200
+          _(last_response.status).must_equal 200
         end
 
         it 'increases fail count' do
           key = "rack::attack:#{Time.now.to_i / @findtime}:allow2ban:count:1.2.3.4"
-          @cache.store.read(key).must_equal 2
+          _(@cache.store.read(key)).must_equal 2
         end
 
         it 'is banned' do
           key = "rack::attack:allow2ban:ban:1.2.3.4"
-          @cache.store.read(key).must_equal 1
+          _(@cache.store.read(key)).must_equal 1
         end
       end
     end
@@ -77,7 +79,8 @@ describe 'Rack::Attack.Allow2Ban' do
     describe 'making request for other discriminator' do
       it 'succeeds' do
         get '/', {}, 'REMOTE_ADDR' => '2.2.3.4'
-        last_response.status.must_equal 200
+
+        _(last_response.status).must_equal 200
       end
     end
 
@@ -87,17 +90,17 @@ describe 'Rack::Attack.Allow2Ban' do
       end
 
       it 'fails' do
-        last_response.status.must_equal 403
+        _(last_response.status).must_equal 403
       end
 
       it 'does not increase fail count' do
         key = "rack::attack:#{Time.now.to_i / @findtime}:allow2ban:count:1.2.3.4"
-        @cache.store.read(key).must_equal 2
+        _(@cache.store.read(key)).must_equal 2
       end
 
       it 'is still banned' do
         key = "rack::attack:allow2ban:ban:1.2.3.4"
-        @cache.store.read(key).must_equal 1
+        _(@cache.store.read(key)).must_equal 1
       end
     end
 
@@ -107,17 +110,17 @@ describe 'Rack::Attack.Allow2Ban' do
       end
 
       it 'fails' do
-        last_response.status.must_equal 403
+        _(last_response.status).must_equal 403
       end
 
       it 'does not increase fail count' do
         key = "rack::attack:#{Time.now.to_i / @findtime}:allow2ban:count:1.2.3.4"
-        @cache.store.read(key).must_equal 2
+        _(@cache.store.read(key)).must_equal 2
       end
 
       it 'is still banned' do
         key = "rack::attack:allow2ban:ban:1.2.3.4"
-        @cache.store.read(key).must_equal 1
+        _(@cache.store.read(key)).must_equal 1
       end
     end
   end

data/spec/fail2ban_spec.rb

@@ -20,7 +20,7 @@ describe 'Rack::Attack.Fail2Ban' do
     describe 'making ok request' do
       it 'succeeds' do
         get '/', {}, 'REMOTE_ADDR' => '1.2.3.4'
-        last_response.status.must_equal 200
+        _(last_response.status).must_equal 200
       end
     end
 
@@ -29,17 +29,17 @@ describe 'Rack::Attack.Fail2Ban' do
         before { get '/?foo=OMGHAX', {}, 'REMOTE_ADDR' => '1.2.3.4' }
 
         it 'fails' do
-          last_response.status.must_equal 403
+          _(last_response.status).must_equal 403
         end
 
         it 'increases fail count' do
           key = "rack::attack:#{Time.now.to_i / @findtime}:fail2ban:count:1.2.3.4"
-          @cache.store.read(key).must_equal 1
+          _(@cache.store.read(key)).must_equal 1
         end
 
         it 'is not banned' do
           key = "rack::attack:fail2ban:1.2.3.4"
-          @cache.store.read(key).must_be_nil
+          _(@cache.store.read(key)).must_be_nil
         end
       end
 
@@ -51,17 +51,17 @@ describe 'Rack::Attack.Fail2Ban' do
         end
 
         it 'fails' do
-          last_response.status.must_equal 403
+          _(last_response.status).must_equal 403
         end
 
         it 'increases fail count' do
           key = "rack::attack:#{Time.now.to_i / @findtime}:fail2ban:count:1.2.3.4"
-          @cache.store.read(key).must_equal 2
+          _(@cache.store.read(key)).must_equal 2
         end
 
         it 'is banned' do
           key = "rack::attack:fail2ban:ban:1.2.3.4"
-          @cache.store.read(key).must_equal 1
+          _(@cache.store.read(key)).must_equal 1
         end
       end
 
@@ -73,7 +73,7 @@ describe 'Rack::Attack.Fail2Ban' do
         end
 
         it 'succeeds' do
-          last_response.status.must_equal 200
+          _(last_response.status).must_equal 200
         end
 
         it 'resets fail count' do
@@ -82,7 +82,7 @@ describe 'Rack::Attack.Fail2Ban' do
         end
 
         it 'IP is not banned' do
-          Rack::Attack::Fail2Ban.banned?('1.2.3.4').must_equal false
+          _(Rack::Attack::Fail2Ban.banned?('1.2.3.4')).must_equal false
         end
       end
     end
@@ -98,7 +98,8 @@ describe 'Rack::Attack.Fail2Ban' do
     describe 'making request for other discriminator' do
       it 'succeeds' do
         get '/', {}, 'REMOTE_ADDR' => '2.2.3.4'
-        last_response.status.must_equal 200
+
+        _(last_response.status).must_equal 200
       end
     end
 
@@ -108,17 +109,17 @@ describe 'Rack::Attack.Fail2Ban' do
       end
 
       it 'fails' do
-        last_response.status.must_equal 403
+        _(last_response.status).must_equal 403
       end
 
       it 'does not increase fail count' do
         key = "rack::attack:#{Time.now.to_i / @findtime}:fail2ban:count:1.2.3.4"
-        @cache.store.read(key).must_equal 2
+        _(@cache.store.read(key)).must_equal 2
       end
 
       it 'is still banned' do
         key = "rack::attack:fail2ban:ban:1.2.3.4"
-        @cache.store.read(key).must_equal 1
+        _(@cache.store.read(key)).must_equal 1
       end
     end
 
@@ -128,17 +129,17 @@ describe 'Rack::Attack.Fail2Ban' do
       end
 
       it 'fails' do
-        last_response.status.must_equal 403
+        _(last_response.status).must_equal 403
       end
 
       it 'does not increase fail count' do
         key = "rack::attack:#{Time.now.to_i / @findtime}:fail2ban:count:1.2.3.4"
-        @cache.store.read(key).must_equal 2
+        _(@cache.store.read(key)).must_equal 2
       end
 
       it 'is still banned' do
         key = "rack::attack:fail2ban:ban:1.2.3.4"
-        @cache.store.read(key).must_equal 1
+        _(@cache.store.read(key)).must_equal 1
       end
     end
   end

data/spec/rack_attack_instrumentation_spec.rb

@@ -34,7 +34,7 @@ if ActiveSupport::VERSION::MAJOR > 3
       end
 
       it 'should instrument without error' do
-        last_response.status.must_equal 429
+        _(last_response.status).must_equal 429
         assert_equal 1, CustomSubscriber.notification_count
       end
     end

data/spec/rack_attack_path_normalizer_spec.rb

@@ -6,14 +6,14 @@ describe Rack::Attack::PathNormalizer do
   subject { Rack::Attack::PathNormalizer }
 
   it 'should have a normalize_path method' do
-    subject.normalize_path('/foo').must_equal '/foo'
+    _(subject.normalize_path('/foo')).must_equal '/foo'
   end
 
   describe 'FallbackNormalizer' do
     subject { Rack::Attack::FallbackPathNormalizer }
 
     it '#normalize_path does not change the path' do
-      subject.normalize_path('').must_equal ''
+      _(subject.normalize_path('')).must_equal ''
     end
   end
 end

data/spec/rack_attack_spec.rb

@@ -12,7 +12,7 @@ describe 'Rack::Attack' do
 
     it 'blocks requests with trailing slash' do
       get '/foo/'
-      last_response.status.must_equal 403
+      _(last_response.status).must_equal 403
     end
   end
 
@@ -22,21 +22,21 @@ describe 'Rack::Attack' do
       Rack::Attack.blocklist("ip #{@bad_ip}") { |req| req.ip == @bad_ip }
     end
 
-    it('has a blocklist') {
-      Rack::Attack.blocklists.key?("ip #{@bad_ip}").must_equal true
-    }
+    it 'has a blocklist' do
+      _(Rack::Attack.blocklists.key?("ip #{@bad_ip}")).must_equal true
+    end
 
     describe "a bad request" do
       before { get '/', {}, 'REMOTE_ADDR' => @bad_ip }
 
       it "should return a blocklist response" do
-        last_response.status.must_equal 403
-        last_response.body.must_equal "Forbidden\n"
+        _(last_response.status).must_equal 403
+        _(last_response.body).must_equal "Forbidden\n"
       end
 
       it "should tag the env" do
-        last_request.env['rack.attack.matched'].must_equal "ip #{@bad_ip}"
-        last_request.env['rack.attack.match_type'].must_equal :blocklist
+        _(last_request.env['rack.attack.matched']).must_equal "ip #{@bad_ip}"
+        _(last_request.env['rack.attack.match_type']).must_equal :blocklist
       end
 
       it_allows_ok_requests
@@ -54,25 +54,48 @@ describe 'Rack::Attack' do
         before { get '/', {}, 'REMOTE_ADDR' => @bad_ip, 'HTTP_USER_AGENT' => @good_ua }
 
         it "should allow safelists before blocklists" do
-          last_response.status.must_equal 200
+          _(last_response.status).must_equal 200
         end
 
         it "should tag the env" do
-          last_request.env['rack.attack.matched'].must_equal 'good ua'
-          last_request.env['rack.attack.match_type'].must_equal :safelist
+          _(last_request.env['rack.attack.matched']).must_equal 'good ua'
+          _(last_request.env['rack.attack.match_type']).must_equal :safelist
         end
       end
     end
 
     describe '#blocklisted_response' do
       it 'should exist' do
-        Rack::Attack.blocklisted_response.must_respond_to :call
+        _(Rack::Attack.blocklisted_response).must_respond_to :call
       end
     end
 
     describe '#throttled_response' do
       it 'should exist' do
-        Rack::Attack.throttled_response.must_respond_to :call
+        _(Rack::Attack.throttled_response).must_respond_to :call
+      end
+    end
+  end
+
+  describe 'enabled' do
+    it 'should be enabled by default' do
+      _(Rack::Attack.enabled).must_equal true
+    end
+
+    it 'should directly pass request when disabled' do
+      bad_ip = '1.2.3.4'
+      Rack::Attack.blocklist("ip #{bad_ip}") { |req| req.ip == bad_ip }
+
+      get '/', {}, 'REMOTE_ADDR' => bad_ip
+      _(last_response.status).must_equal 403
+
+      prev_enabled = Rack::Attack.enabled
+      begin
+        Rack::Attack.enabled = false
+        get '/', {}, 'REMOTE_ADDR' => bad_ip
+        _(last_response.status).must_equal 200
+      ensure
+        Rack::Attack.enabled = prev_enabled
       end
     end
   end