rack-attack 1.3.1 → 1.3.2

data/README.md CHANGED
@@ -1,10 +1,10 @@
1
1
  # Rack::Attack!!!
2
- *A DSL for blocking & thottling abusive clients*
2
+ *A DSL for blocking & throttling abusive clients*
3
3
 
4
4
  Rack::Attack is a rack middleware to protect your web app from bad clients.
5
- It allows *whitelisting*, *blacklisting*, and *thottling* based on arbitrary properties of the request.
5
+ It allows *whitelisting*, *blacklisting*, and *throttling* based on arbitrary properties of the request.
6
6
 
7
- Thottle state is stored in a configurable cache (e.g. `Rails.cache`), presumably backed by memcached.
7
+ Throttle state is stored in a configurable cache (e.g. `Rails.cache`), presumably backed by memcached.
8
8
 
9
9
  ## Installation
10
10
 
@@ -28,7 +28,7 @@ Optionally configure the cache store for throttling:
28
28
 
29
29
  Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new # defaults to Rails.cache
30
30
 
31
- Note that `Rack::Attack.cache` is only used for throttling, not blacklisting & whitelisting. Your cache store must implement `increment` and `write` like [ActiveSupport::Cache::Store](http://api.rubyonrails.org/classes/ActiveSupport/Cache/Store.html).
31
+ Note that `Rack::Attack.cache` is only used for throttling; not blacklisting & whitelisting. Your cache store must implement `increment` and `write` like [ActiveSupport::Cache::Store](http://api.rubyonrails.org/classes/ActiveSupport/Cache/Store.html).
32
32
 
33
33
  ## How it works
34
34
 
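Review bot: the comma-to-semicolon change on the + line ("only used for throttling; not blacklisting & whitelisting") is a grammatical regression, since a semicolon cannot join a clause to the fragment that follows it; keep the comma, or reword to "is only used for throttling, not for blacklisting or whitelisting". While this sentence is being touched, it would help readers picking a store to say that `increment` must accept an `:expires_in` option, because the cache code in this same release calls `store.increment(key, 1, :expires_in => expires_in)`.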
@@ -40,8 +40,8 @@ The Rack::Attack middleware compares each request against *whitelists*, *blackli
40
40
 
41
41
  ## Usage
42
42
 
43
- Define blacklists, throttles, and whitelists.
44
- Note that `req` is a [Rack::Request](http://rack.rubyforge.org/doc/classes/Rack/Request.html) object.
43
+ Define blacklists, throttles, and whitelists as blocks that return truthy of falsy values.
44
+ A [Rack::Request](http://rack.rubyforge.org/doc/classes/Rack/Request.html) object is passed to the block (named 'req' in the examples).
45
45
 
46
46
  ### Blacklists
47
47
 
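Review bot: the + line introduces a typo: "truthy of falsy values" should read "truthy or falsy values". The new sentence about the block argument is a good addition; consider quoting the name as `req` rather than 'req' so it matches the code-formatted identifiers used elsewhere in the README.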
@@ -53,23 +53,25 @@ Note that `req` is a [Rack::Request](http://rack.rubyforge.org/doc/classes/Rack/
53
53
 
54
54
  # Block logins from a bad user agent
55
55
  Rack::Attack.blacklist('block bad UA logins') do |req|
56
- req.post? && request.path == '/login' && req.user_agent == 'BadUA'
56
+ req.path == '/login' && req.post? && req.user_agent == 'BadUA'
57
57
  end
58
58
 
59
59
  ### Throttles
60
60
 
61
61
  # Throttle requests to 5 requests per second per ip
62
62
  Rack::Attack.throttle('req/ip', :limit => 5, :period => 1.second) do |req|
63
- # If the return value is truthy, the cache key for
64
- # "rack::attack:#{Time.now.to_i/1.second}:req/ip:#{req.ip}"
65
- # is incremented and compared with the limit.
66
- # If falsy, the cache key is neither incremented or checked.
63
+ # If the return value is truthy, the cache key for the return value
64
+ # is incremented and compared with the limit. In this case:
65
+ # "rack::attack:#{Time.now.to_i/1.second}:req/ip:#{req.ip}"
66
+ #
67
+ # If falsy, the cache key is neither incremented nor checked.
68
+
67
69
  req.ip
68
70
  end
69
71
 
70
72
  # Throttle login attempts for a given email parameter to 6 reqs/minute
71
73
  Rack::Attack.throttle('logins/email', :limit => 6, :period => 60.seconds) do |req|
72
- req.post? && request.path == '/login' && req.params['email']
74
+ request.path == '/login' && req.post? && req.params['email']
73
75
  end
74
76
 
75
77
  ### Whitelists
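Review bot: the + line in the `logins/email` throttle example still references `request.path`, which is not defined inside the block (the block receives only `req`), so copying this example into an initializer raises a NameError on the first request; the blacklist example earlier in this hunk already corrects the same mistake to `req.path`. Suggest `req.path == '/login' && req.post? && req.params['email']`. Also, in the rewritten comment, "the cache key for the return value is incremented" reads awkwardly; "the return value is used as the cache key and its counter is incremented" says what the code does.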
@@ -124,7 +126,7 @@ It is impractical if not impossible to block abusive clients completely.
124
126
  Rack::Attack aims to let developers quickly mitigate abusive requests and rely
125
127
  less on short-term, one-off hacks to block a particular attack.
126
128
 
127
- Rack::Attack complements `iptables` and nginx's [limit_zone module](http://wiki.nginx.org/HttpLimitZoneModule).
129
+ Rack::Attack complements tools like iptables and nginx's [limit_zone module](http://wiki.nginx.org/HttpLimitZoneModule).
128
130
 
129
131
  [![Travis CI](https://secure.travis-ci.org/ktheory/rack-attack.png)](http://travis-ci.org/ktheory/rack-attack)
130
132
 
@@ -11,7 +11,7 @@ module Rack
11
11
  def count(unprefixed_key, period)
12
12
  epoch_time = Time.now.to_i
13
13
  expires_in = period - (epoch_time % period)
14
- key = "#{prefix}:#{epoch_time/period}:#{unprefixed_key}"
14
+ key = "#{prefix}:#{(epoch_time/period).to_i}:#{unprefixed_key}"
15
15
  result = store.increment(key, 1, :expires_in => expires_in)
16
16
  # NB: Some stores return nil when incrementing uninitialized values
17
17
  if result.nil?
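Review bot: the added `.to_i` on the + line only changes the key when `period` is not an Integer (Integer division already truncates), so this fix targets Float or Duration periods, yet `expires_in = period - (epoch_time % period)` on the line above keeps the un-truncated arithmetic and the diff carries no test for a non-integer period. Suggest a spec that calls `count` with a Float period and asserts both the key format and the `:expires_in` value passed to `store.increment`. It is also worth documenting in the README that the counter is a fixed window keyed on `epoch_time/period`: a client that sends `limit` requests at the end of one window and `limit` more at the start of the next is not throttled within that span, which matters when the throttle is meant to protect a login endpoint.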
@@ -1,5 +1,5 @@
1
1
  module Rack
2
2
  module Attack
3
- VERSION = '1.3.1'
3
+ VERSION = '1.3.2'
4
4
  end
5
5
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack-attack
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.3.1
4
+ version: 1.3.2
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2012-08-09 00:00:00.000000000 Z
12
+ date: 2012-08-15 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: rack