rack-attack 5.3.2 → 5.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 30b1caccf538327c289b6e4962e2deadc4d7c5fc8509eb1adbf4383c950bd4ad
-  data.tar.gz: 4b8af97dca4e04414712cce9ba21cc7940f46e2072d3cc9e288b5bf54d066bba
+  metadata.gz: 123608043cbaa1604ab2d7b06c056010decd274dd4a5b1fe8f2175cec766fa4d
+  data.tar.gz: 2bd3ca91293545b76221608f144c1a43a458fbd9e6f2e8ea2647bf561d8ea9a9
 SHA512:
-  metadata.gz: f439d0196c505e73f10671f30d1b9cf919fb1b185468f38915817782cfecdc59d6405bd4d1a895e956de2f788c33524f232bd5c4eadee36dffe1883b0954efdb
-  data.tar.gz: a736973564ec15f143fbb6b5067441eea50cbc33385a557b1d6d13180b5237982cc676de6ee97989e06fa97185666811945b85d6a8263c19c0a16446407afa22
+  metadata.gz: '06388ad68edc65019740c9ee77347f817b0769e782d0f8564ac5ac6b9c7fa819fe2157a10d89b570c78c14ef5a86fe080fac30aba8ebdfed281f2073785f5685'
+  data.tar.gz: a15cc2cef9eebda52d662fe3eeee3f187d5b575c089a1fa2cf5e0179012499f6440889349a47108c4017f8b73dd18985655dc933baf8c031e08d73ea23d1dbba

data/README.md

@@ -303,13 +303,13 @@ Here's an example response that includes conventional `X-RateLimit-*` headers:
 
 ```ruby
 Rack::Attack.throttled_response = lambda do |env|
-  now = Time.now
   match_data = env['rack.attack.match_data']
+  now = match_data[:epoch_time]
 
   headers = {
     'X-RateLimit-Limit' => match_data[:limit].to_s,
     'X-RateLimit-Remaining' => '0',
-    'X-RateLimit-Reset' => (now + (match_data[:period] - now.to_i % match_data[:period])).to_s
+    'X-RateLimit-Reset' => (now + (match_data[:period] - now % match_data[:period])).to_s
   }
 
   [ 429, headers, ["Throttled\n"]]
@@ -320,7 +320,7 @@ end
 For responses that did not exceed a throttle limit, Rack::Attack annotates the env with match data:
 
 ```ruby
-request.env['rack.attack.throttle_data'][name] # => { :count => n, :period => p, :limit => l }
+request.env['rack.attack.throttle_data'][name] # => { :count => n, :period => p, :limit => l, :epoch_time => t }
 ```
 
 ## Logging & Instrumentation

data/Rakefile

@@ -20,7 +20,8 @@ namespace :test do
   end
 end
 
-desc 'Run tests'
-task :test => %w[test:units test:integration test:acceptance]
+Rake::TestTask.new(:test) do |t|
+  t.pattern = "spec/**/*_spec.rb"
+end
 
 task :default => [:rubocop, :test]

data/lib/rack/attack.rb

@@ -17,6 +17,7 @@ class Rack::Attack
   autoload :StoreProxy,           'rack/attack/store_proxy'
   autoload :DalliProxy,           'rack/attack/store_proxy/dalli_proxy'
   autoload :MemCacheProxy,        'rack/attack/store_proxy/mem_cache_proxy'
+  autoload :RedisProxy,           'rack/attack/store_proxy/redis_proxy'
   autoload :RedisStoreProxy,      'rack/attack/store_proxy/redis_store_proxy'
   autoload :RedisCacheStoreProxy, 'rack/attack/store_proxy/redis_cache_store_proxy'
   autoload :Fail2Ban,             'rack/attack/fail2ban'

data/lib/rack/attack/cache.rb

@@ -2,6 +2,7 @@ module Rack
   class Attack
     class Cache
       attr_accessor :prefix
+      attr_reader :last_epoch_time
 
       def initialize
         self.store = ::Rails.cache if defined?(::Rails.cache)
@@ -41,10 +42,10 @@ module Rack
       private
 
       def key_and_expiry(unprefixed_key, period)
-        epoch_time = Time.now.to_i
+        @last_epoch_time = Time.now.to_i
         # Add 1 to expires_in to avoid timing error: https://git.io/i1PHXA
-        expires_in = (period - (epoch_time % period) + 1).to_i
-        ["#{prefix}:#{(epoch_time / period).to_i}:#{unprefixed_key}", expires_in]
+        expires_in = (period - (@last_epoch_time % period) + 1).to_i
+        ["#{prefix}:#{(@last_epoch_time / period).to_i}:#{unprefixed_key}", expires_in]
       end
 
       def do_count(key, expires_in)

data/lib/rack/attack/store_proxy.rb

@@ -1,7 +1,7 @@
 module Rack
   class Attack
     module StoreProxy
-      PROXIES = [DalliProxy, MemCacheProxy, RedisStoreProxy, RedisCacheStoreProxy].freeze
+      PROXIES = [DalliProxy, MemCacheProxy, RedisStoreProxy, RedisProxy, RedisCacheStoreProxy].freeze
 
       ACTIVE_SUPPORT_WRAPPER_CLASSES = Set.new(['ActiveSupport::Cache::MemCacheStore', 'ActiveSupport::Cache::RedisStore', 'ActiveSupport::Cache::RedisCacheStore']).freeze
       ACTIVE_SUPPORT_CLIENTS = Set.new(['Redis::Store', 'Dalli::Client', 'MemCache']).freeze

data/lib/rack/attack/store_proxy/redis_proxy.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require 'delegate'
+
+module Rack
+  class Attack
+    module StoreProxy
+      class RedisProxy < SimpleDelegator
+        def initialize(*args)
+          if Gem::Version.new(Redis::VERSION) < Gem::Version.new("3")
+            warn 'RackAttack requires Redis gem >= 3.0.0.'
+          end
+
+          super(*args)
+        end
+
+        def self.handle?(store)
+          defined?(::Redis) && store.is_a?(::Redis)
+        end
+
+        def read(key)
+          get(key)
+        rescue Redis::BaseError
+        end
+
+        def write(key, value, options = {})
+          if (expires_in = options[:expires_in])
+            setex(key, expires_in, value)
+          else
+            set(key, value)
+          end
+        rescue Redis::BaseError
+        end
+
+        def increment(key, amount, options = {})
+          count = nil
+
+          pipelined do
+            count = incrby(key, amount)
+            expire(key, options[:expires_in]) if options[:expires_in]
+          end
+
+          count.value if count
+        rescue Redis::BaseError
+        end
+
+        def delete(key, _options = {})
+          del(key)
+        rescue Redis::BaseError
+        end
+      end
+    end
+  end
+end

data/lib/rack/attack/store_proxy/redis_store_proxy.rb

@@ -3,15 +3,11 @@ require 'delegate'
 module Rack
   class Attack
     module StoreProxy
-      class RedisStoreProxy < SimpleDelegator
+      class RedisStoreProxy < RedisProxy
         def self.handle?(store)
           defined?(::Redis::Store) && store.is_a?(::Redis::Store)
         end
 
-        def initialize(store)
-          super(store)
-        end
-
         def read(key)
           get(key, raw: true)
         rescue Redis::BaseError
@@ -25,23 +21,6 @@ module Rack
           end
         rescue Redis::BaseError
         end
-
-        def increment(key, amount, options = {})
-          count = nil
-
-          pipelined do
-            count = incrby(key, amount)
-            expire(key, options[:expires_in]) if options[:expires_in]
-          end
-
-          count.value if count
-        rescue Redis::BaseError
-        end
-
-        def delete(key, _options = {})
-          del(key)
-        rescue Redis::BaseError
-        end
       end
     end
   end

data/lib/rack/attack/throttle.rb

@@ -26,12 +26,15 @@ module Rack
         current_limit  = limit.respond_to?(:call) ? limit.call(request) : limit
         key            = "#{name}:#{discriminator}"
         count          = cache.count(key, current_period)
+        epoch_time     = cache.last_epoch_time
 
         data = {
           :count => count,
           :period => current_period,
-          :limit => current_limit
+          :limit => current_limit,
+          :epoch_time => epoch_time
         }
+
         (request.env['rack.attack.throttle_data'] ||= {})[name] = data
 
         (count > current_limit).tap do |throttled|

data/lib/rack/attack/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class Attack
-    VERSION = '5.3.2'
+    VERSION = '5.4.0'
   end
 end

data/spec/acceptance/stores/redis_spec.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require_relative "../../spec_helper"
+
+if defined?(::Redis)
+  require_relative "../../support/cache_store_helper"
+  require "timecop"
+
+  describe "Plain redis as a cache backend" do
+    before do
+      Rack::Attack.cache.store = Redis.new
+    end
+
+    after do
+      Rack::Attack.cache.store.flushdb
+    end
+
+    it_works_for_cache_backed_features
+
+    it "doesn't leak keys" do
+      Rack::Attack.throttle("by ip", limit: 1, period: 1) do |request|
+        request.ip
+      end
+
+      key = nil
+
+      # Freeze time during these statement to be sure that the key used by rack attack is the same
+      # we pre-calculate in local variable `key`
+      Timecop.freeze do
+        key = "rack::attack:#{Time.now.to_i}:by ip:1.2.3.4"
+
+        get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      end
+
+      assert Rack::Attack.cache.store.get(key)
+
+      sleep 2.1
+
+      assert_nil Rack::Attack.cache.store.get(key)
+    end
+  end
+end

data/spec/rack_attack_throttle_spec.rb

@@ -20,7 +20,7 @@ describe 'Rack::Attack.throttle' do
     end
 
     it 'should populate throttle data' do
-      data = { :count => 1, :limit => 1, :period => @period }
+      data = { :count => 1, :limit => 1, :period => @period, epoch_time: Rack::Attack.cache.last_epoch_time.to_i }
       last_request.env['rack.attack.throttle_data']['ip/sec'].must_equal data
     end
   end
@@ -37,7 +37,7 @@ describe 'Rack::Attack.throttle' do
     it 'should tag the env' do
       last_request.env['rack.attack.matched'].must_equal 'ip/sec'
       last_request.env['rack.attack.match_type'].must_equal :throttle
-      last_request.env['rack.attack.match_data'].must_equal(:count => 2, :limit => 1, :period => @period)
+      last_request.env['rack.attack.match_data'].must_equal(:count => 2, :limit => 1, :period => @period, epoch_time: Rack::Attack.cache.last_epoch_time.to_i)
       last_request.env['rack.attack.match_discriminator'].must_equal('1.2.3.4')
     end
 
@@ -65,7 +65,7 @@ describe 'Rack::Attack.throttle with limit as proc' do
     end
 
     it 'should populate throttle data' do
-      data = { :count => 1, :limit => 1, :period => @period }
+      data = { :count => 1, :limit => 1, :period => @period, epoch_time: Rack::Attack.cache.last_epoch_time.to_i }
       last_request.env['rack.attack.throttle_data']['ip/sec'].must_equal data
     end
   end
@@ -89,7 +89,7 @@ describe 'Rack::Attack.throttle with period as proc' do
     end
 
     it 'should populate throttle data' do
-      data = { :count => 1, :limit => 1, :period => @period }
+      data = { :count => 1, :limit => 1, :period => @period, epoch_time: Rack::Attack.cache.last_epoch_time.to_i }
       last_request.env['rack.attack.throttle_data']['ip/sec'].must_equal data
     end
   end

data/spec/spec_helper.rb

@@ -1,4 +1,3 @@
-require "rubygems"
 require "bundler/setup"
 
 require "minitest/autorun"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-attack
 version: !ruby/object:Gem::Version
-  version: 5.3.2
+  version: 5.4.0
 platform: ruby
 authors:
 - Aaron Suggs
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-06-25 00:00:00.000000000 Z
+date: 2018-07-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -16,14 +16,20 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: appraisal
   requirement: !ruby/object:Gem::Requirement
@@ -38,6 +44,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.2'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -140,30 +160,30 @@ dependencies:
   name: actionpack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.0.0
+        version: '5.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.0.0
+        version: '5.2'
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.0.0
+        version: '5.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.0.0
+        version: '5.2'
 description: A rack middleware for throttling and blocking abusive requests
 email: aaron@ktheory.com
 executables: []
@@ -185,6 +205,7 @@ files:
 - lib/rack/attack/store_proxy/dalli_proxy.rb
 - lib/rack/attack/store_proxy/mem_cache_proxy.rb
 - lib/rack/attack/store_proxy/redis_cache_store_proxy.rb
+- lib/rack/attack/store_proxy/redis_proxy.rb
 - lib/rack/attack/store_proxy/redis_store_proxy.rb
 - lib/rack/attack/throttle.rb
 - lib/rack/attack/track.rb
@@ -212,6 +233,7 @@ files:
 - spec/acceptance/stores/active_support_redis_store_spec.rb
 - spec/acceptance/stores/connection_pool_dalli_client_spec.rb
 - spec/acceptance/stores/dalli_client_spec.rb
+- spec/acceptance/stores/redis_spec.rb
 - spec/acceptance/stores/redis_store_spec.rb
 - spec/acceptance/throttling_spec.rb
 - spec/acceptance/track_spec.rb
@@ -284,6 +306,7 @@ test_files:
 - spec/acceptance/stores/active_support_dalli_store_spec.rb
 - spec/acceptance/stores/redis_store_spec.rb
 - spec/acceptance/stores/dalli_client_spec.rb
+- spec/acceptance/stores/redis_spec.rb
 - spec/acceptance/customizing_blocked_response_spec.rb
 - spec/spec_helper.rb
 - spec/allow2ban_spec.rb