rack-attack 6.4.0 → 6.6.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/LICENSE +21 -0
- data/README.md +15 -20
- data/lib/rack/attack/base_proxy.rb +27 -0
- data/lib/rack/attack/cache.rb +6 -1
- data/lib/rack/attack/configuration.rb +26 -8
- data/lib/rack/attack/railtie.rb +1 -3
- data/lib/rack/attack/store_proxy/active_support_redis_store_proxy.rb +2 -2
- data/lib/rack/attack/store_proxy/dalli_proxy.rb +2 -2
- data/lib/rack/attack/store_proxy/mem_cache_store_proxy.rb +6 -2
- data/lib/rack/attack/store_proxy/redis_cache_store_proxy.rb +2 -2
- data/lib/rack/attack/store_proxy/redis_proxy.rb +6 -6
- data/lib/rack/attack/store_proxy/redis_store_proxy.rb +1 -1
- data/lib/rack/attack/throttle.rb +9 -2
- data/lib/rack/attack/version.rb +1 -1
- data/lib/rack/attack.rb +26 -10
- data/spec/acceptance/customizing_blocked_response_spec.rb +21 -4
- data/spec/acceptance/customizing_throttled_response_spec.rb +27 -6
- data/spec/acceptance/rails_middleware_spec.rb +3 -18
- data/spec/acceptance/stores/active_support_dalli_store_spec.rb +5 -1
- data/spec/rack_attack_spec.rb +4 -4
- data/spec/rack_attack_throttle_spec.rb +44 -0
- metadata +8 -7
- data/lib/rack/attack/store_proxy.rb +0 -21
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: '0399127f00624959bafee349ab2e6010acda84373c3df24ff18c3ff701a6c274'
|
4
|
+
data.tar.gz: 88bbb4465f8b7ecd0f82d9ad7217a66da96bb829c6982b0151ea2c19b5bba3c5
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 5a4d3d278b7c814c909ae0e01128f076f2ffcda003a56f688d803ccdfc5f72eeaa6c60412dc8e06769026f407860ac1259668fc61c0e87f1ef7a03434e17d982
|
7
|
+
data.tar.gz: 492e4659338b489d9fcdc3bd315148ec2e1802c6197ce4dc5d7eaf598c918866468387d1a2346bfc30c454605aeaa59aa7d9a4e50bdc08910b24a72c681053dc
|
data/LICENSE
ADDED
@@ -0,0 +1,21 @@
|
|
1
|
+
The MIT License
|
2
|
+
|
3
|
+
Copyright (c) 2016 Kickstarter, PBC
|
4
|
+
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
7
|
+
in the Software without restriction, including without limitation the rights
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
10
|
+
furnished to do so, subject to the following conditions:
|
11
|
+
|
12
|
+
The above copyright notice and this permission notice shall be included in
|
13
|
+
all copies or substantial portions of the Software.
|
14
|
+
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
21
|
+
THE SOFTWARE.
|
data/README.md
CHANGED
@@ -1,4 +1,4 @@
|
|
1
|
-
|
1
|
+
:warning: You are viewing the development's branch version of README which might contain documentation for unreleased features.
|
2
2
|
For the README consistent with the latest released version see https://github.com/rack/rack-attack/blob/6-stable/README.md.
|
3
3
|
|
4
4
|
# Rack::Attack
|
@@ -10,7 +10,7 @@ Protect your Rails and Rack apps from bad clients. Rack::Attack lets you easily
|
|
10
10
|
See the [Backing & Hacking blog post](https://www.kickstarter.com/backing-and-hacking/rack-attack-protection-from-abusive-clients) introducing Rack::Attack.
|
11
11
|
|
12
12
|
[](https://badge.fury.io/rb/rack-attack)
|
13
|
-
[](https://github.com/rack/rack-attack/actions/workflows/build.yml)
|
14
14
|
[](https://codeclimate.com/github/kickstarter/rack-attack)
|
15
15
|
[](https://gitter.im/rack-attack/rack-attack)
|
16
16
|
|
@@ -71,12 +71,7 @@ Or install it yourself as:
|
|
71
71
|
|
72
72
|
Then tell your ruby web application to use rack-attack as a middleware.
|
73
73
|
|
74
|
-
a) For __rails__ applications
|
75
|
-
```ruby
|
76
|
-
# In config/application.rb
|
77
|
-
|
78
|
-
config.middleware.use Rack::Attack
|
79
|
-
```
|
74
|
+
a) For __rails__ applications it is used by default.
|
80
75
|
|
81
76
|
You can disable it permanently (like for specific environment) or temporarily (can be useful for specific test cases) by writing:
|
82
77
|
|
@@ -317,21 +312,21 @@ Note that `Rack::Attack.cache` is only used for throttling, allow2ban and fail2b
|
|
317
312
|
|
318
313
|
## Customizing responses
|
319
314
|
|
320
|
-
Customize the response of blocklisted and throttled requests using an object that adheres to the [Rack app interface](http://www.rubydoc.info/github/rack/rack/file/SPEC).
|
315
|
+
Customize the response of blocklisted and throttled requests using an object that adheres to the [Rack app interface](http://www.rubydoc.info/github/rack/rack/file/SPEC.rdoc).
|
321
316
|
|
322
317
|
```ruby
|
323
|
-
Rack::Attack.
|
318
|
+
Rack::Attack.blocklisted_responder = lambda do |request|
|
324
319
|
# Using 503 because it may make attacker think that they have successfully
|
325
320
|
# DOSed the site. Rack::Attack returns 403 for blocklists by default
|
326
321
|
[ 503, {}, ['Blocked']]
|
327
322
|
end
|
328
323
|
|
329
|
-
Rack::Attack.
|
324
|
+
Rack::Attack.throttled_responder = lambda do |request|
|
330
325
|
# NB: you have access to the name and other data about the matched throttle
|
331
|
-
# env['rack.attack.matched'],
|
332
|
-
# env['rack.attack.match_type'],
|
333
|
-
# env['rack.attack.match_data'],
|
334
|
-
# env['rack.attack.match_discriminator']
|
326
|
+
# request.env['rack.attack.matched'],
|
327
|
+
# request.env['rack.attack.match_type'],
|
328
|
+
# request.env['rack.attack.match_data'],
|
329
|
+
# request.env['rack.attack.match_discriminator']
|
335
330
|
|
336
331
|
# Using 503 because it may make attacker think that they have successfully
|
337
332
|
# DOSed the site. Rack::Attack returns 429 for throttling by default
|
@@ -352,8 +347,8 @@ Rack::Attack.throttled_response_retry_after_header = true
|
|
352
347
|
Here's an example response that includes conventional `RateLimit-*` headers:
|
353
348
|
|
354
349
|
```ruby
|
355
|
-
Rack::Attack.
|
356
|
-
match_data = env['rack.attack.match_data']
|
350
|
+
Rack::Attack.throttled_responder = lambda do |request|
|
351
|
+
match_data = request.env['rack.attack.match_data']
|
357
352
|
now = match_data[:epoch_time]
|
358
353
|
|
359
354
|
headers = {
|
@@ -412,7 +407,7 @@ for more on how to do this.
|
|
412
407
|
|
413
408
|
### Test case isolation
|
414
409
|
|
415
|
-
`Rack::Attack.reset!` can be used in your test suite to clear any Rack::Attack state between different test cases.
|
410
|
+
`Rack::Attack.reset!` can be used in your test suite to clear any Rack::Attack state between different test cases. If you're testing blocklist and safelist configurations, consider using `Rack::Attack.clear_configuration` to unset the values for those lists between test cases.
|
416
411
|
|
417
412
|
## How it works
|
418
413
|
|
@@ -432,9 +427,9 @@ def call(env)
|
|
432
427
|
if safelisted?(req)
|
433
428
|
@app.call(env)
|
434
429
|
elsif blocklisted?(req)
|
435
|
-
self.class.
|
430
|
+
self.class.blocklisted_responder.call(req)
|
436
431
|
elsif throttled?(req)
|
437
|
-
self.class.
|
432
|
+
self.class.throttled_responder.call(req)
|
438
433
|
else
|
439
434
|
tracked?(req)
|
440
435
|
@app.call(env)
|
@@ -0,0 +1,27 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'delegate'
|
4
|
+
|
5
|
+
module Rack
|
6
|
+
class Attack
|
7
|
+
class BaseProxy < SimpleDelegator
|
8
|
+
class << self
|
9
|
+
def proxies
|
10
|
+
@@proxies ||= []
|
11
|
+
end
|
12
|
+
|
13
|
+
def inherited(klass)
|
14
|
+
proxies << klass
|
15
|
+
end
|
16
|
+
|
17
|
+
def lookup(store)
|
18
|
+
proxies.find { |proxy| proxy.handle?(store) }
|
19
|
+
end
|
20
|
+
|
21
|
+
def handle?(_store)
|
22
|
+
raise NotImplementedError
|
23
|
+
end
|
24
|
+
end
|
25
|
+
end
|
26
|
+
end
|
27
|
+
end
|
data/lib/rack/attack/cache.rb
CHANGED
@@ -5,22 +5,36 @@ require "ipaddr"
|
|
5
5
|
module Rack
|
6
6
|
class Attack
|
7
7
|
class Configuration
|
8
|
-
|
8
|
+
DEFAULT_BLOCKLISTED_RESPONDER = lambda { |_req| [403, { 'content-type' => 'text/plain' }, ["Forbidden\n"]] }
|
9
9
|
|
10
|
-
|
10
|
+
DEFAULT_THROTTLED_RESPONDER = lambda do |req|
|
11
11
|
if Rack::Attack.configuration.throttled_response_retry_after_header
|
12
|
-
match_data = env['rack.attack.match_data']
|
12
|
+
match_data = req.env['rack.attack.match_data']
|
13
13
|
now = match_data[:epoch_time]
|
14
14
|
retry_after = match_data[:period] - (now % match_data[:period])
|
15
15
|
|
16
|
-
[429, { '
|
16
|
+
[429, { 'content-type' => 'text/plain', 'retry-after' => retry_after.to_s }, ["Retry later\n"]]
|
17
17
|
else
|
18
|
-
[429, { '
|
18
|
+
[429, { 'content-type' => 'text/plain' }, ["Retry later\n"]]
|
19
19
|
end
|
20
20
|
end
|
21
21
|
|
22
22
|
attr_reader :safelists, :blocklists, :throttles, :anonymous_blocklists, :anonymous_safelists
|
23
|
-
attr_accessor :
|
23
|
+
attr_accessor :blocklisted_responder, :throttled_responder, :throttled_response_retry_after_header
|
24
|
+
|
25
|
+
attr_reader :blocklisted_response, :throttled_response # Keeping these for backwards compatibility
|
26
|
+
|
27
|
+
def blocklisted_response=(responder)
|
28
|
+
warn "[DEPRECATION] Rack::Attack.blocklisted_response is deprecated. "\
|
29
|
+
"Please use Rack::Attack.blocklisted_responder instead."
|
30
|
+
@blocklisted_response = responder
|
31
|
+
end
|
32
|
+
|
33
|
+
def throttled_response=(responder)
|
34
|
+
warn "[DEPRECATION] Rack::Attack.throttled_response is deprecated. "\
|
35
|
+
"Please use Rack::Attack.throttled_responder instead"
|
36
|
+
@throttled_response = responder
|
37
|
+
end
|
24
38
|
|
25
39
|
def initialize
|
26
40
|
set_defaults
|
@@ -99,8 +113,12 @@ module Rack
|
|
99
113
|
@anonymous_safelists = []
|
100
114
|
@throttled_response_retry_after_header = false
|
101
115
|
|
102
|
-
@
|
103
|
-
@
|
116
|
+
@blocklisted_responder = DEFAULT_BLOCKLISTED_RESPONDER
|
117
|
+
@throttled_responder = DEFAULT_THROTTLED_RESPONDER
|
118
|
+
|
119
|
+
# Deprecated: Keeping these for backwards compatibility
|
120
|
+
@blocklisted_response = nil
|
121
|
+
@throttled_response = nil
|
104
122
|
end
|
105
123
|
end
|
106
124
|
end
|
data/lib/rack/attack/railtie.rb
CHANGED
@@ -4,9 +4,7 @@ module Rack
|
|
4
4
|
class Attack
|
5
5
|
class Railtie < ::Rails::Railtie
|
6
6
|
initializer "rack-attack.middleware" do |app|
|
7
|
-
|
8
|
-
app.middleware.use(Rack::Attack)
|
9
|
-
end
|
7
|
+
app.middleware.use(Rack::Attack)
|
10
8
|
end
|
11
9
|
end
|
12
10
|
end
|
@@ -1,11 +1,11 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
|
-
require '
|
3
|
+
require 'rack/attack/base_proxy'
|
4
4
|
|
5
5
|
module Rack
|
6
6
|
class Attack
|
7
7
|
module StoreProxy
|
8
|
-
class ActiveSupportRedisStoreProxy <
|
8
|
+
class ActiveSupportRedisStoreProxy < BaseProxy
|
9
9
|
def self.handle?(store)
|
10
10
|
defined?(::Redis) &&
|
11
11
|
defined?(::ActiveSupport::Cache::RedisStore) &&
|
@@ -1,11 +1,11 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
|
-
require '
|
3
|
+
require 'rack/attack/base_proxy'
|
4
4
|
|
5
5
|
module Rack
|
6
6
|
class Attack
|
7
7
|
module StoreProxy
|
8
|
-
class DalliProxy <
|
8
|
+
class DalliProxy < BaseProxy
|
9
9
|
def self.handle?(store)
|
10
10
|
return false unless defined?(::Dalli)
|
11
11
|
|
@@ -1,17 +1,21 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
|
-
require '
|
3
|
+
require 'rack/attack/base_proxy'
|
4
4
|
|
5
5
|
module Rack
|
6
6
|
class Attack
|
7
7
|
module StoreProxy
|
8
|
-
class MemCacheStoreProxy <
|
8
|
+
class MemCacheStoreProxy < BaseProxy
|
9
9
|
def self.handle?(store)
|
10
10
|
defined?(::Dalli) &&
|
11
11
|
defined?(::ActiveSupport::Cache::MemCacheStore) &&
|
12
12
|
store.is_a?(::ActiveSupport::Cache::MemCacheStore)
|
13
13
|
end
|
14
14
|
|
15
|
+
def read(name, options = {})
|
16
|
+
super(name, options.merge!(raw: true))
|
17
|
+
end
|
18
|
+
|
15
19
|
def write(name, value, options = {})
|
16
20
|
super(name, value, options.merge!(raw: true))
|
17
21
|
end
|
@@ -1,11 +1,11 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
|
-
require '
|
3
|
+
require 'rack/attack/base_proxy'
|
4
4
|
|
5
5
|
module Rack
|
6
6
|
class Attack
|
7
7
|
module StoreProxy
|
8
|
-
class RedisCacheStoreProxy <
|
8
|
+
class RedisCacheStoreProxy < BaseProxy
|
9
9
|
def self.handle?(store)
|
10
10
|
store.class.name == "ActiveSupport::Cache::RedisCacheStore"
|
11
11
|
end
|
@@ -1,11 +1,11 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
|
-
require '
|
3
|
+
require 'rack/attack/base_proxy'
|
4
4
|
|
5
5
|
module Rack
|
6
6
|
class Attack
|
7
7
|
module StoreProxy
|
8
|
-
class RedisProxy <
|
8
|
+
class RedisProxy < BaseProxy
|
9
9
|
def initialize(*args)
|
10
10
|
if Gem::Version.new(Redis::VERSION) < Gem::Version.new("3")
|
11
11
|
warn 'RackAttack requires Redis gem >= 3.0.0.'
|
@@ -15,7 +15,7 @@ module Rack
|
|
15
15
|
end
|
16
16
|
|
17
17
|
def self.handle?(store)
|
18
|
-
defined?(::Redis) && store.
|
18
|
+
defined?(::Redis) && store.class == ::Redis
|
19
19
|
end
|
20
20
|
|
21
21
|
def read(key)
|
@@ -32,9 +32,9 @@ module Rack
|
|
32
32
|
|
33
33
|
def increment(key, amount, options = {})
|
34
34
|
rescuing do
|
35
|
-
pipelined do
|
36
|
-
incrby(key, amount)
|
37
|
-
expire(key, options[:expires_in]) if options[:expires_in]
|
35
|
+
pipelined do |redis|
|
36
|
+
redis.incrby(key, amount)
|
37
|
+
redis.expire(key, options[:expires_in]) if options[:expires_in]
|
38
38
|
end.first
|
39
39
|
end
|
40
40
|
end
|
data/lib/rack/attack/throttle.rb
CHANGED
@@ -23,8 +23,7 @@ module Rack
|
|
23
23
|
end
|
24
24
|
|
25
25
|
def matched_by?(request)
|
26
|
-
discriminator =
|
27
|
-
|
26
|
+
discriminator = discriminator_for(request)
|
28
27
|
return false unless discriminator
|
29
28
|
|
30
29
|
current_period = period_for(request)
|
@@ -50,6 +49,14 @@ module Rack
|
|
50
49
|
|
51
50
|
private
|
52
51
|
|
52
|
+
def discriminator_for(request)
|
53
|
+
discriminator = block.call(request)
|
54
|
+
if discriminator && Rack::Attack.throttle_discriminator_normalizer
|
55
|
+
discriminator = Rack::Attack.throttle_discriminator_normalizer.call(discriminator)
|
56
|
+
end
|
57
|
+
discriminator
|
58
|
+
end
|
59
|
+
|
53
60
|
def period_for(request)
|
54
61
|
period.respond_to?(:call) ? period.call(request) : period
|
55
62
|
end
|
data/lib/rack/attack/version.rb
CHANGED
data/lib/rack/attack.rb
CHANGED
@@ -6,6 +6,12 @@ require 'rack/attack/cache'
|
|
6
6
|
require 'rack/attack/configuration'
|
7
7
|
require 'rack/attack/path_normalizer'
|
8
8
|
require 'rack/attack/request'
|
9
|
+
require 'rack/attack/store_proxy/dalli_proxy'
|
10
|
+
require 'rack/attack/store_proxy/mem_cache_store_proxy'
|
11
|
+
require 'rack/attack/store_proxy/redis_proxy'
|
12
|
+
require 'rack/attack/store_proxy/redis_store_proxy'
|
13
|
+
require 'rack/attack/store_proxy/redis_cache_store_proxy'
|
14
|
+
require 'rack/attack/store_proxy/active_support_redis_store_proxy'
|
9
15
|
|
10
16
|
require 'rack/attack/railtie' if defined?(::Rails)
|
11
17
|
|
@@ -21,18 +27,11 @@ module Rack
|
|
21
27
|
autoload :Safelist, 'rack/attack/safelist'
|
22
28
|
autoload :Blocklist, 'rack/attack/blocklist'
|
23
29
|
autoload :Track, 'rack/attack/track'
|
24
|
-
autoload :StoreProxy, 'rack/attack/store_proxy'
|
25
|
-
autoload :DalliProxy, 'rack/attack/store_proxy/dalli_proxy'
|
26
|
-
autoload :MemCacheStoreProxy, 'rack/attack/store_proxy/mem_cache_store_proxy'
|
27
|
-
autoload :RedisProxy, 'rack/attack/store_proxy/redis_proxy'
|
28
|
-
autoload :RedisStoreProxy, 'rack/attack/store_proxy/redis_store_proxy'
|
29
|
-
autoload :RedisCacheStoreProxy, 'rack/attack/store_proxy/redis_cache_store_proxy'
|
30
|
-
autoload :ActiveSupportRedisStoreProxy, 'rack/attack/store_proxy/active_support_redis_store_proxy'
|
31
30
|
autoload :Fail2Ban, 'rack/attack/fail2ban'
|
32
31
|
autoload :Allow2Ban, 'rack/attack/allow2ban'
|
33
32
|
|
34
33
|
class << self
|
35
|
-
attr_accessor :enabled, :notifier
|
34
|
+
attr_accessor :enabled, :notifier, :throttle_discriminator_normalizer
|
36
35
|
attr_reader :configuration
|
37
36
|
|
38
37
|
def instrument(request)
|
@@ -67,6 +66,10 @@ module Rack
|
|
67
66
|
:safelist_ip,
|
68
67
|
:throttle,
|
69
68
|
:track,
|
69
|
+
:throttled_responder,
|
70
|
+
:throttled_responder=,
|
71
|
+
:blocklisted_responder,
|
72
|
+
:blocklisted_responder=,
|
70
73
|
:blocklisted_response,
|
71
74
|
:blocklisted_response=,
|
72
75
|
:throttled_response,
|
@@ -84,6 +87,9 @@ module Rack
|
|
84
87
|
# Set defaults
|
85
88
|
@enabled = true
|
86
89
|
@notifier = ActiveSupport::Notifications if defined?(ActiveSupport::Notifications)
|
90
|
+
@throttle_discriminator_normalizer = lambda do |discriminator|
|
91
|
+
discriminator.to_s.strip.downcase
|
92
|
+
end
|
87
93
|
@configuration = Configuration.new
|
88
94
|
|
89
95
|
attr_reader :configuration
|
@@ -103,9 +109,19 @@ module Rack
|
|
103
109
|
if configuration.safelisted?(request)
|
104
110
|
@app.call(env)
|
105
111
|
elsif configuration.blocklisted?(request)
|
106
|
-
|
112
|
+
# Deprecated: Keeping blocklisted_response for backwards compatibility
|
113
|
+
if configuration.blocklisted_response
|
114
|
+
configuration.blocklisted_response.call(env)
|
115
|
+
else
|
116
|
+
configuration.blocklisted_responder.call(request)
|
117
|
+
end
|
107
118
|
elsif configuration.throttled?(request)
|
108
|
-
|
119
|
+
# Deprecated: Keeping throttled_response for backwards compatibility
|
120
|
+
if configuration.throttled_response
|
121
|
+
configuration.throttled_response.call(env)
|
122
|
+
else
|
123
|
+
configuration.throttled_responder.call(request)
|
124
|
+
end
|
109
125
|
else
|
110
126
|
configuration.tracked?(request)
|
111
127
|
@app.call(env)
|
@@ -14,7 +14,7 @@ describe "Customizing block responses" do
|
|
14
14
|
|
15
15
|
assert_equal 403, last_response.status
|
16
16
|
|
17
|
-
Rack::Attack.
|
17
|
+
Rack::Attack.blocklisted_responder = lambda do |_req|
|
18
18
|
[503, {}, ["Blocked"]]
|
19
19
|
end
|
20
20
|
|
@@ -28,9 +28,9 @@ describe "Customizing block responses" do
|
|
28
28
|
matched = nil
|
29
29
|
match_type = nil
|
30
30
|
|
31
|
-
Rack::Attack.
|
32
|
-
matched = env['rack.attack.matched']
|
33
|
-
match_type = env['rack.attack.match_type']
|
31
|
+
Rack::Attack.blocklisted_responder = lambda do |req|
|
32
|
+
matched = req.env['rack.attack.matched']
|
33
|
+
match_type = req.env['rack.attack.match_type']
|
34
34
|
|
35
35
|
[503, {}, ["Blocked"]]
|
36
36
|
end
|
@@ -40,4 +40,21 @@ describe "Customizing block responses" do
|
|
40
40
|
assert_equal "block 1.2.3.4", matched
|
41
41
|
assert_equal :blocklist, match_type
|
42
42
|
end
|
43
|
+
|
44
|
+
it "supports old style" do
|
45
|
+
get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
|
46
|
+
|
47
|
+
assert_equal 403, last_response.status
|
48
|
+
|
49
|
+
silence_warnings do
|
50
|
+
Rack::Attack.blocklisted_response = lambda do |_env|
|
51
|
+
[503, {}, ["Blocked"]]
|
52
|
+
end
|
53
|
+
end
|
54
|
+
|
55
|
+
get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
|
56
|
+
|
57
|
+
assert_equal 503, last_response.status
|
58
|
+
assert_equal "Blocked", last_response.body
|
59
|
+
end
|
43
60
|
end
|
@@ -20,7 +20,7 @@ describe "Customizing throttled response" do
|
|
20
20
|
|
21
21
|
assert_equal 429, last_response.status
|
22
22
|
|
23
|
-
Rack::Attack.
|
23
|
+
Rack::Attack.throttled_responder = lambda do |_req|
|
24
24
|
[503, {}, ["Throttled"]]
|
25
25
|
end
|
26
26
|
|
@@ -36,11 +36,11 @@ describe "Customizing throttled response" do
|
|
36
36
|
match_data = nil
|
37
37
|
match_discriminator = nil
|
38
38
|
|
39
|
-
Rack::Attack.
|
40
|
-
matched = env['rack.attack.matched']
|
41
|
-
match_type = env['rack.attack.match_type']
|
42
|
-
match_data = env['rack.attack.match_data']
|
43
|
-
match_discriminator = env['rack.attack.match_discriminator']
|
39
|
+
Rack::Attack.throttled_responder = lambda do |req|
|
40
|
+
matched = req.env['rack.attack.matched']
|
41
|
+
match_type = req.env['rack.attack.match_type']
|
42
|
+
match_data = req.env['rack.attack.match_data']
|
43
|
+
match_discriminator = req.env['rack.attack.match_discriminator']
|
44
44
|
|
45
45
|
[429, {}, ["Throttled"]]
|
46
46
|
end
|
@@ -58,4 +58,25 @@ describe "Customizing throttled response" do
|
|
58
58
|
get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
|
59
59
|
assert_equal 3, match_data[:count]
|
60
60
|
end
|
61
|
+
|
62
|
+
it "supports old style" do
|
63
|
+
get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
|
64
|
+
|
65
|
+
assert_equal 200, last_response.status
|
66
|
+
|
67
|
+
get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
|
68
|
+
|
69
|
+
assert_equal 429, last_response.status
|
70
|
+
|
71
|
+
silence_warnings do
|
72
|
+
Rack::Attack.throttled_response = lambda do |_req|
|
73
|
+
[503, {}, ["Throttled"]]
|
74
|
+
end
|
75
|
+
end
|
76
|
+
|
77
|
+
get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
|
78
|
+
|
79
|
+
assert_equal 503, last_response.status
|
80
|
+
assert_equal "Throttled", last_response.body
|
81
|
+
end
|
61
82
|
end
|
@@ -12,24 +12,9 @@ if defined?(Rails)
|
|
12
12
|
end
|
13
13
|
end
|
14
14
|
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
assert_equal 1, @app.middleware.count(Rack::Attack)
|
19
|
-
end
|
20
|
-
|
21
|
-
it "is not added when it was explicitly deleted" do
|
22
|
-
@app.config.middleware.delete(Rack::Attack)
|
23
|
-
@app.initialize!
|
24
|
-
refute @app.middleware.include?(Rack::Attack)
|
25
|
-
end
|
26
|
-
end
|
27
|
-
|
28
|
-
if Gem::Version.new(Rails::VERSION::STRING) < Gem::Version.new("5.1")
|
29
|
-
it "is not used by default" do
|
30
|
-
@app.initialize!
|
31
|
-
assert_equal 0, @app.middleware.count(Rack::Attack)
|
32
|
-
end
|
15
|
+
it "is used by default" do
|
16
|
+
@app.initialize!
|
17
|
+
assert @app.middleware.include?(Rack::Attack)
|
33
18
|
end
|
34
19
|
end
|
35
20
|
end
|
@@ -2,7 +2,11 @@
|
|
2
2
|
|
3
3
|
require_relative "../../spec_helper"
|
4
4
|
|
5
|
-
|
5
|
+
should_run =
|
6
|
+
defined?(::Dalli) &&
|
7
|
+
Gem::Version.new(::Dalli::VERSION) < Gem::Version.new("3")
|
8
|
+
|
9
|
+
if should_run
|
6
10
|
require_relative "../../support/cache_store_helper"
|
7
11
|
require "active_support/cache/dalli_store"
|
8
12
|
require "timecop"
|
data/spec/rack_attack_spec.rb
CHANGED
@@ -64,15 +64,15 @@ describe 'Rack::Attack' do
|
|
64
64
|
end
|
65
65
|
end
|
66
66
|
|
67
|
-
describe '#
|
67
|
+
describe '#blocklisted_responder' do
|
68
68
|
it 'should exist' do
|
69
|
-
_(Rack::Attack.
|
69
|
+
_(Rack::Attack.blocklisted_responder).must_respond_to :call
|
70
70
|
end
|
71
71
|
end
|
72
72
|
|
73
|
-
describe '#
|
73
|
+
describe '#throttled_responder' do
|
74
74
|
it 'should exist' do
|
75
|
-
_(Rack::Attack.
|
75
|
+
_(Rack::Attack.throttled_responder).must_respond_to :call
|
76
76
|
end
|
77
77
|
end
|
78
78
|
end
|
@@ -144,3 +144,47 @@ describe 'Rack::Attack.throttle with block retuning nil' do
|
|
144
144
|
end
|
145
145
|
end
|
146
146
|
end
|
147
|
+
|
148
|
+
describe 'Rack::Attack.throttle with throttle_discriminator_normalizer' do
|
149
|
+
before do
|
150
|
+
@period = 60
|
151
|
+
@emails = [
|
152
|
+
"person@example.com",
|
153
|
+
"PERSON@example.com ",
|
154
|
+
" person@example.com\r\n ",
|
155
|
+
]
|
156
|
+
Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
|
157
|
+
Rack::Attack.throttle('logins/email', limit: 4, period: @period) do |req|
|
158
|
+
if req.path == '/login' && req.post?
|
159
|
+
req.params['email']
|
160
|
+
end
|
161
|
+
end
|
162
|
+
end
|
163
|
+
|
164
|
+
it 'should not differentiate requests when throttle_discriminator_normalizer is enabled' do
|
165
|
+
post_logins
|
166
|
+
key = "rack::attack:#{Time.now.to_i / @period}:logins/email:person@example.com"
|
167
|
+
_(Rack::Attack.cache.store.read(key)).must_equal 3
|
168
|
+
end
|
169
|
+
|
170
|
+
it 'should differentiate requests when throttle_discriminator_normalizer is disabled' do
|
171
|
+
begin
|
172
|
+
prev = Rack::Attack.throttle_discriminator_normalizer
|
173
|
+
Rack::Attack.throttle_discriminator_normalizer = nil
|
174
|
+
|
175
|
+
post_logins
|
176
|
+
@emails.each do |email|
|
177
|
+
key = "rack::attack:#{Time.now.to_i / @period}:logins/email:#{email}"
|
178
|
+
_(Rack::Attack.cache.store.read(key)).must_equal 1
|
179
|
+
end
|
180
|
+
ensure
|
181
|
+
Rack::Attack.throttle_discriminator_normalizer = prev
|
182
|
+
end
|
183
|
+
end
|
184
|
+
|
185
|
+
def post_logins
|
186
|
+
@emails.each do |email|
|
187
|
+
post '/login', email: email
|
188
|
+
end
|
189
|
+
end
|
190
|
+
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rack-attack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 6.
|
4
|
+
version: 6.6.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Aaron Suggs
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2022-04-14 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rack
|
@@ -185,7 +185,7 @@ dependencies:
|
|
185
185
|
version: '4.2'
|
186
186
|
- - "<"
|
187
187
|
- !ruby/object:Gem::Version
|
188
|
-
version: '
|
188
|
+
version: '7.1'
|
189
189
|
type: :development
|
190
190
|
prerelease: false
|
191
191
|
version_requirements: !ruby/object:Gem::Requirement
|
@@ -195,17 +195,19 @@ dependencies:
|
|
195
195
|
version: '4.2'
|
196
196
|
- - "<"
|
197
197
|
- !ruby/object:Gem::Version
|
198
|
-
version: '
|
198
|
+
version: '7.1'
|
199
199
|
description: A rack middleware for throttling and blocking abusive requests
|
200
200
|
email: aaron@ktheory.com
|
201
201
|
executables: []
|
202
202
|
extensions: []
|
203
203
|
extra_rdoc_files: []
|
204
204
|
files:
|
205
|
+
- LICENSE
|
205
206
|
- README.md
|
206
207
|
- Rakefile
|
207
208
|
- lib/rack/attack.rb
|
208
209
|
- lib/rack/attack/allow2ban.rb
|
210
|
+
- lib/rack/attack/base_proxy.rb
|
209
211
|
- lib/rack/attack/blocklist.rb
|
210
212
|
- lib/rack/attack/cache.rb
|
211
213
|
- lib/rack/attack/check.rb
|
@@ -215,7 +217,6 @@ files:
|
|
215
217
|
- lib/rack/attack/railtie.rb
|
216
218
|
- lib/rack/attack/request.rb
|
217
219
|
- lib/rack/attack/safelist.rb
|
218
|
-
- lib/rack/attack/store_proxy.rb
|
219
220
|
- lib/rack/attack/store_proxy/active_support_redis_store_proxy.rb
|
220
221
|
- lib/rack/attack/store_proxy/dalli_proxy.rb
|
221
222
|
- lib/rack/attack/store_proxy/mem_cache_store_proxy.rb
|
@@ -272,7 +273,7 @@ licenses:
|
|
272
273
|
- MIT
|
273
274
|
metadata:
|
274
275
|
bug_tracker_uri: https://github.com/rack/rack-attack/issues
|
275
|
-
changelog_uri: https://github.com/rack/rack-attack/blob/
|
276
|
+
changelog_uri: https://github.com/rack/rack-attack/blob/main/CHANGELOG.md
|
276
277
|
source_code_uri: https://github.com/rack/rack-attack
|
277
278
|
post_install_message:
|
278
279
|
rdoc_options:
|
@@ -290,7 +291,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
290
291
|
- !ruby/object:Gem::Version
|
291
292
|
version: '0'
|
292
293
|
requirements: []
|
293
|
-
rubygems_version: 3.
|
294
|
+
rubygems_version: 3.3.11
|
294
295
|
signing_key:
|
295
296
|
specification_version: 4
|
296
297
|
summary: Block & throttle abusive requests
|
@@ -1,21 +0,0 @@
|
|
1
|
-
# frozen_string_literal: true
|
2
|
-
|
3
|
-
module Rack
|
4
|
-
class Attack
|
5
|
-
module StoreProxy
|
6
|
-
PROXIES = [
|
7
|
-
DalliProxy,
|
8
|
-
MemCacheStoreProxy,
|
9
|
-
RedisStoreProxy,
|
10
|
-
RedisProxy,
|
11
|
-
RedisCacheStoreProxy,
|
12
|
-
ActiveSupportRedisStoreProxy
|
13
|
-
].freeze
|
14
|
-
|
15
|
-
def self.build(store)
|
16
|
-
klass = PROXIES.find { |proxy| proxy.handle?(store) }
|
17
|
-
klass ? klass.new(store) : store
|
18
|
-
end
|
19
|
-
end
|
20
|
-
end
|
21
|
-
end
|