rack-attack 6.6.1 → 6.7.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: '0399127f00624959bafee349ab2e6010acda84373c3df24ff18c3ff701a6c274'
4
- data.tar.gz: 88bbb4465f8b7ecd0f82d9ad7217a66da96bb829c6982b0151ea2c19b5bba3c5
3
+ metadata.gz: 5ea46a4cc03f800f7d841d6e2fafb387f47514ba4eb9e89c2a0f84bbeeaa6fea
4
+ data.tar.gz: 355b0da550c98fd1c79c9aaef19bb2f651bdf941cf0f7feaec1e75c50a3d56f1
5
5
  SHA512:
6
- metadata.gz: 5a4d3d278b7c814c909ae0e01128f076f2ffcda003a56f688d803ccdfc5f72eeaa6c60412dc8e06769026f407860ac1259668fc61c0e87f1ef7a03434e17d982
7
- data.tar.gz: 492e4659338b489d9fcdc3bd315148ec2e1802c6197ce4dc5d7eaf598c918866468387d1a2346bfc30c454605aeaa59aa7d9a4e50bdc08910b24a72c681053dc
6
+ metadata.gz: 8b9965c215ce6fced981d2863496b8060282fd35b9134d867772adc848612c97cd37227d1a16bf20def74bd88d96c07744bd23ac4344e3cb173065c7ad3f47b4
7
+ data.tar.gz: 9f4cc8f537454a521a154f1dfa8c102831f901c89c485b769156c91107a193391f7cddeab9f0fbdf195ca49da24bb16478a7c090cc2b23c69ff20aa9d666f5fa
data/README.md CHANGED
@@ -305,10 +305,15 @@ end
305
305
  Throttle, allow2ban and fail2ban state is stored in a configurable cache (which defaults to `Rails.cache` if present), presumably backed by memcached or redis ([at least gem v3.0.0](https://rubygems.org/gems/redis)).
306
306
 
307
307
  ```ruby
308
- Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new # defaults to Rails.cache
308
+ # This is the default
309
+ Rack::Attack.cache.store = Rails.cache
310
+ # It is recommended to use a separate database for throttling/allow2ban/fail2ban.
311
+ Rack::Attack.cache.store = ActiveSupport::Cache::RedisCacheStore.new(url: "...")
309
312
  ```
310
313
 
311
- Note that `Rack::Attack.cache` is only used for throttling, allow2ban and fail2ban filtering; not blocklisting and safelisting. Your cache store must implement `increment` and `write` like [ActiveSupport::Cache::Store](http://api.rubyonrails.org/classes/ActiveSupport/Cache/Store.html).
314
+ Most applications should use a new, separate database used only for `rack-attack`. During an actual attack or periods of heavy load, this database will come under heavy load. Keeping it on a separate database instance will give you additional resilience and make sure that other functions (like caching for your application) don't go down.
315
+
316
+ Note that `Rack::Attack.cache` is only used for throttling, allow2ban and fail2ban filtering; not blocklisting and safelisting. Your cache store must implement `increment` and `write` like [ActiveSupport::Cache::Store](http://api.rubyonrails.org/classes/ActiveSupport/Cache/Store.html). This means that other cache stores which inherit from ActiveSupport::Cache::Store are also compatible. In-memory stores which are not backed by an external database, such as `ActiveSupport::Cache::MemoryStore.new`, will be mostly ineffective because each Ruby process in your deployment will have it's own state, effectively multiplying the number of requests each client can make by the number of Ruby processes you have deployed.
312
317
 
313
318
  ## Customizing responses
314
319
 
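Review bot: the two consecutive assignments under `# This is the default` read as one snippet, so a reader who pastes the block sets `Rails.cache` and then immediately overwrites it with the Redis store; comment out the first assignment or split them into two fences, and mark `url: "..."` as a placeholder to fill in. Also fix the typo `it's own state` to `its own state` in the MemoryStore paragraph. The MemoryStore warning is the important security point of this hunk: a throttle backed by process-local memory lets each client make the configured limit times the number of Ruby processes, so it deserves its own emphasized sentence rather than being buried at the end of the paragraph.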
@@ -6,8 +6,14 @@ module Rack
6
6
  attr_accessor :prefix
7
7
  attr_reader :last_epoch_time
8
8
 
9
- def initialize
10
- self.store = ::Rails.cache if defined?(::Rails.cache)
9
+ def self.default_store
10
+ if Object.const_defined?(:Rails) && Rails.respond_to?(:cache)
11
+ ::Rails.cache
12
+ end
13
+ end
14
+
15
+ def initialize(store: self.class.default_store)
16
+ self.store = store
11
17
  @prefix = 'rack::attack'
12
18
  end
13
19
 
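Review bot: `default_store` returns nil when Rails is absent, and `initialize(store: self.class.default_store)` then leaves `self.store` nil, so the first `increment` or `write` raises NoMethodError on nil instead of a clear error; consider raising with a message telling the user to set `Rack::Attack.cache.store`. Minor: the guard uses bare `Rails` while the return value uses `::Rails`; `::Rails.respond_to?(:cache)` keeps the constant lookup consistent.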
@@ -62,7 +68,7 @@ module Rack
62
68
 
63
69
  def key_and_expiry(unprefixed_key, period)
64
70
  @last_epoch_time = Time.now.to_i
65
- # Add 1 to expires_in to avoid timing error: https://git.io/i1PHXA
71
+ # Add 1 to expires_in to avoid timing error: https://github.com/rack/rack-attack/pull/85
66
72
  expires_in = (period - (@last_epoch_time % period) + 1).to_i
67
73
  ["#{prefix}:#{(@last_epoch_time / period).to_i}:#{unprefixed_key}", expires_in]
68
74
  end
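Review bot: replacing the git.io short link with the full GitHub PR URL is the right fix since git.io redirects were retired, and no logic changes in this hunk; while the comment is being touched, spelling out why the extra second is added (so a key cannot expire before its period window ends) would save readers a trip to the PR.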
@@ -4,7 +4,9 @@ module Rack
4
4
  class Attack
5
5
  # When using Rack::Attack with a Rails app, developers expect the request path
6
6
  # to be normalized. In particular, trailing slashes are stripped.
7
- # (See https://git.io/v0rrR for implementation.)
7
+ # (See
8
+ # https://github.com/rails/rails/blob/f8edd20/actionpack/lib/action_dispatch/journey/router/utils.rb#L5-L22
9
+ # for implementation.)
8
10
  #
9
11
  # Look for an ActionDispatch utility class that Rails folks would expect
10
12
  # to normalize request paths. If unavailable, use a fallback class that
@@ -1,5 +1,11 @@
1
1
  # frozen_string_literal: true
2
2
 
3
+ begin
4
+ require 'rails/railtie'
5
+ rescue LoadError
6
+ return
7
+ end
8
+
3
9
  module Rack
4
10
  class Attack
5
11
  class Railtie < ::Rails::Railtie
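Review bot: the top-level `return` inside `rescue LoadError` silently aborts loading of this file when railties is not installed; a bare `return` at file scope is only valid on Ruby 2.4 and later, so confirm the gem's required Ruby version, and add a one-line comment saying the Railtie is intentionally skipped outside Rails so the `return` is not mistaken for a stray line.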
@@ -2,6 +2,6 @@
2
2
 
3
3
  module Rack
4
4
  class Attack
5
- VERSION = '6.6.1'
5
+ VERSION = '6.7.0'
6
6
  end
7
7
  end
@@ -2,7 +2,7 @@
2
2
 
3
3
  require_relative "../spec_helper"
4
4
 
5
- if defined?(Rails)
5
+ if defined?(Rails::Application)
6
6
  describe "Middleware for Rails" do
7
7
  before do
8
8
  @app = Class.new(Rails::Application) do
@@ -1,6 +1,7 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require_relative "spec_helper"
4
+ require 'active_support'
4
5
 
5
6
  # ActiveSupport::Subscribers added in ~> 4.0.2.0
6
7
  if ActiveSupport::VERSION::MAJOR > 3
@@ -11,6 +11,10 @@ describe 'Rack::Attack' do
11
11
  end
12
12
 
13
13
  it 'blocks requests with trailing slash' do
14
+ if Rack::Attack::PathNormalizer == Rack::Attack::FallbackPathNormalizer
15
+ skip "Normalization is only present on Rails"
16
+ end
17
+
14
18
  get '/foo/'
15
19
  _(last_response.status).must_equal 403
16
20
  end
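Review bot: skipping when `PathNormalizer == FallbackPathNormalizer` is correct for the test, but it documents a caveat the README should state: outside Rails, `/foo/` is not normalized to `/foo`, so a blocklist or throttle matched on an exact path does not cover the trailing-slash variant; non-Rails users should normalize or prefix-match the path in their own rules.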
data/spec/spec_helper.rb CHANGED
@@ -5,8 +5,7 @@ require "bundler/setup"
5
5
  require "minitest/autorun"
6
6
  require "minitest/pride"
7
7
  require "rack/test"
8
- require "rails"
9
-
8
+ require "active_support"
10
9
  require "rack/attack"
11
10
 
12
11
  if RUBY_ENGINE == "ruby"
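Review bot: with `require "rails"` gone and only `active_support` loaded here, `defined?(Rails::Application)` in the Rails middleware spec is false unless an appraisal gemfile pulls railties in, so that spec file becomes a silent no-op in the plain bundle; make sure CI runs the Rails appraisal so the Rails-specific behaviour (trailing-slash normalization, the `Rails.cache` default store) stays covered.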
@@ -29,7 +28,9 @@ class MiniTest::Spec
29
28
  include Rack::Test::Methods
30
29
 
31
30
  before do
32
- Rails.cache = nil
31
+ if Object.const_defined?(:Rails) && Rails.respond_to?(:cache)
32
+ Rails.cache.clear
33
+ end
33
34
  end
34
35
 
35
36
  after do
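Review bot: `Rails.respond_to?(:cache)` does not guarantee `Rails.cache` is non-nil (the previous setup explicitly assigned nil), so `Rails.cache.clear` can raise NoMethodError; use `Rails.cache&.clear` or add a nil check. Clearing between examples instead of nulling the store is the better isolation, since leftover throttle counters would otherwise leak from one example into the next.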
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack-attack
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.6.1
4
+ version: 6.7.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Aaron Suggs
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-04-14 00:00:00.000000000 Z
11
+ date: 2023-07-26 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rack
@@ -19,7 +19,7 @@ dependencies:
19
19
  version: '1.0'
20
20
  - - "<"
21
21
  - !ruby/object:Gem::Version
22
- version: '3'
22
+ version: '4'
23
23
  type: :runtime
24
24
  prerelease: false
25
25
  version_requirements: !ruby/object:Gem::Requirement
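Review bot: widening the rack constraint from `< 3` to `< 4` admits rack 3.x, a major release with breaking changes, so this should only land if the test matrix (the appraisal dev dependency) actually exercises rack 3; otherwise keep `< 3` until it does.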
@@ -29,7 +29,7 @@ dependencies:
29
29
  version: '1.0'
30
30
  - - "<"
31
31
  - !ruby/object:Gem::Version
32
- version: '3'
32
+ version: '4'
33
33
  - !ruby/object:Gem::Dependency
34
34
  name: appraisal
35
35
  requirement: !ruby/object:Gem::Requirement
@@ -98,14 +98,14 @@ dependencies:
98
98
  requirements:
99
99
  - - "~>"
100
100
  - !ruby/object:Gem::Version
101
- version: '1.0'
101
+ version: '2.0'
102
102
  type: :development
103
103
  prerelease: false
104
104
  version_requirements: !ruby/object:Gem::Requirement
105
105
  requirements:
106
106
  - - "~>"
107
107
  - !ruby/object:Gem::Version
108
- version: '1.0'
108
+ version: '2.0'
109
109
  - !ruby/object:Gem::Dependency
110
110
  name: rake
111
111
  requirement: !ruby/object:Gem::Requirement
@@ -177,25 +177,19 @@ dependencies:
177
177
  - !ruby/object:Gem::Version
178
178
  version: '11.0'
179
179
  - !ruby/object:Gem::Dependency
180
- name: railties
180
+ name: activesupport
181
181
  requirement: !ruby/object:Gem::Requirement
182
182
  requirements:
183
183
  - - ">="
184
184
  - !ruby/object:Gem::Version
185
- version: '4.2'
186
- - - "<"
187
- - !ruby/object:Gem::Version
188
- version: '7.1'
185
+ version: '0'
189
186
  type: :development
190
187
  prerelease: false
191
188
  version_requirements: !ruby/object:Gem::Requirement
192
189
  requirements:
193
190
  - - ">="
194
191
  - !ruby/object:Gem::Version
195
- version: '4.2'
196
- - - "<"
197
- - !ruby/object:Gem::Version
198
- version: '7.1'
192
+ version: '0'
199
193
  description: A rack middleware for throttling and blocking abusive requests
200
194
  email: aaron@ktheory.com
201
195
  executables: []
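Review bot: replacing the `railties` development dependency bounded to `>= 4.2, < 7.1` with `activesupport >= 0` drops every bound; an unbounded dev dependency means a future activesupport major can break the suite with no signal from the gemspec, so keep at least a lower bound matching the oldest version the specs support.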
@@ -275,7 +269,7 @@ metadata:
275
269
  bug_tracker_uri: https://github.com/rack/rack-attack/issues
276
270
  changelog_uri: https://github.com/rack/rack-attack/blob/main/CHANGELOG.md
277
271
  source_code_uri: https://github.com/rack/rack-attack
278
- post_install_message:
272
+ post_install_message:
279
273
  rdoc_options:
280
274
  - "--charset=UTF-8"
281
275
  require_paths:
@@ -291,8 +285,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
291
285
  - !ruby/object:Gem::Version
292
286
  version: '0'
293
287
  requirements: []
294
- rubygems_version: 3.3.11
295
- signing_key:
288
+ rubygems_version: 3.4.10
289
+ signing_key:
296
290
  specification_version: 4
297
291
  summary: Block & throttle abusive requests
298
292
  test_files: