RubyGems - rack-attack - Versions diffs - 6.5.0 → 6.6.1 - Mend

rack-attack 6.5.0 → 6.6.1

Files changed (13) hide show

checksums.yaml +4 -4
data/LICENSE +21 -0
data/README.md +14 -14
data/lib/rack/attack/configuration.rb +26 -8
data/lib/rack/attack/store_proxy/mem_cache_store_proxy.rb +4 -0
data/lib/rack/attack/store_proxy/redis_proxy.rb +3 -3
data/lib/rack/attack/version.rb +1 -1
data/lib/rack/attack.rb +16 -2
data/spec/acceptance/customizing_blocked_response_spec.rb +21 -4
data/spec/acceptance/customizing_throttled_response_spec.rb +27 -6
data/spec/acceptance/stores/active_support_dalli_store_spec.rb +5 -1
data/spec/rack_attack_spec.rb +4 -4
metadata +7 -6

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 81f6cce465b8441782ffaa3d446e558979de6a2ceadd9d43499b7977fa61586b
-  data.tar.gz: a2ee9b82f1144d483e7d26a893594ab6cada4dc52d98eb08d7615a38b49face8
+  metadata.gz: '0399127f00624959bafee349ab2e6010acda84373c3df24ff18c3ff701a6c274'
+  data.tar.gz: 88bbb4465f8b7ecd0f82d9ad7217a66da96bb829c6982b0151ea2c19b5bba3c5
 SHA512:
-  metadata.gz: b90fa7841d1e5319b820d4bca9c1fc8d266fc98c06f2a936ce6d31949d9fdd7ddab9183f82c5bbbc31e3e4280bba8e786bbe155f146fdcfdbf53ad263bfec63f
-  data.tar.gz: c91be495fbf25444632a1734f40f9fa85b35bf19d921a129ca402aceadf0d30b2a7d5797283ca7ac68e8f323569fa3edc1be98bcecd2c72aa15c3956dd611455
+  metadata.gz: 5a4d3d278b7c814c909ae0e01128f076f2ffcda003a56f688d803ccdfc5f72eeaa6c60412dc8e06769026f407860ac1259668fc61c0e87f1ef7a03434e17d982
+  data.tar.gz: 492e4659338b489d9fcdc3bd315148ec2e1802c6197ce4dc5d7eaf598c918866468387d1a2346bfc30c454605aeaa59aa7d9a4e50bdc08910b24a72c681053dc

data/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+The MIT License
+Copyright (c) 2016 Kickstarter, PBC
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md CHANGED Viewed

@@ -1,4 +1,4 @@
-__Note__: You are viewing the development version README.
+:warning:  You are viewing the development's branch version of README which might contain documentation for unreleased features.
 For the README consistent with the latest released version see https://github.com/rack/rack-attack/blob/6-stable/README.md.
 # Rack::Attack
@@ -10,7 +10,7 @@ Protect your Rails and Rack apps from bad clients. Rack::Attack lets you easily
 See the [Backing & Hacking blog post](https://www.kickstarter.com/backing-and-hacking/rack-attack-protection-from-abusive-clients) introducing Rack::Attack.
 [![Gem Version](https://badge.fury.io/rb/rack-attack.svg)](https://badge.fury.io/rb/rack-attack)
-[![Build Status](https://travis-ci.org/rack/rack-attack.svg?branch=master)](https://travis-ci.org/rack/rack-attack)
+[![build](https://github.com/rack/rack-attack/actions/workflows/build.yml/badge.svg)](https://github.com/rack/rack-attack/actions/workflows/build.yml)
 [![Code Climate](https://codeclimate.com/github/kickstarter/rack-attack.svg)](https://codeclimate.com/github/kickstarter/rack-attack)
 [![Join the chat at https://gitter.im/rack-attack/rack-attack](https://badges.gitter.im/rack-attack/rack-attack.svg)](https://gitter.im/rack-attack/rack-attack)
@@ -312,21 +312,21 @@ Note that `Rack::Attack.cache` is only used for throttling, allow2ban and fail2b
 ## Customizing responses
-Customize the response of blocklisted and throttled requests using an object that adheres to the [Rack app interface](http://www.rubydoc.info/github/rack/rack/file/SPEC).
+Customize the response of blocklisted and throttled requests using an object that adheres to the [Rack app interface](http://www.rubydoc.info/github/rack/rack/file/SPEC.rdoc).
 ```ruby
-Rack::Attack.blocklisted_response = lambda do |env|
+Rack::Attack.blocklisted_responder = lambda do |request|
   # Using 503 because it may make attacker think that they have successfully
   # DOSed the site. Rack::Attack returns 403 for blocklists by default
   [ 503, {}, ['Blocked']]
 end
-Rack::Attack.throttled_response = lambda do |env|
+Rack::Attack.throttled_responder = lambda do |request|
   # NB: you have access to the name and other data about the matched throttle
-  #  env['rack.attack.matched'],
-  #  env['rack.attack.match_type'],
-  #  env['rack.attack.match_data'],
-  #  env['rack.attack.match_discriminator']
+  #  request.env['rack.attack.matched'],
+  #  request.env['rack.attack.match_type'],
+  #  request.env['rack.attack.match_data'],
+  #  request.env['rack.attack.match_discriminator']
   # Using 503 because it may make attacker think that they have successfully
   # DOSed the site. Rack::Attack returns 429 for throttling by default
@@ -347,8 +347,8 @@ Rack::Attack.throttled_response_retry_after_header = true
 Here's an example response that includes conventional `RateLimit-*` headers:
 ```ruby
-Rack::Attack.throttled_response = lambda do |env|
-  match_data = env['rack.attack.match_data']
+Rack::Attack.throttled_responder = lambda do |request|
+  match_data = request.env['rack.attack.match_data']
   now = match_data[:epoch_time]
   headers = {
@@ -407,7 +407,7 @@ for more on how to do this.
 ### Test case isolation
-`Rack::Attack.reset!` can be used in your test suite to clear any Rack::Attack state between different test cases.
+`Rack::Attack.reset!` can be used in your test suite to clear any Rack::Attack state between different test cases. If you're testing blocklist and safelist configurations, consider using `Rack::Attack.clear_configuration` to unset the values for those lists between test cases.
 ## How it works
@@ -427,9 +427,9 @@ def call(env)
   if safelisted?(req)
     @app.call(env)
   elsif blocklisted?(req)
-    self.class.blocklisted_response.call(env)
+    self.class.blocklisted_responder.call(req)
   elsif throttled?(req)
-    self.class.throttled_response.call(env)
+    self.class.throttled_responder.call(req)
   else
     tracked?(req)
     @app.call(env)

data/lib/rack/attack/configuration.rb CHANGED Viewed

@@ -5,22 +5,36 @@ require "ipaddr"
 module Rack
   class Attack
     class Configuration
-      DEFAULT_BLOCKLISTED_RESPONSE = lambda { |_env| [403, { 'Content-Type' => 'text/plain' }, ["Forbidden\n"]] }
+      DEFAULT_BLOCKLISTED_RESPONDER = lambda { |_req| [403, { 'content-type' => 'text/plain' }, ["Forbidden\n"]] }
-      DEFAULT_THROTTLED_RESPONSE = lambda do |env|
+      DEFAULT_THROTTLED_RESPONDER = lambda do |req|
         if Rack::Attack.configuration.throttled_response_retry_after_header
-          match_data = env['rack.attack.match_data']
+          match_data = req.env['rack.attack.match_data']
           now = match_data[:epoch_time]
           retry_after = match_data[:period] - (now % match_data[:period])
-          [429, { 'Content-Type' => 'text/plain', 'Retry-After' => retry_after.to_s }, ["Retry later\n"]]
+          [429, { 'content-type' => 'text/plain', 'retry-after' => retry_after.to_s }, ["Retry later\n"]]
         else
-          [429, { 'Content-Type' => 'text/plain' }, ["Retry later\n"]]
+          [429, { 'content-type' => 'text/plain' }, ["Retry later\n"]]
         end
       end
       attr_reader :safelists, :blocklists, :throttles, :anonymous_blocklists, :anonymous_safelists
-      attr_accessor :blocklisted_response, :throttled_response, :throttled_response_retry_after_header
+      attr_accessor :blocklisted_responder, :throttled_responder, :throttled_response_retry_after_header
+      attr_reader :blocklisted_response, :throttled_response # Keeping these for backwards compatibility
+      def blocklisted_response=(responder)
+        warn "[DEPRECATION] Rack::Attack.blocklisted_response is deprecated. "\
+          "Please use Rack::Attack.blocklisted_responder instead."
+        @blocklisted_response = responder
+      end
+      def throttled_response=(responder)
+        warn "[DEPRECATION] Rack::Attack.throttled_response is deprecated. "\
+          "Please use Rack::Attack.throttled_responder instead"
+        @throttled_response = responder
+      end
       def initialize
         set_defaults
@@ -99,8 +113,12 @@ module Rack
         @anonymous_safelists = []
         @throttled_response_retry_after_header = false
-        @blocklisted_response = DEFAULT_BLOCKLISTED_RESPONSE
-        @throttled_response = DEFAULT_THROTTLED_RESPONSE
+        @blocklisted_responder = DEFAULT_BLOCKLISTED_RESPONDER
+        @throttled_responder = DEFAULT_THROTTLED_RESPONDER
+        # Deprecated: Keeping these for backwards compatibility
+        @blocklisted_response = nil
+        @throttled_response = nil
       end
     end
   end

data/lib/rack/attack/store_proxy/mem_cache_store_proxy.rb CHANGED Viewed

@@ -12,6 +12,10 @@ module Rack
             store.is_a?(::ActiveSupport::Cache::MemCacheStore)
         end
+        def read(name, options = {})
+          super(name, options.merge!(raw: true))
+        end
         def write(name, value, options = {})
           super(name, value, options.merge!(raw: true))
         end

data/lib/rack/attack/store_proxy/redis_proxy.rb CHANGED Viewed

@@ -32,9 +32,9 @@ module Rack
         def increment(key, amount, options = {})
           rescuing do
-            pipelined do
-              incrby(key, amount)
-              expire(key, options[:expires_in]) if options[:expires_in]
+            pipelined do |redis|
+              redis.incrby(key, amount)
+              redis.expire(key, options[:expires_in]) if options[:expires_in]
             end.first
           end
         end

data/lib/rack/attack/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module Rack
   class Attack
-    VERSION = '6.5.0'
+    VERSION = '6.6.1'
   end
 end

data/lib/rack/attack.rb CHANGED Viewed

@@ -66,6 +66,10 @@ module Rack
         :safelist_ip,
         :throttle,
         :track,
+        :throttled_responder,
+        :throttled_responder=,
+        :blocklisted_responder,
+        :blocklisted_responder=,
         :blocklisted_response,
         :blocklisted_response=,
         :throttled_response,
@@ -105,9 +109,19 @@ module Rack
       if configuration.safelisted?(request)
         @app.call(env)
       elsif configuration.blocklisted?(request)
-        configuration.blocklisted_response.call(env)
+        # Deprecated: Keeping blocklisted_response for backwards compatibility
+        if configuration.blocklisted_response
+          configuration.blocklisted_response.call(env)
+        else
+          configuration.blocklisted_responder.call(request)
+        end
       elsif configuration.throttled?(request)
-        configuration.throttled_response.call(env)
+        # Deprecated: Keeping throttled_response for backwards compatibility
+        if configuration.throttled_response
+          configuration.throttled_response.call(env)
+        else
+          configuration.throttled_responder.call(request)
+        end
       else
         configuration.tracked?(request)
         @app.call(env)

data/spec/acceptance/customizing_blocked_response_spec.rb CHANGED Viewed

@@ -14,7 +14,7 @@ describe "Customizing block responses" do
     assert_equal 403, last_response.status
-    Rack::Attack.blocklisted_response = lambda do |_env|
+    Rack::Attack.blocklisted_responder = lambda do |_req|
       [503, {}, ["Blocked"]]
     end
@@ -28,9 +28,9 @@ describe "Customizing block responses" do
     matched = nil
     match_type = nil
-    Rack::Attack.blocklisted_response = lambda do |env|
-      matched = env['rack.attack.matched']
-      match_type = env['rack.attack.match_type']
+    Rack::Attack.blocklisted_responder = lambda do |req|
+      matched = req.env['rack.attack.matched']
+      match_type = req.env['rack.attack.match_type']
       [503, {}, ["Blocked"]]
     end
@@ -40,4 +40,21 @@ describe "Customizing block responses" do
     assert_equal "block 1.2.3.4", matched
     assert_equal :blocklist, match_type
   end
+  it "supports old style" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 403, last_response.status
+    silence_warnings do
+      Rack::Attack.blocklisted_response = lambda do |_env|
+        [503, {}, ["Blocked"]]
+      end
+    end
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 503, last_response.status
+    assert_equal "Blocked", last_response.body
+  end
 end

data/spec/acceptance/customizing_throttled_response_spec.rb CHANGED Viewed

@@ -20,7 +20,7 @@ describe "Customizing throttled response" do
     assert_equal 429, last_response.status
-    Rack::Attack.throttled_response = lambda do |_env|
+    Rack::Attack.throttled_responder = lambda do |_req|
       [503, {}, ["Throttled"]]
     end
@@ -36,11 +36,11 @@ describe "Customizing throttled response" do
     match_data = nil
     match_discriminator = nil
-    Rack::Attack.throttled_response = lambda do |env|
-      matched = env['rack.attack.matched']
-      match_type = env['rack.attack.match_type']
-      match_data = env['rack.attack.match_data']
-      match_discriminator = env['rack.attack.match_discriminator']
+    Rack::Attack.throttled_responder = lambda do |req|
+      matched = req.env['rack.attack.matched']
+      match_type = req.env['rack.attack.match_type']
+      match_data = req.env['rack.attack.match_data']
+      match_discriminator = req.env['rack.attack.match_discriminator']
       [429, {}, ["Throttled"]]
     end
@@ -58,4 +58,25 @@ describe "Customizing throttled response" do
     get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
     assert_equal 3, match_data[:count]
   end
+  it "supports old style" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 200, last_response.status
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 429, last_response.status
+    silence_warnings do
+      Rack::Attack.throttled_response = lambda do |_req|
+        [503, {}, ["Throttled"]]
+      end
+    end
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 503, last_response.status
+    assert_equal "Throttled", last_response.body
+  end
 end

data/spec/acceptance/stores/active_support_dalli_store_spec.rb CHANGED Viewed

@@ -2,7 +2,11 @@
 require_relative "../../spec_helper"
-if defined?(::Dalli)
+should_run =
+  defined?(::Dalli) &&
+  Gem::Version.new(::Dalli::VERSION) < Gem::Version.new("3")
+if should_run
   require_relative "../../support/cache_store_helper"
   require "active_support/cache/dalli_store"
   require "timecop"

data/spec/rack_attack_spec.rb CHANGED Viewed

@@ -64,15 +64,15 @@ describe 'Rack::Attack' do
       end
     end
-    describe '#blocklisted_response' do
+    describe '#blocklisted_responder' do
       it 'should exist' do
-        _(Rack::Attack.blocklisted_response).must_respond_to :call
+        _(Rack::Attack.blocklisted_responder).must_respond_to :call
       end
     end
-    describe '#throttled_response' do
+    describe '#throttled_responder' do
       it 'should exist' do
-        _(Rack::Attack.throttled_response).must_respond_to :call
+        _(Rack::Attack.throttled_responder).must_respond_to :call
       end
     end
   end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-attack
 version: !ruby/object:Gem::Version
-  version: 6.5.0
+  version: 6.6.1
 platform: ruby
 authors:
 - Aaron Suggs
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-02-07 00:00:00.000000000 Z
+date: 2022-04-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -185,7 +185,7 @@ dependencies:
         version: '4.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.2'
+        version: '7.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -195,13 +195,14 @@ dependencies:
         version: '4.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.2'
+        version: '7.1'
 description: A rack middleware for throttling and blocking abusive requests
 email: aaron@ktheory.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- LICENSE
 - README.md
 - Rakefile
 - lib/rack/attack.rb
@@ -272,7 +273,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rack/rack-attack/issues
-  changelog_uri: https://github.com/rack/rack-attack/blob/master/CHANGELOG.md
+  changelog_uri: https://github.com/rack/rack-attack/blob/main/CHANGELOG.md
   source_code_uri: https://github.com/rack/rack-attack
 post_install_message:
 rdoc_options:
@@ -290,7 +291,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.8
+rubygems_version: 3.3.11
 signing_key:
 specification_version: 4
 summary: Block & throttle abusive requests