rack-attack 4.4.1 → 5.0.0.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b35131dd58c3ab63a32c6ebeba00cd203c207973
-  data.tar.gz: 86113382083a32cec8f0c3a5ed67d45b8a797bba
+  metadata.gz: f610566e30822bb7e044db96673364461ab144bc
+  data.tar.gz: 0c455cc58bdc60917bcf26f8d9a50323c96f9237
 SHA512:
-  metadata.gz: f9b12687222d55512bc1958b56e50b04f2bd87099a3806539df170d321db1e32b992bcff13f18b95875259448a0193f6caf5f5ba63caca0a6a018847a43dfbd3
-  data.tar.gz: 227b3c795cf86843e607ec36cb0c5a5ef3bdfe31ffdc7f30788bf935f716129d51574c326f2b29a542955e028b45a28ff282b13d4277e2233cb93842c1cb2d63
+  metadata.gz: 23256e856a36a8a0b37d2617f33ef2ba21032de6053a062d77f2ac035c5e5bde34c463c44d2d3b1c0546b079d7a01a0e005be0cf142d54870eaef64af4f56c6e
+  data.tar.gz: 9645bcc5b224881e1348e4c97e8ada425ea768c0d7e851c3d022863ba6a01bb31b9e0b942e35c914152ee17775c4d305f893820f3df32392d1d46dd372670371

data/README.md

@@ -2,7 +2,7 @@
 *Rack middleware for blocking & throttling abusive requests*
 
 Rack::Attack is a rack middleware to protect your web app from bad clients.
-It allows *whitelisting*, *blacklisting*, *throttling*, and *tracking* based on arbitrary properties of the request.
+It allows *safelisting*, *blocklisting*, *throttling*, and *tracking* based on arbitrary properties of the request.
 
 Throttle and fail2ban state is stored in a configurable cache (e.g. `Rails.cache`), presumably backed by memcached or redis ([at least gem v3.0.0](https://rubygems.org/gems/redis)).
 
@@ -53,14 +53,14 @@ Optionally configure the cache store for throttling or fail2ban filtering:
 Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new # defaults to Rails.cache
 ```
 
-Note that `Rack::Attack.cache` is only used for throttling and fail2ban filtering; not blacklisting & whitelisting. Your cache store must implement `increment` and `write` like [ActiveSupport::Cache::Store](http://api.rubyonrails.org/classes/ActiveSupport/Cache/Store.html).
+Note that `Rack::Attack.cache` is only used for throttling and fail2ban filtering; not blocklisting & safelisting. Your cache store must implement `increment` and `write` like [ActiveSupport::Cache::Store](http://api.rubyonrails.org/classes/ActiveSupport/Cache/Store.html).
 
 ## How it works
 
-The Rack::Attack middleware compares each request against *whitelists*, *blacklists*, *throttles*, and *tracks* that you define. There are none by default.
+The Rack::Attack middleware compares each request against *safelists*, *blocklists*, *throttles*, and *tracks* that you define. There are none by default.
 
- * If the request matches any **whitelist**, it is allowed.
- * Otherwise, if the request matches any **blacklist**, it is blocked.
+ * If the request matches any **safelist**, it is allowed.
+ * Otherwise, if the request matches any **blocklist**, it is blocked.
  * Otherwise, if the request matches any **throttle**, a counter is incremented in the Rack::Attack.cache. If any throttle's limit is exceeded, the request is blocked.
  * Otherwise, all **tracks** are checked, and the request is allowed.
 
@@ -70,10 +70,10 @@ The algorithm is actually more concise in code: See [Rack::Attack.call](https://
 def call(env)
   req = Rack::Attack::Request.new(env)
 
-  if whitelisted?(req)
+  if safelisted?(req)
     @app.call(env)
-  elsif blacklisted?(req)
-    self.class.blacklisted_response.call(env)
+  elsif blocklisted?(req)
+    self.class.blocklisted_response.call(env)
   elsif throttled?(req)
     self.class.throttled_response.call(env)
   else
@@ -93,61 +93,61 @@ can cleanly monkey patch helper methods onto the
 
 ## Usage
 
-Define whitelists, blacklists, throttles, and tracks as blocks that return truthy values if matched, falsy otherwise. In a Rails app
+Define safelists, blocklists, throttles, and tracks as blocks that return truthy values if matched, falsy otherwise. In a Rails app
 these go in an initializer in `config/initializers/`.
 A [Rack::Request](http://www.rubydoc.info/gems/rack/Rack/Request) object is passed to the block (named 'req' in the examples).
 
-### Whitelists
+### Safelists
 
 ```ruby
 # Always allow requests from localhost
-# (blacklist & throttles are skipped)
-Rack::Attack.whitelist('allow from localhost') do |req|
+# (blocklist & throttles are skipped)
+Rack::Attack.safelist('allow from localhost') do |req|
   # Requests are allowed if the return value is truthy
   '127.0.0.1' == req.ip || '::1' == req.ip
 end
 ```
 
-### Blacklists
+### Blocklists
 
 ```ruby
 # Block requests from 1.2.3.4
-Rack::Attack.blacklist('block 1.2.3.4') do |req|
+Rack::Attack.blocklist('block 1.2.3.4') do |req|
   # Requests are blocked if the return value is truthy
   '1.2.3.4' == req.ip
 end
 
 # Block logins from a bad user agent
-Rack::Attack.blacklist('block bad UA logins') do |req|
+Rack::Attack.blocklist('block bad UA logins') do |req|
   req.path == '/login' && req.post? && req.user_agent == 'BadUA'
 end
 ```
 
 #### Fail2Ban
 
-`Fail2Ban.filter` can be used within a blacklist to block all requests from misbehaving clients.
+`Fail2Ban.filter` can be used within a blocklist to block all requests from misbehaving clients.
 This pattern is inspired by [fail2ban](http://www.fail2ban.org/wiki/index.php/Main_Page).
 See the [fail2ban documentation](http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Jail_Options) for more details on
-how the parameters work.  For multiple filters, be sure to put each filter in a separate blacklist and use a unique discriminator for each fail2ban filter.
+how the parameters work.  For multiple filters, be sure to put each filter in a separate blocklist and use a unique discriminator for each fail2ban filter.
 
 ```ruby
 # Block suspicious requests for '/etc/password' or wordpress specific paths.
 # After 3 blocked requests in 10 minutes, block all requests from that IP for 5 minutes.
-Rack::Attack.blacklist('fail2ban pentesters') do |req|
+Rack::Attack.blocklist('fail2ban pentesters') do |req|
   # `filter` returns truthy value if request fails, or if it's from a previously banned IP
   # so the request is blocked
   Rack::Attack::Fail2Ban.filter("pentesters-#{req.ip}", :maxretry => 3, :findtime => 10.minutes, :bantime => 5.minutes) do
     # The count for the IP is incremented if the return value is truthy
-    CGI.unescape(req.query_string) =~ %r{/etc/passwd} || 
+    CGI.unescape(req.query_string) =~ %r{/etc/passwd} ||
     req.path.include?('/etc/passwd') ||
-    req.path.include?('wp-admin') || 
+    req.path.include?('wp-admin') ||
     req.path.include?('wp-login')
-    
+
   end
 end
 ```
 
-Note that `Fail2Ban` filters are not automatically scoped to the blacklist, so when using multiple filters in an application the scoping must be added to the discriminator e.g. `"pentest:#{req.ip}"`.
+Note that `Fail2Ban` filters are not automatically scoped to the blocklist, so when using multiple filters in an application the scoping must be added to the discriminator e.g. `"pentest:#{req.ip}"`.
 
 #### Allow2Ban
 `Allow2Ban.filter` works the same way as the `Fail2Ban.filter` except that it *allows* requests from misbehaving
@@ -155,7 +155,7 @@ clients until such time as they reach maxretry at which they are cut off as per
 ```ruby
 # Lockout IP addresses that are hammering your login page.
 # After 20 requests in 1 minute, block all requests from that IP for 1 hour.
-Rack::Attack.blacklist('allow2ban login scrapers') do |req|
+Rack::Attack.blocklist('allow2ban login scrapers') do |req|
   # `filter` returns false value if request is to your login page (but still
   # increments the count) so request below the limit are not blocked until
   # they hit the limit.  At that point, filter will return true and block.
@@ -220,12 +220,12 @@ end
 
 ## Responses
 
-Customize the response of blacklisted and throttled requests using an object that adheres to the [Rack app interface](http://rack.rubyforge.org/doc/SPEC.html).
+Customize the response of blocklisted and throttled requests using an object that adheres to the [Rack app interface](http://rack.rubyforge.org/doc/SPEC.html).
 
 ```ruby
-Rack::Attack.blacklisted_response = lambda do |env|
+Rack::Attack.blocklisted_response = lambda do |env|
   # Using 503 because it may make attacker think that they have successfully
-  # DOSed the site. Rack::Attack returns 403 for blacklists by default
+  # DOSed the site. Rack::Attack returns 403 for blocklists by default
   [ 503, {}, ['Blocked']]
 end
 
@@ -274,7 +274,7 @@ but it depends on how many checks you've configured, and how long they take.
 Throttles usually require a network roundtrip to your cache server(s),
 so try to keep the number of throttle checks per request low.
 
-If a request is blacklisted or throttled, the response is a very simple Rack response.
+If a request is blocklisted or throttled, the response is a very simple Rack response.
 A single typical ruby web server thread can block several hundred requests per second.
 
 Rack::Attack complements tools like `iptables` and nginx's [limit_conn_zone module](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn_zone).
@@ -304,6 +304,6 @@ New releases of Rack::Attack are announced on
 
 ## License
 
-Copyright Kickstarter, Inc.
+Copyright Kickstarter, PBC.
 
 Released under an [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -10,6 +10,7 @@ namespace :test do
 
   Rake::TestTask.new(:integration) do |t|
     t.pattern = "spec/integration/*_spec.rb"
+    t.warning = false
   end
 end
 

data/lib/rack/attack.rb

@@ -6,8 +6,8 @@ class Rack::Attack
   autoload :PathNormalizer,  'rack/attack/path_normalizer'
   autoload :Check,           'rack/attack/check'
   autoload :Throttle,        'rack/attack/throttle'
-  autoload :Whitelist,       'rack/attack/whitelist'
-  autoload :Blacklist,       'rack/attack/blacklist'
+  autoload :Safelist,       'rack/attack/safelist'
+  autoload :Blocklist,       'rack/attack/blocklist'
   autoload :Track,           'rack/attack/track'
   autoload :StoreProxy,      'rack/attack/store_proxy'
   autoload :DalliProxy,      'rack/attack/store_proxy/dalli_proxy'
@@ -19,14 +19,24 @@ class Rack::Attack
 
   class << self
 
-    attr_accessor :notifier, :blacklisted_response, :throttled_response
+    attr_accessor :notifier, :blocklisted_response, :throttled_response
+
+    def safelist(name, &block)
+      self.safelists[name] = Safelist.new(name, block)
+    end
 
     def whitelist(name, &block)
-      self.whitelists[name] = Whitelist.new(name, block)
+      warn "[DEPRECATION] 'Rack::Attack.whitelist' is deprecated.  Please use 'safelist' instead."
+      safelist(name, &block)
+    end
+
+    def blocklist(name, &block)
+      self.blocklists[name] = Blocklist.new(name, block)
     end
 
     def blacklist(name, &block)
-      self.blacklists[name] = Blacklist.new(name, block)
+      warn "[DEPRECATION] 'Rack::Attack.blacklist' is deprecated.  Please use 'blocklist' instead."
+      blocklist(name, &block)
     end
 
     def throttle(name, options, &block)
@@ -37,23 +47,43 @@ class Rack::Attack
       self.tracks[name] = Track.new(name, options, block)
     end
 
-    def whitelists; @whitelists ||= {}; end
-    def blacklists; @blacklists ||= {}; end
+    def safelists; @safelists ||= {}; end
+    def blocklists; @blocklists ||= {}; end
     def throttles;  @throttles  ||= {}; end
     def tracks;     @tracks     ||= {}; end
 
-    def whitelisted?(req)
-      whitelists.any? do |name, whitelist|
-        whitelist[req]
+    def whitelists
+      warn "[DEPRECATION] 'Rack::Attack.whitelists' is deprecated.  Please use 'safelists' instead."
+      safelists
+    end
+
+    def blacklists
+      warn "[DEPRECATION] 'Rack::Attack.blacklists' is deprecated.  Please use 'blocklists' instead."
+      blocklists
+    end
+
+    def safelisted?(req)
+      safelists.any? do |name, safelist|
+        safelist[req]
       end
     end
 
-    def blacklisted?(req)
-      blacklists.any? do |name, blacklist|
-        blacklist[req]
+    def whitelisted?
+      warn "[DEPRECATION] 'Rack::Attack.whitelisted?' is deprecated.  Please use 'safelisted?' instead."
+      safelisted?
+    end
+
+    def blocklisted?(req)
+      blocklists.any? do |name, blocklist|
+        blocklist[req]
       end
     end
 
+    def blacklisted?
+      warn "[DEPRECATION] 'Rack::Attack.blacklisted?' is deprecated.  Please use 'blocklisted?' instead."
+      blocklisted?
+    end
+
     def throttled?(req)
       throttles.any? do |name, throttle|
         throttle[req]
@@ -75,14 +105,24 @@ class Rack::Attack
     end
 
     def clear!
-      @whitelists, @blacklists, @throttles, @tracks = {}, {}, {}, {}
+      @safelists, @blocklists, @throttles, @tracks = {}, {}, {}, {}
+    end
+
+    def blacklisted_response=(res)
+      warn "[DEPRECATION] 'Rack::Attack.blacklisted_response=' is deprecated.  Please use 'blocklisted_response=' instead."
+      self.blocklisted_response=(res)
+    end
+
+    def blacklisted_response
+      warn "[DEPRECATION] 'Rack::Attack.blacklisted_response' is deprecated.  Please use 'blocklisted_response' instead."
+      self.blocklisted_response
     end
 
   end
 
   # Set defaults
   @notifier             = ActiveSupport::Notifications if defined?(ActiveSupport::Notifications)
-  @blacklisted_response = lambda {|env| [403, {'Content-Type' => 'text/plain'}, ["Forbidden\n"]] }
+  @blocklisted_response = lambda {|env| [403, {'Content-Type' => 'text/plain'}, ["Forbidden\n"]] }
   @throttled_response   = lambda {|env|
     retry_after = (env['rack.attack.match_data'] || {})[:period]
     [429, {'Content-Type' => 'text/plain', 'Retry-After' => retry_after.to_s}, ["Retry later\n"]]
@@ -96,10 +136,10 @@ class Rack::Attack
     env['PATH_INFO'] = PathNormalizer.normalize_path(env['PATH_INFO'])
     req = Rack::Attack::Request.new(env)
 
-    if whitelisted?(req)
+    if safelisted?(req)
       @app.call(env)
-    elsif blacklisted?(req)
-      self.class.blacklisted_response.call(env)
+    elsif blocklisted?(req)
+      self.class.blocklisted_response.call(env)
     elsif throttled?(req)
       self.class.throttled_response.call(env)
     else
@@ -109,8 +149,8 @@ class Rack::Attack
   end
 
   extend Forwardable
-  def_delegators self, :whitelisted?,
-                       :blacklisted?,
+  def_delegators self, :safelisted?,
+                       :blocklisted?,
                        :throttled?,
                        :tracked?
 end

data/lib/rack/attack/{whitelist.rb → blocklist.rb}

@@ -1,9 +1,9 @@
 module Rack
   class Attack
-    class Whitelist < Check
+    class Blocklist < Check
       def initialize(name, block)
         super
-        @type = :whitelist
+        @type = :blocklist
       end
 
     end

data/lib/rack/attack/fail2ban.rb

@@ -8,7 +8,7 @@ module Rack
           maxretry  = options[:maxretry]  or raise ArgumentError, "Must pass maxretry option"
 
           if banned?(discriminator)
-            # Return true for blacklist
+            # Return true for blocklist
             true
           elsif yield
             fail!(discriminator, bantime, findtime, maxretry)

data/lib/rack/attack/request.rb

@@ -9,7 +9,7 @@
 #     end
 #   end
 #
-#   Rack::Attack.whitelist("localhost") {|req| req.localhost? }
+#   Rack::Attack.safelist("localhost") {|req| req.localhost? }
 #
 module Rack
   class Attack

data/lib/rack/attack/{blacklist.rb → safelist.rb}

@@ -1,12 +1,11 @@
 module Rack
   class Attack
-    class Blacklist < Check
+    class Safelist < Check
       def initialize(name, block)
         super
-        @type = :blacklist
+        @type = :safelist
       end
 
     end
   end
 end
-

data/lib/rack/attack/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class Attack
-    VERSION = '4.4.1'
+    VERSION = '5.0.0.beta1'
   end
 end

data/spec/allow2ban_spec.rb

@@ -7,7 +7,7 @@ describe 'Rack::Attack.Allow2Ban' do
     @bantime  = 60
     Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
     @f2b_options = {:bantime => @bantime, :findtime => @findtime, :maxretry => 2}
-    Rack::Attack.blacklist('pentest') do |req|
+    Rack::Attack.blocklist('pentest') do |req|
       Rack::Attack::Allow2Ban.filter(req.ip, @f2b_options){req.query_string =~ /OMGHAX/}
     end
   end

data/spec/fail2ban_spec.rb

@@ -7,7 +7,7 @@ describe 'Rack::Attack.Fail2Ban' do
     @bantime  = 60
     Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
     @f2b_options = {:bantime => @bantime, :findtime => @findtime, :maxretry => 2}
-    Rack::Attack.blacklist('pentest') do |req|
+    Rack::Attack.blocklist('pentest') do |req|
       Rack::Attack::Fail2Ban.filter(req.ip, @f2b_options){req.query_string =~ /OMGHAX/}
     end
   end

data/spec/rack_attack_request_spec.rb

@@ -9,7 +9,7 @@ describe 'Rack::Attack' do
         end
       end
 
-      Rack::Attack.whitelist('valid IP') do |req|
+      Rack::Attack.safelist('valid IP') do |req|
         req.remote_ip == "127.0.0.1"
       end
     end

data/spec/rack_attack_spec.rb

@@ -5,7 +5,7 @@ describe 'Rack::Attack' do
 
   describe 'normalizing paths' do
     before do
-      Rack::Attack.blacklist("banned_path") {|req| req.path == '/foo' }
+      Rack::Attack.blocklist("banned_path") {|req| req.path == '/foo' }
     end
 
     it 'blocks requests with trailing slash' do
@@ -14,50 +14,86 @@ describe 'Rack::Attack' do
     end
   end
 
-  describe 'blacklist' do
+  describe 'blocklist' do
     before do
       @bad_ip = '1.2.3.4'
-      Rack::Attack.blacklist("ip #{@bad_ip}") {|req| req.ip == @bad_ip }
+      Rack::Attack.blocklist("ip #{@bad_ip}") {|req| req.ip == @bad_ip }
     end
 
-    it('has a blacklist') {
-      Rack::Attack.blacklists.key?("ip #{@bad_ip}").must_equal true
+    it('has a blocklist') {
+      Rack::Attack.blocklists.key?("ip #{@bad_ip}").must_equal true
+    }
+
+    it('has a blacklist with a deprication warning') {
+      _, stderror  = capture_io do
+        Rack::Attack.blacklists.key?("ip #{@bad_ip}").must_equal true
+      end
+      assert_match "[DEPRECATION] 'Rack::Attack.blacklists' is deprecated.  Please use 'blocklists' instead.", stderror
     }
 
     describe "a bad request" do
       before { get '/', {}, 'REMOTE_ADDR' => @bad_ip }
-      it "should return a blacklist response" do
+      it "should return a blocklist response" do
         get '/', {}, 'REMOTE_ADDR' => @bad_ip
         last_response.status.must_equal 403
         last_response.body.must_equal "Forbidden\n"
       end
       it "should tag the env" do
         last_request.env['rack.attack.matched'].must_equal "ip #{@bad_ip}"
-        last_request.env['rack.attack.match_type'].must_equal :blacklist
+        last_request.env['rack.attack.match_type'].must_equal :blocklist
       end
 
       allow_ok_requests
     end
 
-    describe "and whitelist" do
+    describe "and safelist" do
       before do
         @good_ua = 'GoodUA'
-        Rack::Attack.whitelist("good ua") {|req| req.user_agent == @good_ua }
+        Rack::Attack.safelist("good ua") {|req| req.user_agent == @good_ua }
       end
 
-      it('has a whitelist'){ Rack::Attack.whitelists.key?("good ua") }
-      describe "with a request match both whitelist & blacklist" do
+      it('has a safelist'){ Rack::Attack.safelists.key?("good ua") }
+
+      it('has a whitelist with a deprication warning') {
+        _, stderror  = capture_io do
+          Rack::Attack.whitelists.key?("good ua")
+        end
+        assert_match "[DEPRECATION] 'Rack::Attack.whitelists' is deprecated.  Please use 'safelists' instead.", stderror
+      }
+
+      describe "with a request match both safelist & blocklist" do
         before { get '/', {}, 'REMOTE_ADDR' => @bad_ip, 'HTTP_USER_AGENT' => @good_ua }
-        it "should allow whitelists before blacklists" do
+        it "should allow safelists before blocklists" do
           get '/', {}, 'REMOTE_ADDR' => @bad_ip, 'HTTP_USER_AGENT' => @good_ua
           last_response.status.must_equal 200
         end
         it "should tag the env" do
           last_request.env['rack.attack.matched'].must_equal 'good ua'
-          last_request.env['rack.attack.match_type'].must_equal :whitelist
+          last_request.env['rack.attack.match_type'].must_equal :safelist
         end
       end
     end
+
+    describe '#blocklisted_response' do
+      it 'should exist' do
+        Rack::Attack.blocklisted_response.must_respond_to :call
+      end
+
+      it 'should give a deprication warning for blacklisted_response' do
+        _, stderror  = capture_io do
+          Rack::Attack.blacklisted_response
+        end
+        assert_match "[DEPRECATION] 'Rack::Attack.blacklisted_response' is deprecated.  Please use 'blocklisted_response' instead.", stderror
+
+      end
+    end
+
+    describe '#throttled_response' do
+      it 'should exist' do
+        Rack::Attack.throttled_response.must_respond_to :call
+      end
+    end
+
   end
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-attack
 version: !ruby/object:Gem::Version
-  version: 4.4.1
+  version: 5.0.0.beta1
 platform: ruby
 authors:
 - Aaron Suggs
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-02-17 00:00:00.000000000 Z
+date: 2016-07-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -174,12 +174,13 @@ files:
 - Rakefile
 - lib/rack/attack.rb
 - lib/rack/attack/allow2ban.rb
-- lib/rack/attack/blacklist.rb
+- lib/rack/attack/blocklist.rb
 - lib/rack/attack/cache.rb
 - lib/rack/attack/check.rb
 - lib/rack/attack/fail2ban.rb
 - lib/rack/attack/path_normalizer.rb
 - lib/rack/attack/request.rb
+- lib/rack/attack/safelist.rb
 - lib/rack/attack/store_proxy.rb
 - lib/rack/attack/store_proxy/dalli_proxy.rb
 - lib/rack/attack/store_proxy/mem_cache_proxy.rb
@@ -187,7 +188,6 @@ files:
 - lib/rack/attack/throttle.rb
 - lib/rack/attack/track.rb
 - lib/rack/attack/version.rb
-- lib/rack/attack/whitelist.rb
 - spec/allow2ban_spec.rb
 - spec/fail2ban_spec.rb
 - spec/integration/offline_spec.rb
@@ -215,9 +215,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.0.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
 rubygems_version: 2.5.1