RubyGems - rack-attack - Versions diffs - 6.4.0 → 6.5.0 - Mend

rack-attack 6.4.0 → 6.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

checksums.yaml +4 -4
data/README.md +1 -6
data/lib/rack/attack.rb +10 -8
data/lib/rack/attack/base_proxy.rb +27 -0
data/lib/rack/attack/cache.rb +6 -1
data/lib/rack/attack/railtie.rb +1 -3
data/lib/rack/attack/store_proxy/active_support_redis_store_proxy.rb +2 -2
data/lib/rack/attack/store_proxy/dalli_proxy.rb +2 -2
data/lib/rack/attack/store_proxy/mem_cache_store_proxy.rb +2 -2
data/lib/rack/attack/store_proxy/redis_cache_store_proxy.rb +2 -2
data/lib/rack/attack/store_proxy/redis_proxy.rb +3 -3
data/lib/rack/attack/store_proxy/redis_store_proxy.rb +1 -1
data/lib/rack/attack/throttle.rb +9 -2
data/lib/rack/attack/version.rb +1 -1
data/spec/acceptance/rails_middleware_spec.rb +3 -18
data/spec/rack_attack_throttle_spec.rb +44 -0
metadata +4 -4
data/lib/rack/attack/store_proxy.rb +0 -21

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e7d44de650fae1c83d5a3da49dc8f304e44280f72bd209d3f78643b90d573bd8
-  data.tar.gz: a39d0270489617a8c0a49e01868c24cc87311e80457fbc104c86e45d29978f51
+  metadata.gz: 81f6cce465b8441782ffaa3d446e558979de6a2ceadd9d43499b7977fa61586b
+  data.tar.gz: a2ee9b82f1144d483e7d26a893594ab6cada4dc52d98eb08d7615a38b49face8
 SHA512:
-  metadata.gz: 7d9d965cc672bba8ab2b9f333746e32091363d6b65bf290104c248799a811f272ad8388e7f7b3d870d382e9c80a1003a300f9380c2d8082195972817146a281d
-  data.tar.gz: fbfa381116824ea4de492b66408d15bd708692a74275548c9b167868c0bee566f79a216046213c43a8eb3117b869e86ac99f989e5e4c045c30267db2981b2c6b
+  metadata.gz: b90fa7841d1e5319b820d4bca9c1fc8d266fc98c06f2a936ce6d31949d9fdd7ddab9183f82c5bbbc31e3e4280bba8e786bbe155f146fdcfdbf53ad263bfec63f
+  data.tar.gz: c91be495fbf25444632a1734f40f9fa85b35bf19d921a129ca402aceadf0d30b2a7d5797283ca7ac68e8f323569fa3edc1be98bcecd2c72aa15c3956dd611455

data/README.md CHANGED Viewed

@@ -71,12 +71,7 @@ Or install it yourself as:
 Then tell your ruby web application to use rack-attack as a middleware.
-a) For __rails__ applications with versions >= 5.1 it is used by default. For older rails versions you should enable it explicitly:
-```ruby
-# In config/application.rb
-config.middleware.use Rack::Attack
-```
+a) For __rails__ applications it is used by default.
 You can disable it permanently (like for specific environment) or temporarily (can be useful for specific test cases) by writing:

data/lib/rack/attack.rb CHANGED Viewed

@@ -6,6 +6,12 @@ require 'rack/attack/cache'
 require 'rack/attack/configuration'
 require 'rack/attack/path_normalizer'
 require 'rack/attack/request'
+require 'rack/attack/store_proxy/dalli_proxy'
+require 'rack/attack/store_proxy/mem_cache_store_proxy'
+require 'rack/attack/store_proxy/redis_proxy'
+require 'rack/attack/store_proxy/redis_store_proxy'
+require 'rack/attack/store_proxy/redis_cache_store_proxy'
+require 'rack/attack/store_proxy/active_support_redis_store_proxy'
 require 'rack/attack/railtie' if defined?(::Rails)
@@ -21,18 +27,11 @@ module Rack
     autoload :Safelist,             'rack/attack/safelist'
     autoload :Blocklist,            'rack/attack/blocklist'
     autoload :Track,                'rack/attack/track'
-    autoload :StoreProxy,           'rack/attack/store_proxy'
-    autoload :DalliProxy,           'rack/attack/store_proxy/dalli_proxy'
-    autoload :MemCacheStoreProxy,   'rack/attack/store_proxy/mem_cache_store_proxy'
-    autoload :RedisProxy,           'rack/attack/store_proxy/redis_proxy'
-    autoload :RedisStoreProxy,      'rack/attack/store_proxy/redis_store_proxy'
-    autoload :RedisCacheStoreProxy, 'rack/attack/store_proxy/redis_cache_store_proxy'
-    autoload :ActiveSupportRedisStoreProxy, 'rack/attack/store_proxy/active_support_redis_store_proxy'
     autoload :Fail2Ban,             'rack/attack/fail2ban'
     autoload :Allow2Ban,            'rack/attack/allow2ban'
     class << self
-      attr_accessor :enabled, :notifier
+      attr_accessor :enabled, :notifier, :throttle_discriminator_normalizer
       attr_reader :configuration
       def instrument(request)
@@ -84,6 +83,9 @@ module Rack
     # Set defaults
     @enabled = true
     @notifier = ActiveSupport::Notifications if defined?(ActiveSupport::Notifications)
+    @throttle_discriminator_normalizer = lambda do |discriminator|
+      discriminator.to_s.strip.downcase
+    end
     @configuration = Configuration.new
     attr_reader :configuration

data/lib/rack/attack/base_proxy.rb ADDED Viewed

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+require 'delegate'
+module Rack
+  class Attack
+    class BaseProxy < SimpleDelegator
+      class << self
+        def proxies
+          @@proxies ||= []
+        end
+        def inherited(klass)
+          proxies << klass
+        end
+        def lookup(store)
+          proxies.find { |proxy| proxy.handle?(store) }
+        end
+        def handle?(_store)
+          raise NotImplementedError
+        end
+      end
+    end
+  end
+end

data/lib/rack/attack/cache.rb CHANGED Viewed

@@ -14,7 +14,12 @@ module Rack
       attr_reader :store
       def store=(store)
-        @store = StoreProxy.build(store)
+        @store =
+          if (proxy = BaseProxy.lookup(store))
+            proxy.new(store)
+          else
+            store
+          end
       end
       def count(unprefixed_key, period)

data/lib/rack/attack/railtie.rb CHANGED Viewed

@@ -4,9 +4,7 @@ module Rack
   class Attack
     class Railtie < ::Rails::Railtie
       initializer "rack-attack.middleware" do |app|
-        if Gem::Version.new(::Rails::VERSION::STRING) >= Gem::Version.new("5.1")
-          app.middleware.use(Rack::Attack)
-        end
+        app.middleware.use(Rack::Attack)
       end
     end
   end

data/lib/rack/attack/store_proxy/active_support_redis_store_proxy.rb CHANGED Viewed

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
-require 'delegate'
+require 'rack/attack/base_proxy'
 module Rack
   class Attack
     module StoreProxy
-      class ActiveSupportRedisStoreProxy < SimpleDelegator
+      class ActiveSupportRedisStoreProxy < BaseProxy
         def self.handle?(store)
           defined?(::Redis) &&
             defined?(::ActiveSupport::Cache::RedisStore) &&

data/lib/rack/attack/store_proxy/dalli_proxy.rb CHANGED Viewed

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
-require 'delegate'
+require 'rack/attack/base_proxy'
 module Rack
   class Attack
     module StoreProxy
-      class DalliProxy < SimpleDelegator
+      class DalliProxy < BaseProxy
         def self.handle?(store)
           return false unless defined?(::Dalli)

data/lib/rack/attack/store_proxy/mem_cache_store_proxy.rb CHANGED Viewed

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
-require 'delegate'
+require 'rack/attack/base_proxy'
 module Rack
   class Attack
     module StoreProxy
-      class MemCacheStoreProxy < SimpleDelegator
+      class MemCacheStoreProxy < BaseProxy
         def self.handle?(store)
           defined?(::Dalli) &&
             defined?(::ActiveSupport::Cache::MemCacheStore) &&

data/lib/rack/attack/store_proxy/redis_cache_store_proxy.rb CHANGED Viewed

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
-require 'delegate'
+require 'rack/attack/base_proxy'
 module Rack
   class Attack
     module StoreProxy
-      class RedisCacheStoreProxy < SimpleDelegator
+      class RedisCacheStoreProxy < BaseProxy
         def self.handle?(store)
           store.class.name == "ActiveSupport::Cache::RedisCacheStore"
         end

data/lib/rack/attack/store_proxy/redis_proxy.rb CHANGED Viewed

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
-require 'delegate'
+require 'rack/attack/base_proxy'
 module Rack
   class Attack
     module StoreProxy
-      class RedisProxy < SimpleDelegator
+      class RedisProxy < BaseProxy
         def initialize(*args)
           if Gem::Version.new(Redis::VERSION) < Gem::Version.new("3")
             warn 'RackAttack requires Redis gem >= 3.0.0.'
@@ -15,7 +15,7 @@ module Rack
         end
         def self.handle?(store)
-          defined?(::Redis) && store.is_a?(::Redis)
+          defined?(::Redis) && store.class == ::Redis
         end
         def read(key)

data/lib/rack/attack/store_proxy/redis_store_proxy.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
-require 'delegate'
+require 'rack/attack/store_proxy/redis_proxy'
 module Rack
   class Attack

data/lib/rack/attack/throttle.rb CHANGED Viewed

@@ -23,8 +23,7 @@ module Rack
       end
       def matched_by?(request)
-        discriminator = block.call(request)
+        discriminator = discriminator_for(request)
         return false unless discriminator
         current_period  = period_for(request)
@@ -50,6 +49,14 @@ module Rack
       private
+      def discriminator_for(request)
+        discriminator = block.call(request)
+        if discriminator && Rack::Attack.throttle_discriminator_normalizer
+          discriminator = Rack::Attack.throttle_discriminator_normalizer.call(discriminator)
+        end
+        discriminator
+      end
       def period_for(request)
         period.respond_to?(:call) ? period.call(request) : period
       end

data/lib/rack/attack/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module Rack
   class Attack
-    VERSION = '6.4.0'
+    VERSION = '6.5.0'
   end
 end

data/spec/acceptance/rails_middleware_spec.rb CHANGED Viewed

@@ -12,24 +12,9 @@ if defined?(Rails)
       end
     end
-    if Gem::Version.new(Rails::VERSION::STRING) >= Gem::Version.new("5.1")
-      it "is used by default" do
-        @app.initialize!
-        assert_equal 1, @app.middleware.count(Rack::Attack)
-      end
-      it "is not added when it was explicitly deleted" do
-        @app.config.middleware.delete(Rack::Attack)
-        @app.initialize!
-        refute @app.middleware.include?(Rack::Attack)
-      end
-    end
-    if Gem::Version.new(Rails::VERSION::STRING) < Gem::Version.new("5.1")
-      it "is not used by default" do
-        @app.initialize!
-        assert_equal 0, @app.middleware.count(Rack::Attack)
-      end
+    it "is used by default" do
+      @app.initialize!
+      assert @app.middleware.include?(Rack::Attack)
     end
   end
 end

data/spec/rack_attack_throttle_spec.rb CHANGED Viewed

@@ -144,3 +144,47 @@ describe 'Rack::Attack.throttle with block retuning nil' do
     end
   end
 end
+describe 'Rack::Attack.throttle with throttle_discriminator_normalizer' do
+  before do
+    @period = 60
+    @emails = [
+      "person@example.com",
+      "PERSON@example.com ",
+      " person@example.com\r\n  ",
+    ]
+    Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+    Rack::Attack.throttle('logins/email', limit: 4, period: @period) do |req|
+      if req.path == '/login' && req.post?
+        req.params['email']
+      end
+    end
+  end
+  it 'should not differentiate requests when throttle_discriminator_normalizer is enabled' do
+    post_logins
+    key = "rack::attack:#{Time.now.to_i / @period}:logins/email:person@example.com"
+    _(Rack::Attack.cache.store.read(key)).must_equal 3
+  end
+  it 'should differentiate requests when throttle_discriminator_normalizer is disabled' do
+    begin
+      prev = Rack::Attack.throttle_discriminator_normalizer
+      Rack::Attack.throttle_discriminator_normalizer = nil
+      post_logins
+      @emails.each do |email|
+        key = "rack::attack:#{Time.now.to_i / @period}:logins/email:#{email}"
+        _(Rack::Attack.cache.store.read(key)).must_equal 1
+      end
+    ensure
+      Rack::Attack.throttle_discriminator_normalizer = prev
+    end
+  end
+  def post_logins
+    @emails.each do |email|
+      post '/login', email: email
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-attack
 version: !ruby/object:Gem::Version
-  version: 6.4.0
+  version: 6.5.0
 platform: ruby
 authors:
 - Aaron Suggs
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-01-24 00:00:00.000000000 Z
+date: 2021-02-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -206,6 +206,7 @@ files:
 - Rakefile
 - lib/rack/attack.rb
 - lib/rack/attack/allow2ban.rb
+- lib/rack/attack/base_proxy.rb
 - lib/rack/attack/blocklist.rb
 - lib/rack/attack/cache.rb
 - lib/rack/attack/check.rb
@@ -215,7 +216,6 @@ files:
 - lib/rack/attack/railtie.rb
 - lib/rack/attack/request.rb
 - lib/rack/attack/safelist.rb
-- lib/rack/attack/store_proxy.rb
 - lib/rack/attack/store_proxy/active_support_redis_store_proxy.rb
 - lib/rack/attack/store_proxy/dalli_proxy.rb
 - lib/rack/attack/store_proxy/mem_cache_store_proxy.rb
@@ -290,7 +290,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.6
+rubygems_version: 3.2.8
 signing_key:
 specification_version: 4
 summary: Block & throttle abusive requests

data/lib/rack/attack/store_proxy.rb DELETED Viewed

@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-module Rack
-  class Attack
-    module StoreProxy
-      PROXIES = [
-        DalliProxy,
-        MemCacheStoreProxy,
-        RedisStoreProxy,
-        RedisProxy,
-        RedisCacheStoreProxy,
-        ActiveSupportRedisStoreProxy
-      ].freeze
-      def self.build(store)
-        klass = PROXIES.find { |proxy| proxy.handle?(store) }
-        klass ? klass.new(store) : store
-      end
-    end
-  end
-end