rack-attack 4.3.0 → 4.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: da0016c3e3d7fee696a96f8f1e3a493b0b197518
-  data.tar.gz: 6b337c7d2ed9c48dbfd4cfc031ab6157fbceda3d
+  metadata.gz: 62911565ba358aadd130a8edf862d1f3ca57786d
+  data.tar.gz: 55876d8afb3bed309bb09a5b1fae357c8d5cdf10
 SHA512:
-  metadata.gz: 1f84ef0262ee5f64ed98d745bedf49f7e8ef38693a3bc8e0eddb643dc7165e881ee11642944cf75d52769e13f6da934be69bf3156c6945e938caa139bf886252
-  data.tar.gz: b952d3bd6061eaf8c7b5172c0b6620d4e3797d383c7a00d9d6d80eef78d470ba3ce8dbb1c57f801f3685164f7076a587236fc5bc3550b433c3771bddbfe589ef
+  metadata.gz: b54245dad4b5101ce8364da45654d650bfe86c2f4e3c85d48e3923b7ca8a31ad5ec61e3938745dedefba3fd117447e522a4207145b086eccf86bf14ba1696643
+  data.tar.gz: 57063639a9c9d6e3884b1a89cbfce044fefebe7dcb4a95f1e025e260db75490a05447d4e7294060aa55531b55d567b9763101debb2119a690c8760b0b94787ec

data/README.md

@@ -4,7 +4,7 @@
 Rack::Attack is a rack middleware to protect your web app from bad clients.
 It allows *whitelisting*, *blacklisting*, *throttling*, and *tracking* based on arbitrary properties of the request.
 
-Throttle state is stored in a configurable cache (e.g. `Rails.cache`), presumably backed by memcached or redis ([at least gem v3.0.0](https://rubygems.org/gems/redis)).
+Throttle and fail2ban state is stored in a configurable cache (e.g. `Rails.cache`), presumably backed by memcached or redis ([at least gem v3.0.0](https://rubygems.org/gems/redis)).
 
 See the [Backing & Hacking blog post](http://www.kickstarter.com/backing-and-hacking/rack-attack-protection-from-abusive-clients) introducing Rack::Attack.
 
@@ -47,13 +47,13 @@ end
 *Tip:* The example in the wiki is a great way to get started:
 [Example Configuration](https://github.com/kickstarter/rack-attack/wiki/Example-Configuration)
 
-Optionally configure the cache store for throttling:
+Optionally configure the cache store for throttling or fail2ban filtering:
 
 ```ruby
 Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new # defaults to Rails.cache
 ```
 
-Note that `Rack::Attack.cache` is only used for throttling; not blacklisting & whitelisting. Your cache store must implement `increment` and `write` like [ActiveSupport::Cache::Store](http://api.rubyonrails.org/classes/ActiveSupport/Cache/Store.html).
+Note that `Rack::Attack.cache` is only used for throttling and fail2ban filtering; not blacklisting & whitelisting. Your cache store must implement `increment` and `write` like [ActiveSupport::Cache::Store](http://api.rubyonrails.org/classes/ActiveSupport/Cache/Store.html).
 
 ## How it works
 
@@ -104,7 +104,7 @@ A [Rack::Request](http://www.rubydoc.info/gems/rack/Rack/Request) object is pass
 # (blacklist & throttles are skipped)
 Rack::Attack.whitelist('allow from localhost') do |req|
   # Requests are allowed if the return value is truthy
-  '127.0.0.1' == req.ip
+  '127.0.0.1' == req.ip || '::1' == req.ip
 end
 ```
 
@@ -128,21 +128,27 @@ end
 `Fail2Ban.filter` can be used within a blacklist to block all requests from misbehaving clients.
 This pattern is inspired by [fail2ban](http://www.fail2ban.org/wiki/index.php/Main_Page).
 See the [fail2ban documentation](http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Jail_Options) for more details on
-how the parameters work.
+how the parameters work.  For multiple filters, be sure to put each filter in a separate blacklist and use a unique discriminator for each fail2ban filter.
 
 ```ruby
-# Block requests containing '/etc/password' in the params.
+# Block suspicious requests for '/etc/password' or wordpress specific paths.
 # After 3 blocked requests in 10 minutes, block all requests from that IP for 5 minutes.
 Rack::Attack.blacklist('fail2ban pentesters') do |req|
   # `filter` returns truthy value if request fails, or if it's from a previously banned IP
   # so the request is blocked
-  Rack::Attack::Fail2Ban.filter(req.ip, :maxretry => 3, :findtime => 10.minutes, :bantime => 5.minutes) do
-    # The count for the IP is incremented if the return value is truthy.
-    CGI.unescape(req.query_string) =~ %r{/etc/passwd}
+  Rack::Attack::Fail2Ban.filter("pentesters-#{req.ip}", :maxretry => 3, :findtime => 10.minutes, :bantime => 5.minutes) do
+    # The count for the IP is incremented if the return value is truthy
+    CGI.unescape(req.query_string) =~ %r{/etc/passwd} || 
+    req.path.include?('/etc/passwd') ||
+    req.path.include?('wp-admin') || 
+    req.path.include?('wp-login')
+    
   end
 end
 ```
 
+Note that `Fail2Ban` filters are not automatically scoped to the blacklist, so when using multiple filters in an application the scoping must be added to the discriminator e.g. `"pentest:#{req.ip}"`.
+
 #### Allow2Ban
 `Allow2Ban.filter` works the same way as the `Fail2Ban.filter` except that it *allows* requests from misbehaving
 clients until such time as they reach maxretry at which they are cut off as per normal.
@@ -283,6 +289,12 @@ It is impractical if not impossible to block abusive clients completely.
 Rack::Attack aims to let developers quickly mitigate abusive requests and rely
 less on short-term, one-off hacks to block a particular attack.
 
+## Contributing
+
+Pull requests and issues are greatly appreciated. This project is intended to be
+a safe, welcoming space for collaboration, and contributors are expected to
+adhere to the [Code of Conduct](CODE_OF_CONDUCT.md).
+
 ## Mailing list
 
 New releases of Rack::Attack are announced on

data/lib/rack/attack.rb

@@ -3,6 +3,7 @@ require 'forwardable'
 
 class Rack::Attack
   autoload :Cache,           'rack/attack/cache'
+  autoload :PathNormalizer,  'rack/attack/path_normalizer'
   autoload :Check,           'rack/attack/check'
   autoload :Throttle,        'rack/attack/throttle'
   autoload :Whitelist,       'rack/attack/whitelist'
@@ -91,6 +92,7 @@ class Rack::Attack
   end
 
   def call(env)
+    env['PATH_INFO'] = PathNormalizer.normalize_path(env['PATH_INFO'])
     req = Rack::Attack::Request.new(env)
 
     if whitelisted?(req)

data/lib/rack/attack/path_normalizer.rb

@@ -0,0 +1,27 @@
+class Rack::Attack
+
+  # When using Rack::Attack with a Rails app, developers expect the request path
+  # to be normalized. In particular, trailing slashes are stripped.
+  # (See http://git.io/v0rrR for implementation.)
+  #
+  # Look for an ActionDispatch utility class that Rails folks would expect
+  # to normalize request paths. If unavailable, use a fallback class that
+  # doesn't normalize the path (as a non-Rails rack app developer expects).
+
+  module FallbackPathNormalizer
+    def self.normalize_path(path)
+      path
+    end
+  end
+
+  PathNormalizer = if defined?(::ActionDispatch::Journey::Router::Utils)
+                 # For Rails 4+ apps
+                 ::ActionDispatch::Journey::Router::Utils
+               elsif defined?(::Journey::Router::Utils)
+                 # for Rails 3.2
+                 ::Journey::Router::Utils
+               else
+                 FallbackPathNormalizer
+               end
+
+end

data/lib/rack/attack/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class Attack
-    VERSION = '4.3.0'
+    VERSION = '4.3.1'
   end
 end

data/spec/rack_attack_path_normalizer_spec.rb

@@ -0,0 +1,17 @@
+require_relative 'spec_helper'
+
+describe Rack::Attack::PathNormalizer do
+  subject { Rack::Attack::PathNormalizer }
+
+  it 'should have a normalize_path method' do
+    subject.normalize_path('/foo').must_equal '/foo'
+  end
+
+  describe 'FallbackNormalizer' do
+    subject { Rack::Attack::FallbackPathNormalizer }
+
+    it '#normalize_path does not change the path' do
+      subject.normalize_path('').must_equal ''
+    end
+  end
+end

data/spec/rack_attack_spec.rb

@@ -3,6 +3,17 @@ require_relative 'spec_helper'
 describe 'Rack::Attack' do
   allow_ok_requests
 
+  describe 'normalizing paths' do
+    before do
+      Rack::Attack.blacklist("banned_path") {|req| req.path == '/foo' }
+    end
+
+    it 'blocks requests with trailing slash' do
+      get '/foo/'
+      last_response.status.must_equal 403
+    end
+  end
+
   describe 'blacklist' do
     before do
       @bad_ip = '1.2.3.4'

data/spec/spec_helper.rb

@@ -5,12 +5,17 @@ require "minitest/autorun"
 require "minitest/pride"
 require "rack/test"
 require 'active_support'
+require 'action_dispatch'
+
+# Load Journey for Rails 3.2
+require 'journey' if ActionPack::VERSION::MAJOR == 3
+
 require "rack/attack"
 
 begin
-  require 'debugger'
+  require 'pry'
 rescue LoadError
- #nothing to do here
+  #nothing to do here
 end
 
 class MiniTest::Spec

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-attack
 version: !ruby/object:Gem::Version
-  version: 4.3.0
+  version: 4.3.1
 platform: ruby
 authors:
 - Aaron Suggs
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-05-22 00:00:00.000000000 Z
+date: 2015-12-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -94,6 +94,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 3.0.0
+- !ruby/object:Gem::Dependency
+  name: actionpack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
 - !ruby/object:Gem::Dependency
   name: redis-activesupport
   requirement: !ruby/object:Gem::Requirement
@@ -150,6 +164,7 @@ files:
 - lib/rack/attack/cache.rb
 - lib/rack/attack/check.rb
 - lib/rack/attack/fail2ban.rb
+- lib/rack/attack/path_normalizer.rb
 - lib/rack/attack/request.rb
 - lib/rack/attack/store_proxy.rb
 - lib/rack/attack/store_proxy/dalli_proxy.rb
@@ -163,6 +178,7 @@ files:
 - spec/integration/offline_spec.rb
 - spec/integration/rack_attack_cache_spec.rb
 - spec/rack_attack_dalli_proxy_spec.rb
+- spec/rack_attack_path_normalizer_spec.rb
 - spec/rack_attack_request_spec.rb
 - spec/rack_attack_spec.rb
 - spec/rack_attack_throttle_spec.rb
@@ -181,7 +197,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 1.9.2
+      version: 2.0.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
@@ -189,7 +205,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5
+rubygems_version: 2.4.5.1
 signing_key: 
 specification_version: 4
 summary: Block & throttle abusive requests
@@ -199,6 +215,7 @@ test_files:
 - spec/integration/offline_spec.rb
 - spec/integration/rack_attack_cache_spec.rb
 - spec/rack_attack_dalli_proxy_spec.rb
+- spec/rack_attack_path_normalizer_spec.rb
 - spec/rack_attack_request_spec.rb
 - spec/rack_attack_spec.rb
 - spec/rack_attack_throttle_spec.rb