RubyGems - rack-attack - Versions diffs - 6.6.1 → 6.7.0 - Mend

rack-attack 6.6.1 → 6.7.0

Files changed (11) hide show

checksums.yaml +4 -4
data/README.md +7 -2
data/lib/rack/attack/cache.rb +9 -3
data/lib/rack/attack/path_normalizer.rb +3 -1
data/lib/rack/attack/railtie.rb +6 -0
data/lib/rack/attack/version.rb +1 -1
data/spec/acceptance/rails_middleware_spec.rb +1 -1
data/spec/rack_attack_instrumentation_spec.rb +1 -0
data/spec/rack_attack_spec.rb +4 -0
data/spec/spec_helper.rb +4 -3
metadata +13 -19

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '0399127f00624959bafee349ab2e6010acda84373c3df24ff18c3ff701a6c274'
-  data.tar.gz: 88bbb4465f8b7ecd0f82d9ad7217a66da96bb829c6982b0151ea2c19b5bba3c5
+  metadata.gz: 5ea46a4cc03f800f7d841d6e2fafb387f47514ba4eb9e89c2a0f84bbeeaa6fea
+  data.tar.gz: 355b0da550c98fd1c79c9aaef19bb2f651bdf941cf0f7feaec1e75c50a3d56f1
 SHA512:
-  metadata.gz: 5a4d3d278b7c814c909ae0e01128f076f2ffcda003a56f688d803ccdfc5f72eeaa6c60412dc8e06769026f407860ac1259668fc61c0e87f1ef7a03434e17d982
-  data.tar.gz: 492e4659338b489d9fcdc3bd315148ec2e1802c6197ce4dc5d7eaf598c918866468387d1a2346bfc30c454605aeaa59aa7d9a4e50bdc08910b24a72c681053dc
+  metadata.gz: 8b9965c215ce6fced981d2863496b8060282fd35b9134d867772adc848612c97cd37227d1a16bf20def74bd88d96c07744bd23ac4344e3cb173065c7ad3f47b4
+  data.tar.gz: 9f4cc8f537454a521a154f1dfa8c102831f901c89c485b769156c91107a193391f7cddeab9f0fbdf195ca49da24bb16478a7c090cc2b23c69ff20aa9d666f5fa

data/README.md CHANGED Viewed

@@ -305,10 +305,15 @@ end
 Throttle, allow2ban and fail2ban state is stored in a configurable cache (which defaults to `Rails.cache` if present), presumably backed by memcached or redis ([at least gem v3.0.0](https://rubygems.org/gems/redis)).
 ```ruby
-Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new # defaults to Rails.cache
+# This is the default
+Rack::Attack.cache.store = Rails.cache
+# It is recommended to use a separate database for throttling/allow2ban/fail2ban.
+Rack::Attack.cache.store = ActiveSupport::Cache::RedisCacheStore.new(url: "...")
 ```
-Note that `Rack::Attack.cache` is only used for throttling, allow2ban and fail2ban filtering; not blocklisting and safelisting. Your cache store must implement `increment` and `write` like [ActiveSupport::Cache::Store](http://api.rubyonrails.org/classes/ActiveSupport/Cache/Store.html).
+Most applications should use a new, separate database used only for `rack-attack`. During an actual attack or periods of heavy load, this database will come under heavy load. Keeping it on a separate database instance will give you additional resilience and make sure that other functions (like caching for your application) don't go down.
+Note that `Rack::Attack.cache` is only used for throttling, allow2ban and fail2ban filtering; not blocklisting and safelisting. Your cache store must implement `increment` and `write` like [ActiveSupport::Cache::Store](http://api.rubyonrails.org/classes/ActiveSupport/Cache/Store.html). This means that other cache stores which inherit from ActiveSupport::Cache::Store are also compatible. In-memory stores which are not backed by an external database, such as `ActiveSupport::Cache::MemoryStore.new`, will be mostly ineffective because each Ruby process in your deployment will have it's own state, effectively multiplying the number of requests each client can make by the number of Ruby processes you have deployed.
 ## Customizing responses

data/lib/rack/attack/cache.rb CHANGED Viewed

@@ -6,8 +6,14 @@ module Rack
       attr_accessor :prefix
       attr_reader :last_epoch_time
-      def initialize
-        self.store = ::Rails.cache if defined?(::Rails.cache)
+      def self.default_store
+        if Object.const_defined?(:Rails) && Rails.respond_to?(:cache)
+          ::Rails.cache
+        end
+      end
+      def initialize(store: self.class.default_store)
+        self.store = store
         @prefix = 'rack::attack'
       end
@@ -62,7 +68,7 @@ module Rack
       def key_and_expiry(unprefixed_key, period)
         @last_epoch_time = Time.now.to_i
-        # Add 1 to expires_in to avoid timing error: https://git.io/i1PHXA
+        # Add 1 to expires_in to avoid timing error: https://github.com/rack/rack-attack/pull/85
         expires_in = (period - (@last_epoch_time % period) + 1).to_i
         ["#{prefix}:#{(@last_epoch_time / period).to_i}:#{unprefixed_key}", expires_in]
       end

data/lib/rack/attack/path_normalizer.rb CHANGED Viewed

@@ -4,7 +4,9 @@ module Rack
   class Attack
     # When using Rack::Attack with a Rails app, developers expect the request path
     # to be normalized. In particular, trailing slashes are stripped.
-    # (See https://git.io/v0rrR for implementation.)
+    # (See
+    # https://github.com/rails/rails/blob/f8edd20/actionpack/lib/action_dispatch/journey/router/utils.rb#L5-L22
+    # for implementation.)
     #
     # Look for an ActionDispatch utility class that Rails folks would expect
     # to normalize request paths. If unavailable, use a fallback class that

data/lib/rack/attack/railtie.rb CHANGED Viewed

@@ -1,5 +1,11 @@
 # frozen_string_literal: true
+begin
+  require 'rails/railtie'
+rescue LoadError
+  return
+end
 module Rack
   class Attack
     class Railtie < ::Rails::Railtie

data/lib/rack/attack/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module Rack
   class Attack
-    VERSION = '6.6.1'
+    VERSION = '6.7.0'
   end
 end

data/spec/acceptance/rails_middleware_spec.rb CHANGED Viewed

@@ -2,7 +2,7 @@
 require_relative "../spec_helper"
-if defined?(Rails)
+if defined?(Rails::Application)
   describe "Middleware for Rails" do
     before do
       @app = Class.new(Rails::Application) do

data/spec/rack_attack_instrumentation_spec.rb CHANGED Viewed

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 require_relative "spec_helper"
+require 'active_support'
 # ActiveSupport::Subscribers added in ~> 4.0.2.0
 if ActiveSupport::VERSION::MAJOR > 3

data/spec/rack_attack_spec.rb CHANGED Viewed

@@ -11,6 +11,10 @@ describe 'Rack::Attack' do
     end
     it 'blocks requests with trailing slash' do
+      if Rack::Attack::PathNormalizer == Rack::Attack::FallbackPathNormalizer
+        skip "Normalization is only present on Rails"
+      end
       get '/foo/'
       _(last_response.status).must_equal 403
     end

data/spec/spec_helper.rb CHANGED Viewed

@@ -5,8 +5,7 @@ require "bundler/setup"
 require "minitest/autorun"
 require "minitest/pride"
 require "rack/test"
-require "rails"
+require "active_support"
 require "rack/attack"
 if RUBY_ENGINE == "ruby"
@@ -29,7 +28,9 @@ class MiniTest::Spec
   include Rack::Test::Methods
   before do
-    Rails.cache = nil
+    if Object.const_defined?(:Rails) && Rails.respond_to?(:cache)
+      Rails.cache.clear
+    end
   end
   after do

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-attack
 version: !ruby/object:Gem::Version
-  version: 6.6.1
+  version: 6.7.0
 platform: ruby
 authors:
 - Aaron Suggs
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-04-14 00:00:00.000000000 Z
+date: 2023-07-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -19,7 +19,7 @@ dependencies:
         version: '1.0'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '3'
+        version: '4'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -29,7 +29,7 @@ dependencies:
         version: '1.0'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '3'
+        version: '4'
 - !ruby/object:Gem::Dependency
   name: appraisal
   requirement: !ruby/object:Gem::Requirement
@@ -98,14 +98,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -177,25 +177,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '11.0'
 - !ruby/object:Gem::Dependency
-  name: railties
+  name: activesupport
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4.2'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '7.1'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4.2'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '7.1'
+        version: '0'
 description: A rack middleware for throttling and blocking abusive requests
 email: aaron@ktheory.com
 executables: []
@@ -275,7 +269,7 @@ metadata:
   bug_tracker_uri: https://github.com/rack/rack-attack/issues
   changelog_uri: https://github.com/rack/rack-attack/blob/main/CHANGELOG.md
   source_code_uri: https://github.com/rack/rack-attack
-post_install_message:
+post_install_message:
 rdoc_options:
 - "--charset=UTF-8"
 require_paths:
@@ -291,8 +285,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.11
-signing_key:
+rubygems_version: 3.4.10
+signing_key:
 specification_version: 4
 summary: Block & throttle abusive requests
 test_files: