rack-attack 6.4.0 → 6.6.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/LICENSE +21 -0
- data/README.md +15 -20
- data/lib/rack/attack/base_proxy.rb +27 -0
- data/lib/rack/attack/cache.rb +6 -1
- data/lib/rack/attack/configuration.rb +26 -8
- data/lib/rack/attack/railtie.rb +1 -3
- data/lib/rack/attack/store_proxy/active_support_redis_store_proxy.rb +2 -2
- data/lib/rack/attack/store_proxy/dalli_proxy.rb +2 -2
- data/lib/rack/attack/store_proxy/mem_cache_store_proxy.rb +6 -2
- data/lib/rack/attack/store_proxy/redis_cache_store_proxy.rb +2 -2
- data/lib/rack/attack/store_proxy/redis_proxy.rb +6 -6
- data/lib/rack/attack/store_proxy/redis_store_proxy.rb +1 -1
- data/lib/rack/attack/throttle.rb +9 -2
- data/lib/rack/attack/version.rb +1 -1
- data/lib/rack/attack.rb +26 -10
- data/spec/acceptance/customizing_blocked_response_spec.rb +21 -4
- data/spec/acceptance/customizing_throttled_response_spec.rb +27 -6
- data/spec/acceptance/rails_middleware_spec.rb +3 -18
- data/spec/acceptance/stores/active_support_dalli_store_spec.rb +5 -1
- data/spec/rack_attack_spec.rb +4 -4
- data/spec/rack_attack_throttle_spec.rb +44 -0
- metadata +8 -7
- data/lib/rack/attack/store_proxy.rb +0 -21
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: '0399127f00624959bafee349ab2e6010acda84373c3df24ff18c3ff701a6c274'
|
4
|
+
data.tar.gz: 88bbb4465f8b7ecd0f82d9ad7217a66da96bb829c6982b0151ea2c19b5bba3c5
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 5a4d3d278b7c814c909ae0e01128f076f2ffcda003a56f688d803ccdfc5f72eeaa6c60412dc8e06769026f407860ac1259668fc61c0e87f1ef7a03434e17d982
|
7
|
+
data.tar.gz: 492e4659338b489d9fcdc3bd315148ec2e1802c6197ce4dc5d7eaf598c918866468387d1a2346bfc30c454605aeaa59aa7d9a4e50bdc08910b24a72c681053dc
|
data/LICENSE
ADDED
@@ -0,0 +1,21 @@
|
|
1
|
+
The MIT License
|
2
|
+
|
3
|
+
Copyright (c) 2016 Kickstarter, PBC
|
4
|
+
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
7
|
+
in the Software without restriction, including without limitation the rights
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
10
|
+
furnished to do so, subject to the following conditions:
|
11
|
+
|
12
|
+
The above copyright notice and this permission notice shall be included in
|
13
|
+
all copies or substantial portions of the Software.
|
14
|
+
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
21
|
+
THE SOFTWARE.
|
data/README.md
CHANGED
@@ -1,4 +1,4 @@
|
|
1
|
-
|
1
|
+
:warning: You are viewing the development's branch version of README which might contain documentation for unreleased features.
|
2
2
|
For the README consistent with the latest released version see https://github.com/rack/rack-attack/blob/6-stable/README.md.
|
3
3
|
|
4
4
|
# Rack::Attack
|
@@ -10,7 +10,7 @@ Protect your Rails and Rack apps from bad clients. Rack::Attack lets you easily
|
|
10
10
|
See the [Backing & Hacking blog post](https://www.kickstarter.com/backing-and-hacking/rack-attack-protection-from-abusive-clients) introducing Rack::Attack.
|
11
11
|
|
12
12
|
[![Gem Version](https://badge.fury.io/rb/rack-attack.svg)](https://badge.fury.io/rb/rack-attack)
|
13
|
-
[![
|
13
|
+
[![build](https://github.com/rack/rack-attack/actions/workflows/build.yml/badge.svg)](https://github.com/rack/rack-attack/actions/workflows/build.yml)
|
14
14
|
[![Code Climate](https://codeclimate.com/github/kickstarter/rack-attack.svg)](https://codeclimate.com/github/kickstarter/rack-attack)
|
15
15
|
[![Join the chat at https://gitter.im/rack-attack/rack-attack](https://badges.gitter.im/rack-attack/rack-attack.svg)](https://gitter.im/rack-attack/rack-attack)
|
16
16
|
|
@@ -71,12 +71,7 @@ Or install it yourself as:
|
|
71
71
|
|
72
72
|
Then tell your ruby web application to use rack-attack as a middleware.
|
73
73
|
|
74
|
-
a) For __rails__ applications
|
75
|
-
```ruby
|
76
|
-
# In config/application.rb
|
77
|
-
|
78
|
-
config.middleware.use Rack::Attack
|
79
|
-
```
|
74
|
+
a) For __rails__ applications it is used by default.
|
80
75
|
|
81
76
|
You can disable it permanently (like for specific environment) or temporarily (can be useful for specific test cases) by writing:
|
82
77
|
|
@@ -317,21 +312,21 @@ Note that `Rack::Attack.cache` is only used for throttling, allow2ban and fail2b
|
|
317
312
|
|
318
313
|
## Customizing responses
|
319
314
|
|
320
|
-
Customize the response of blocklisted and throttled requests using an object that adheres to the [Rack app interface](http://www.rubydoc.info/github/rack/rack/file/SPEC).
|
315
|
+
Customize the response of blocklisted and throttled requests using an object that adheres to the [Rack app interface](http://www.rubydoc.info/github/rack/rack/file/SPEC.rdoc).
|
321
316
|
|
322
317
|
```ruby
|
323
|
-
Rack::Attack.
|
318
|
+
Rack::Attack.blocklisted_responder = lambda do |request|
|
324
319
|
# Using 503 because it may make attacker think that they have successfully
|
325
320
|
# DOSed the site. Rack::Attack returns 403 for blocklists by default
|
326
321
|
[ 503, {}, ['Blocked']]
|
327
322
|
end
|
328
323
|
|
329
|
-
Rack::Attack.
|
324
|
+
Rack::Attack.throttled_responder = lambda do |request|
|
330
325
|
# NB: you have access to the name and other data about the matched throttle
|
331
|
-
# env['rack.attack.matched'],
|
332
|
-
# env['rack.attack.match_type'],
|
333
|
-
# env['rack.attack.match_data'],
|
334
|
-
# env['rack.attack.match_discriminator']
|
326
|
+
# request.env['rack.attack.matched'],
|
327
|
+
# request.env['rack.attack.match_type'],
|
328
|
+
# request.env['rack.attack.match_data'],
|
329
|
+
# request.env['rack.attack.match_discriminator']
|
335
330
|
|
336
331
|
# Using 503 because it may make attacker think that they have successfully
|
337
332
|
# DOSed the site. Rack::Attack returns 429 for throttling by default
|
@@ -352,8 +347,8 @@ Rack::Attack.throttled_response_retry_after_header = true
|
|
352
347
|
Here's an example response that includes conventional `RateLimit-*` headers:
|
353
348
|
|
354
349
|
```ruby
|
355
|
-
Rack::Attack.
|
356
|
-
match_data = env['rack.attack.match_data']
|
350
|
+
Rack::Attack.throttled_responder = lambda do |request|
|
351
|
+
match_data = request.env['rack.attack.match_data']
|
357
352
|
now = match_data[:epoch_time]
|
358
353
|
|
359
354
|
headers = {
|
@@ -412,7 +407,7 @@ for more on how to do this.
|
|
412
407
|
|
413
408
|
### Test case isolation
|
414
409
|
|
415
|
-
`Rack::Attack.reset!` can be used in your test suite to clear any Rack::Attack state between different test cases.
|
410
|
+
`Rack::Attack.reset!` can be used in your test suite to clear any Rack::Attack state between different test cases. If you're testing blocklist and safelist configurations, consider using `Rack::Attack.clear_configuration` to unset the values for those lists between test cases.
|
416
411
|
|
417
412
|
## How it works
|
418
413
|
|
@@ -432,9 +427,9 @@ def call(env)
|
|
432
427
|
if safelisted?(req)
|
433
428
|
@app.call(env)
|
434
429
|
elsif blocklisted?(req)
|
435
|
-
self.class.
|
430
|
+
self.class.blocklisted_responder.call(req)
|
436
431
|
elsif throttled?(req)
|
437
|
-
self.class.
|
432
|
+
self.class.throttled_responder.call(req)
|
438
433
|
else
|
439
434
|
tracked?(req)
|
440
435
|
@app.call(env)
|
@@ -0,0 +1,27 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'delegate'
|
4
|
+
|
5
|
+
module Rack
|
6
|
+
class Attack
|
7
|
+
class BaseProxy < SimpleDelegator
|
8
|
+
class << self
|
9
|
+
def proxies
|
10
|
+
@@proxies ||= []
|
11
|
+
end
|
12
|
+
|
13
|
+
def inherited(klass)
|
14
|
+
proxies << klass
|
15
|
+
end
|
16
|
+
|
17
|
+
def lookup(store)
|
18
|
+
proxies.find { |proxy| proxy.handle?(store) }
|
19
|
+
end
|
20
|
+
|
21
|
+
def handle?(_store)
|
22
|
+
raise NotImplementedError
|
23
|
+
end
|
24
|
+
end
|
25
|
+
end
|
26
|
+
end
|
27
|
+
end
|
data/lib/rack/attack/cache.rb
CHANGED
@@ -5,22 +5,36 @@ require "ipaddr"
|
|
5
5
|
module Rack
|
6
6
|
class Attack
|
7
7
|
class Configuration
|
8
|
-
|
8
|
+
DEFAULT_BLOCKLISTED_RESPONDER = lambda { |_req| [403, { 'content-type' => 'text/plain' }, ["Forbidden\n"]] }
|
9
9
|
|
10
|
-
|
10
|
+
DEFAULT_THROTTLED_RESPONDER = lambda do |req|
|
11
11
|
if Rack::Attack.configuration.throttled_response_retry_after_header
|
12
|
-
match_data = env['rack.attack.match_data']
|
12
|
+
match_data = req.env['rack.attack.match_data']
|
13
13
|
now = match_data[:epoch_time]
|
14
14
|
retry_after = match_data[:period] - (now % match_data[:period])
|
15
15
|
|
16
|
-
[429, { '
|
16
|
+
[429, { 'content-type' => 'text/plain', 'retry-after' => retry_after.to_s }, ["Retry later\n"]]
|
17
17
|
else
|
18
|
-
[429, { '
|
18
|
+
[429, { 'content-type' => 'text/plain' }, ["Retry later\n"]]
|
19
19
|
end
|
20
20
|
end
|
21
21
|
|
22
22
|
attr_reader :safelists, :blocklists, :throttles, :anonymous_blocklists, :anonymous_safelists
|
23
|
-
attr_accessor :
|
23
|
+
attr_accessor :blocklisted_responder, :throttled_responder, :throttled_response_retry_after_header
|
24
|
+
|
25
|
+
attr_reader :blocklisted_response, :throttled_response # Keeping these for backwards compatibility
|
26
|
+
|
27
|
+
def blocklisted_response=(responder)
|
28
|
+
warn "[DEPRECATION] Rack::Attack.blocklisted_response is deprecated. "\
|
29
|
+
"Please use Rack::Attack.blocklisted_responder instead."
|
30
|
+
@blocklisted_response = responder
|
31
|
+
end
|
32
|
+
|
33
|
+
def throttled_response=(responder)
|
34
|
+
warn "[DEPRECATION] Rack::Attack.throttled_response is deprecated. "\
|
35
|
+
"Please use Rack::Attack.throttled_responder instead"
|
36
|
+
@throttled_response = responder
|
37
|
+
end
|
24
38
|
|
25
39
|
def initialize
|
26
40
|
set_defaults
|
@@ -99,8 +113,12 @@ module Rack
|
|
99
113
|
@anonymous_safelists = []
|
100
114
|
@throttled_response_retry_after_header = false
|
101
115
|
|
102
|
-
@
|
103
|
-
@
|
116
|
+
@blocklisted_responder = DEFAULT_BLOCKLISTED_RESPONDER
|
117
|
+
@throttled_responder = DEFAULT_THROTTLED_RESPONDER
|
118
|
+
|
119
|
+
# Deprecated: Keeping these for backwards compatibility
|
120
|
+
@blocklisted_response = nil
|
121
|
+
@throttled_response = nil
|
104
122
|
end
|
105
123
|
end
|
106
124
|
end
|
data/lib/rack/attack/railtie.rb
CHANGED
@@ -4,9 +4,7 @@ module Rack
|
|
4
4
|
class Attack
|
5
5
|
class Railtie < ::Rails::Railtie
|
6
6
|
initializer "rack-attack.middleware" do |app|
|
7
|
-
|
8
|
-
app.middleware.use(Rack::Attack)
|
9
|
-
end
|
7
|
+
app.middleware.use(Rack::Attack)
|
10
8
|
end
|
11
9
|
end
|
12
10
|
end
|
@@ -1,11 +1,11 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
|
-
require '
|
3
|
+
require 'rack/attack/base_proxy'
|
4
4
|
|
5
5
|
module Rack
|
6
6
|
class Attack
|
7
7
|
module StoreProxy
|
8
|
-
class ActiveSupportRedisStoreProxy <
|
8
|
+
class ActiveSupportRedisStoreProxy < BaseProxy
|
9
9
|
def self.handle?(store)
|
10
10
|
defined?(::Redis) &&
|
11
11
|
defined?(::ActiveSupport::Cache::RedisStore) &&
|
@@ -1,11 +1,11 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
|
-
require '
|
3
|
+
require 'rack/attack/base_proxy'
|
4
4
|
|
5
5
|
module Rack
|
6
6
|
class Attack
|
7
7
|
module StoreProxy
|
8
|
-
class DalliProxy <
|
8
|
+
class DalliProxy < BaseProxy
|
9
9
|
def self.handle?(store)
|
10
10
|
return false unless defined?(::Dalli)
|
11
11
|
|
@@ -1,17 +1,21 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
|
-
require '
|
3
|
+
require 'rack/attack/base_proxy'
|
4
4
|
|
5
5
|
module Rack
|
6
6
|
class Attack
|
7
7
|
module StoreProxy
|
8
|
-
class MemCacheStoreProxy <
|
8
|
+
class MemCacheStoreProxy < BaseProxy
|
9
9
|
def self.handle?(store)
|
10
10
|
defined?(::Dalli) &&
|
11
11
|
defined?(::ActiveSupport::Cache::MemCacheStore) &&
|
12
12
|
store.is_a?(::ActiveSupport::Cache::MemCacheStore)
|
13
13
|
end
|
14
14
|
|
15
|
+
def read(name, options = {})
|
16
|
+
super(name, options.merge!(raw: true))
|
17
|
+
end
|
18
|
+
|
15
19
|
def write(name, value, options = {})
|
16
20
|
super(name, value, options.merge!(raw: true))
|
17
21
|
end
|
@@ -1,11 +1,11 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
|
-
require '
|
3
|
+
require 'rack/attack/base_proxy'
|
4
4
|
|
5
5
|
module Rack
|
6
6
|
class Attack
|
7
7
|
module StoreProxy
|
8
|
-
class RedisCacheStoreProxy <
|
8
|
+
class RedisCacheStoreProxy < BaseProxy
|
9
9
|
def self.handle?(store)
|
10
10
|
store.class.name == "ActiveSupport::Cache::RedisCacheStore"
|
11
11
|
end
|
@@ -1,11 +1,11 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
|
-
require '
|
3
|
+
require 'rack/attack/base_proxy'
|
4
4
|
|
5
5
|
module Rack
|
6
6
|
class Attack
|
7
7
|
module StoreProxy
|
8
|
-
class RedisProxy <
|
8
|
+
class RedisProxy < BaseProxy
|
9
9
|
def initialize(*args)
|
10
10
|
if Gem::Version.new(Redis::VERSION) < Gem::Version.new("3")
|
11
11
|
warn 'RackAttack requires Redis gem >= 3.0.0.'
|
@@ -15,7 +15,7 @@ module Rack
|
|
15
15
|
end
|
16
16
|
|
17
17
|
def self.handle?(store)
|
18
|
-
defined?(::Redis) && store.
|
18
|
+
defined?(::Redis) && store.class == ::Redis
|
19
19
|
end
|
20
20
|
|
21
21
|
def read(key)
|
@@ -32,9 +32,9 @@ module Rack
|
|
32
32
|
|
33
33
|
def increment(key, amount, options = {})
|
34
34
|
rescuing do
|
35
|
-
pipelined do
|
36
|
-
incrby(key, amount)
|
37
|
-
expire(key, options[:expires_in]) if options[:expires_in]
|
35
|
+
pipelined do |redis|
|
36
|
+
redis.incrby(key, amount)
|
37
|
+
redis.expire(key, options[:expires_in]) if options[:expires_in]
|
38
38
|
end.first
|
39
39
|
end
|
40
40
|
end
|
data/lib/rack/attack/throttle.rb
CHANGED
@@ -23,8 +23,7 @@ module Rack
|
|
23
23
|
end
|
24
24
|
|
25
25
|
def matched_by?(request)
|
26
|
-
discriminator =
|
27
|
-
|
26
|
+
discriminator = discriminator_for(request)
|
28
27
|
return false unless discriminator
|
29
28
|
|
30
29
|
current_period = period_for(request)
|
@@ -50,6 +49,14 @@ module Rack
|
|
50
49
|
|
51
50
|
private
|
52
51
|
|
52
|
+
def discriminator_for(request)
|
53
|
+
discriminator = block.call(request)
|
54
|
+
if discriminator && Rack::Attack.throttle_discriminator_normalizer
|
55
|
+
discriminator = Rack::Attack.throttle_discriminator_normalizer.call(discriminator)
|
56
|
+
end
|
57
|
+
discriminator
|
58
|
+
end
|
59
|
+
|
53
60
|
def period_for(request)
|
54
61
|
period.respond_to?(:call) ? period.call(request) : period
|
55
62
|
end
|
data/lib/rack/attack/version.rb
CHANGED
data/lib/rack/attack.rb
CHANGED
@@ -6,6 +6,12 @@ require 'rack/attack/cache'
|
|
6
6
|
require 'rack/attack/configuration'
|
7
7
|
require 'rack/attack/path_normalizer'
|
8
8
|
require 'rack/attack/request'
|
9
|
+
require 'rack/attack/store_proxy/dalli_proxy'
|
10
|
+
require 'rack/attack/store_proxy/mem_cache_store_proxy'
|
11
|
+
require 'rack/attack/store_proxy/redis_proxy'
|
12
|
+
require 'rack/attack/store_proxy/redis_store_proxy'
|
13
|
+
require 'rack/attack/store_proxy/redis_cache_store_proxy'
|
14
|
+
require 'rack/attack/store_proxy/active_support_redis_store_proxy'
|
9
15
|
|
10
16
|
require 'rack/attack/railtie' if defined?(::Rails)
|
11
17
|
|
@@ -21,18 +27,11 @@ module Rack
|
|
21
27
|
autoload :Safelist, 'rack/attack/safelist'
|
22
28
|
autoload :Blocklist, 'rack/attack/blocklist'
|
23
29
|
autoload :Track, 'rack/attack/track'
|
24
|
-
autoload :StoreProxy, 'rack/attack/store_proxy'
|
25
|
-
autoload :DalliProxy, 'rack/attack/store_proxy/dalli_proxy'
|
26
|
-
autoload :MemCacheStoreProxy, 'rack/attack/store_proxy/mem_cache_store_proxy'
|
27
|
-
autoload :RedisProxy, 'rack/attack/store_proxy/redis_proxy'
|
28
|
-
autoload :RedisStoreProxy, 'rack/attack/store_proxy/redis_store_proxy'
|
29
|
-
autoload :RedisCacheStoreProxy, 'rack/attack/store_proxy/redis_cache_store_proxy'
|
30
|
-
autoload :ActiveSupportRedisStoreProxy, 'rack/attack/store_proxy/active_support_redis_store_proxy'
|
31
30
|
autoload :Fail2Ban, 'rack/attack/fail2ban'
|
32
31
|
autoload :Allow2Ban, 'rack/attack/allow2ban'
|
33
32
|
|
34
33
|
class << self
|
35
|
-
attr_accessor :enabled, :notifier
|
34
|
+
attr_accessor :enabled, :notifier, :throttle_discriminator_normalizer
|
36
35
|
attr_reader :configuration
|
37
36
|
|
38
37
|
def instrument(request)
|
@@ -67,6 +66,10 @@ module Rack
|
|
67
66
|
:safelist_ip,
|
68
67
|
:throttle,
|
69
68
|
:track,
|
69
|
+
:throttled_responder,
|
70
|
+
:throttled_responder=,
|
71
|
+
:blocklisted_responder,
|
72
|
+
:blocklisted_responder=,
|
70
73
|
:blocklisted_response,
|
71
74
|
:blocklisted_response=,
|
72
75
|
:throttled_response,
|
@@ -84,6 +87,9 @@ module Rack
|
|
84
87
|
# Set defaults
|
85
88
|
@enabled = true
|
86
89
|
@notifier = ActiveSupport::Notifications if defined?(ActiveSupport::Notifications)
|
90
|
+
@throttle_discriminator_normalizer = lambda do |discriminator|
|
91
|
+
discriminator.to_s.strip.downcase
|
92
|
+
end
|
87
93
|
@configuration = Configuration.new
|
88
94
|
|
89
95
|
attr_reader :configuration
|
@@ -103,9 +109,19 @@ module Rack
|
|
103
109
|
if configuration.safelisted?(request)
|
104
110
|
@app.call(env)
|
105
111
|
elsif configuration.blocklisted?(request)
|
106
|
-
|
112
|
+
# Deprecated: Keeping blocklisted_response for backwards compatibility
|
113
|
+
if configuration.blocklisted_response
|
114
|
+
configuration.blocklisted_response.call(env)
|
115
|
+
else
|
116
|
+
configuration.blocklisted_responder.call(request)
|
117
|
+
end
|
107
118
|
elsif configuration.throttled?(request)
|
108
|
-
|
119
|
+
# Deprecated: Keeping throttled_response for backwards compatibility
|
120
|
+
if configuration.throttled_response
|
121
|
+
configuration.throttled_response.call(env)
|
122
|
+
else
|
123
|
+
configuration.throttled_responder.call(request)
|
124
|
+
end
|
109
125
|
else
|
110
126
|
configuration.tracked?(request)
|
111
127
|
@app.call(env)
|
@@ -14,7 +14,7 @@ describe "Customizing block responses" do
|
|
14
14
|
|
15
15
|
assert_equal 403, last_response.status
|
16
16
|
|
17
|
-
Rack::Attack.
|
17
|
+
Rack::Attack.blocklisted_responder = lambda do |_req|
|
18
18
|
[503, {}, ["Blocked"]]
|
19
19
|
end
|
20
20
|
|
@@ -28,9 +28,9 @@ describe "Customizing block responses" do
|
|
28
28
|
matched = nil
|
29
29
|
match_type = nil
|
30
30
|
|
31
|
-
Rack::Attack.
|
32
|
-
matched = env['rack.attack.matched']
|
33
|
-
match_type = env['rack.attack.match_type']
|
31
|
+
Rack::Attack.blocklisted_responder = lambda do |req|
|
32
|
+
matched = req.env['rack.attack.matched']
|
33
|
+
match_type = req.env['rack.attack.match_type']
|
34
34
|
|
35
35
|
[503, {}, ["Blocked"]]
|
36
36
|
end
|
@@ -40,4 +40,21 @@ describe "Customizing block responses" do
|
|
40
40
|
assert_equal "block 1.2.3.4", matched
|
41
41
|
assert_equal :blocklist, match_type
|
42
42
|
end
|
43
|
+
|
44
|
+
it "supports old style" do
|
45
|
+
get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
|
46
|
+
|
47
|
+
assert_equal 403, last_response.status
|
48
|
+
|
49
|
+
silence_warnings do
|
50
|
+
Rack::Attack.blocklisted_response = lambda do |_env|
|
51
|
+
[503, {}, ["Blocked"]]
|
52
|
+
end
|
53
|
+
end
|
54
|
+
|
55
|
+
get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
|
56
|
+
|
57
|
+
assert_equal 503, last_response.status
|
58
|
+
assert_equal "Blocked", last_response.body
|
59
|
+
end
|
43
60
|
end
|
@@ -20,7 +20,7 @@ describe "Customizing throttled response" do
|
|
20
20
|
|
21
21
|
assert_equal 429, last_response.status
|
22
22
|
|
23
|
-
Rack::Attack.
|
23
|
+
Rack::Attack.throttled_responder = lambda do |_req|
|
24
24
|
[503, {}, ["Throttled"]]
|
25
25
|
end
|
26
26
|
|
@@ -36,11 +36,11 @@ describe "Customizing throttled response" do
|
|
36
36
|
match_data = nil
|
37
37
|
match_discriminator = nil
|
38
38
|
|
39
|
-
Rack::Attack.
|
40
|
-
matched = env['rack.attack.matched']
|
41
|
-
match_type = env['rack.attack.match_type']
|
42
|
-
match_data = env['rack.attack.match_data']
|
43
|
-
match_discriminator = env['rack.attack.match_discriminator']
|
39
|
+
Rack::Attack.throttled_responder = lambda do |req|
|
40
|
+
matched = req.env['rack.attack.matched']
|
41
|
+
match_type = req.env['rack.attack.match_type']
|
42
|
+
match_data = req.env['rack.attack.match_data']
|
43
|
+
match_discriminator = req.env['rack.attack.match_discriminator']
|
44
44
|
|
45
45
|
[429, {}, ["Throttled"]]
|
46
46
|
end
|
@@ -58,4 +58,25 @@ describe "Customizing throttled response" do
|
|
58
58
|
get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
|
59
59
|
assert_equal 3, match_data[:count]
|
60
60
|
end
|
61
|
+
|
62
|
+
it "supports old style" do
|
63
|
+
get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
|
64
|
+
|
65
|
+
assert_equal 200, last_response.status
|
66
|
+
|
67
|
+
get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
|
68
|
+
|
69
|
+
assert_equal 429, last_response.status
|
70
|
+
|
71
|
+
silence_warnings do
|
72
|
+
Rack::Attack.throttled_response = lambda do |_req|
|
73
|
+
[503, {}, ["Throttled"]]
|
74
|
+
end
|
75
|
+
end
|
76
|
+
|
77
|
+
get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
|
78
|
+
|
79
|
+
assert_equal 503, last_response.status
|
80
|
+
assert_equal "Throttled", last_response.body
|
81
|
+
end
|
61
82
|
end
|
@@ -12,24 +12,9 @@ if defined?(Rails)
|
|
12
12
|
end
|
13
13
|
end
|
14
14
|
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
assert_equal 1, @app.middleware.count(Rack::Attack)
|
19
|
-
end
|
20
|
-
|
21
|
-
it "is not added when it was explicitly deleted" do
|
22
|
-
@app.config.middleware.delete(Rack::Attack)
|
23
|
-
@app.initialize!
|
24
|
-
refute @app.middleware.include?(Rack::Attack)
|
25
|
-
end
|
26
|
-
end
|
27
|
-
|
28
|
-
if Gem::Version.new(Rails::VERSION::STRING) < Gem::Version.new("5.1")
|
29
|
-
it "is not used by default" do
|
30
|
-
@app.initialize!
|
31
|
-
assert_equal 0, @app.middleware.count(Rack::Attack)
|
32
|
-
end
|
15
|
+
it "is used by default" do
|
16
|
+
@app.initialize!
|
17
|
+
assert @app.middleware.include?(Rack::Attack)
|
33
18
|
end
|
34
19
|
end
|
35
20
|
end
|
@@ -2,7 +2,11 @@
|
|
2
2
|
|
3
3
|
require_relative "../../spec_helper"
|
4
4
|
|
5
|
-
|
5
|
+
should_run =
|
6
|
+
defined?(::Dalli) &&
|
7
|
+
Gem::Version.new(::Dalli::VERSION) < Gem::Version.new("3")
|
8
|
+
|
9
|
+
if should_run
|
6
10
|
require_relative "../../support/cache_store_helper"
|
7
11
|
require "active_support/cache/dalli_store"
|
8
12
|
require "timecop"
|
data/spec/rack_attack_spec.rb
CHANGED
@@ -64,15 +64,15 @@ describe 'Rack::Attack' do
|
|
64
64
|
end
|
65
65
|
end
|
66
66
|
|
67
|
-
describe '#
|
67
|
+
describe '#blocklisted_responder' do
|
68
68
|
it 'should exist' do
|
69
|
-
_(Rack::Attack.
|
69
|
+
_(Rack::Attack.blocklisted_responder).must_respond_to :call
|
70
70
|
end
|
71
71
|
end
|
72
72
|
|
73
|
-
describe '#
|
73
|
+
describe '#throttled_responder' do
|
74
74
|
it 'should exist' do
|
75
|
-
_(Rack::Attack.
|
75
|
+
_(Rack::Attack.throttled_responder).must_respond_to :call
|
76
76
|
end
|
77
77
|
end
|
78
78
|
end
|
@@ -144,3 +144,47 @@ describe 'Rack::Attack.throttle with block retuning nil' do
|
|
144
144
|
end
|
145
145
|
end
|
146
146
|
end
|
147
|
+
|
148
|
+
describe 'Rack::Attack.throttle with throttle_discriminator_normalizer' do
|
149
|
+
before do
|
150
|
+
@period = 60
|
151
|
+
@emails = [
|
152
|
+
"person@example.com",
|
153
|
+
"PERSON@example.com ",
|
154
|
+
" person@example.com\r\n ",
|
155
|
+
]
|
156
|
+
Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
|
157
|
+
Rack::Attack.throttle('logins/email', limit: 4, period: @period) do |req|
|
158
|
+
if req.path == '/login' && req.post?
|
159
|
+
req.params['email']
|
160
|
+
end
|
161
|
+
end
|
162
|
+
end
|
163
|
+
|
164
|
+
it 'should not differentiate requests when throttle_discriminator_normalizer is enabled' do
|
165
|
+
post_logins
|
166
|
+
key = "rack::attack:#{Time.now.to_i / @period}:logins/email:person@example.com"
|
167
|
+
_(Rack::Attack.cache.store.read(key)).must_equal 3
|
168
|
+
end
|
169
|
+
|
170
|
+
it 'should differentiate requests when throttle_discriminator_normalizer is disabled' do
|
171
|
+
begin
|
172
|
+
prev = Rack::Attack.throttle_discriminator_normalizer
|
173
|
+
Rack::Attack.throttle_discriminator_normalizer = nil
|
174
|
+
|
175
|
+
post_logins
|
176
|
+
@emails.each do |email|
|
177
|
+
key = "rack::attack:#{Time.now.to_i / @period}:logins/email:#{email}"
|
178
|
+
_(Rack::Attack.cache.store.read(key)).must_equal 1
|
179
|
+
end
|
180
|
+
ensure
|
181
|
+
Rack::Attack.throttle_discriminator_normalizer = prev
|
182
|
+
end
|
183
|
+
end
|
184
|
+
|
185
|
+
def post_logins
|
186
|
+
@emails.each do |email|
|
187
|
+
post '/login', email: email
|
188
|
+
end
|
189
|
+
end
|
190
|
+
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rack-attack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 6.
|
4
|
+
version: 6.6.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Aaron Suggs
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2022-04-14 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rack
|
@@ -185,7 +185,7 @@ dependencies:
|
|
185
185
|
version: '4.2'
|
186
186
|
- - "<"
|
187
187
|
- !ruby/object:Gem::Version
|
188
|
-
version: '
|
188
|
+
version: '7.1'
|
189
189
|
type: :development
|
190
190
|
prerelease: false
|
191
191
|
version_requirements: !ruby/object:Gem::Requirement
|
@@ -195,17 +195,19 @@ dependencies:
|
|
195
195
|
version: '4.2'
|
196
196
|
- - "<"
|
197
197
|
- !ruby/object:Gem::Version
|
198
|
-
version: '
|
198
|
+
version: '7.1'
|
199
199
|
description: A rack middleware for throttling and blocking abusive requests
|
200
200
|
email: aaron@ktheory.com
|
201
201
|
executables: []
|
202
202
|
extensions: []
|
203
203
|
extra_rdoc_files: []
|
204
204
|
files:
|
205
|
+
- LICENSE
|
205
206
|
- README.md
|
206
207
|
- Rakefile
|
207
208
|
- lib/rack/attack.rb
|
208
209
|
- lib/rack/attack/allow2ban.rb
|
210
|
+
- lib/rack/attack/base_proxy.rb
|
209
211
|
- lib/rack/attack/blocklist.rb
|
210
212
|
- lib/rack/attack/cache.rb
|
211
213
|
- lib/rack/attack/check.rb
|
@@ -215,7 +217,6 @@ files:
|
|
215
217
|
- lib/rack/attack/railtie.rb
|
216
218
|
- lib/rack/attack/request.rb
|
217
219
|
- lib/rack/attack/safelist.rb
|
218
|
-
- lib/rack/attack/store_proxy.rb
|
219
220
|
- lib/rack/attack/store_proxy/active_support_redis_store_proxy.rb
|
220
221
|
- lib/rack/attack/store_proxy/dalli_proxy.rb
|
221
222
|
- lib/rack/attack/store_proxy/mem_cache_store_proxy.rb
|
@@ -272,7 +273,7 @@ licenses:
|
|
272
273
|
- MIT
|
273
274
|
metadata:
|
274
275
|
bug_tracker_uri: https://github.com/rack/rack-attack/issues
|
275
|
-
changelog_uri: https://github.com/rack/rack-attack/blob/
|
276
|
+
changelog_uri: https://github.com/rack/rack-attack/blob/main/CHANGELOG.md
|
276
277
|
source_code_uri: https://github.com/rack/rack-attack
|
277
278
|
post_install_message:
|
278
279
|
rdoc_options:
|
@@ -290,7 +291,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
290
291
|
- !ruby/object:Gem::Version
|
291
292
|
version: '0'
|
292
293
|
requirements: []
|
293
|
-
rubygems_version: 3.
|
294
|
+
rubygems_version: 3.3.11
|
294
295
|
signing_key:
|
295
296
|
specification_version: 4
|
296
297
|
summary: Block & throttle abusive requests
|
@@ -1,21 +0,0 @@
|
|
1
|
-
# frozen_string_literal: true
|
2
|
-
|
3
|
-
module Rack
|
4
|
-
class Attack
|
5
|
-
module StoreProxy
|
6
|
-
PROXIES = [
|
7
|
-
DalliProxy,
|
8
|
-
MemCacheStoreProxy,
|
9
|
-
RedisStoreProxy,
|
10
|
-
RedisProxy,
|
11
|
-
RedisCacheStoreProxy,
|
12
|
-
ActiveSupportRedisStoreProxy
|
13
|
-
].freeze
|
14
|
-
|
15
|
-
def self.build(store)
|
16
|
-
klass = PROXIES.find { |proxy| proxy.handle?(store) }
|
17
|
-
klass ? klass.new(store) : store
|
18
|
-
end
|
19
|
-
end
|
20
|
-
end
|
21
|
-
end
|