rack-attack 6.3.1 → 6.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3735d065000def3fce68a51f86fd46eec60d8ce8aac80991bd4c1fd05cf2babd
-  data.tar.gz: def7883dbc56f61163d54104e6a9b1aa87a93f47cdfefe60bb81880a7237aa8b
+  metadata.gz: e7d44de650fae1c83d5a3da49dc8f304e44280f72bd209d3f78643b90d573bd8
+  data.tar.gz: a39d0270489617a8c0a49e01868c24cc87311e80457fbc104c86e45d29978f51
 SHA512:
-  metadata.gz: 4c40ef6a1a7f2c1692b5bf3c46cb4f7e25bec5f413c9f96ee8b37b62e67b9f2e31e3c8067c9ecf19af4be16bbc01e016a3921052ed08c42c8a72b8a7696653e1
-  data.tar.gz: 3bb4d54e791d056a5e905e72b325a1eb733a6f3b660601f4d4ac39aa1b46cf480879bfae72575ce8ed8420961166ef3273cbe3590f60efa552946fbfb20cd7c2
+  metadata.gz: 7d9d965cc672bba8ab2b9f333746e32091363d6b65bf290104c248799a811f272ad8388e7f7b3d870d382e9c80a1003a300f9380c2d8082195972817146a281d
+  data.tar.gz: fbfa381116824ea4de492b66408d15bd708692a74275548c9b167868c0bee566f79a216046213c43a8eb3117b869e86ac99f989e5e4c045c30267db2981b2c6b

data/README.md

@@ -1,5 +1,5 @@
 __Note__: You are viewing the development version README.
-For the README consistent with the latest released version see https://github.com/kickstarter/rack-attack/blob/6-stable/README.md.
+For the README consistent with the latest released version see https://github.com/rack/rack-attack/blob/6-stable/README.md.
 
 # Rack::Attack
 
@@ -10,7 +10,7 @@ Protect your Rails and Rack apps from bad clients. Rack::Attack lets you easily
 See the [Backing & Hacking blog post](https://www.kickstarter.com/backing-and-hacking/rack-attack-protection-from-abusive-clients) introducing Rack::Attack.
 
 [![Gem Version](https://badge.fury.io/rb/rack-attack.svg)](https://badge.fury.io/rb/rack-attack)
-[![Build Status](https://travis-ci.org/kickstarter/rack-attack.svg?branch=master)](https://travis-ci.org/kickstarter/rack-attack)
+[![Build Status](https://travis-ci.org/rack/rack-attack.svg?branch=master)](https://travis-ci.org/rack/rack-attack)
 [![Code Climate](https://codeclimate.com/github/kickstarter/rack-attack.svg)](https://codeclimate.com/github/kickstarter/rack-attack)
 [![Join the chat at https://gitter.im/rack-attack/rack-attack](https://badges.gitter.im/rack-attack/rack-attack.svg)](https://gitter.im/rack-attack/rack-attack)
 
@@ -40,7 +40,6 @@ See the [Backing & Hacking blog post](https://www.kickstarter.com/backing-and-ha
 - [Testing](#testing)
 - [How it works](#how-it-works)
   - [About Tracks](#about-tracks)
-- [Testing](#testing)
 - [Performance](#performance)
 - [Motivation](#motivation)
 - [Contributing](#contributing)
@@ -141,7 +140,7 @@ E.g.
 # Provided that trusted users use an HTTP request header named APIKey
 Rack::Attack.safelist("mark any authenticated access safe") do |request|
   # Requests are allowed if the return value is truthy
-  request.env["APIKey"] == "secret-string"
+  request.env["HTTP_APIKEY"] == "secret-string"
 end
 
 # Always allow requests from localhost
@@ -264,10 +263,12 @@ Rack::Attack.throttle("requests by ip", limit: 5, period: 2) do |request|
 end
 
 # Throttle login attempts for a given email parameter to 6 reqs/minute
-# Return the email as a discriminator on POST /login requests
+# Return the *normalized* email as a discriminator on POST /login requests
 Rack::Attack.throttle('limit logins per email', limit: 6, period: 60) do |req|
   if req.path == '/login' && req.post?
-    req.params['email']
+    # Normalize the email, using the same logic as your authentication process, to
+    # protect against rate limit bypasses.
+    req.params['email'].to_s.downcase.gsub(/\s+/, "")
   end
 end
 
@@ -343,7 +344,7 @@ end
 While Rack::Attack's primary focus is minimizing harm from abusive clients, it
 can also be used to return rate limit data that's helpful for well-behaved clients.
 
-If you want to return to user how many seconds to wait until he can start sending requests again, this can be done through enabling `Retry-After` header:
+If you want to return to user how many seconds to wait until they can start sending requests again, this can be done through enabling `Retry-After` header:
 ```ruby
 Rack::Attack.throttled_response_retry_after_header = true
 ```
@@ -378,7 +379,7 @@ Rack::Attack uses the [ActiveSupport::Notifications](http://api.rubyonrails.org/
 
 You can subscribe to `rack_attack` events and log it, graph it, etc.
 
-To get notified about specific type of events, subscribe to the event name followed by the `rack_attack` namesapce.
+To get notified about specific type of events, subscribe to the event name followed by the `rack_attack` namespace.
 E.g. for throttles use:
 
 ```ruby
@@ -401,6 +402,10 @@ end
 
 ## Testing
 
+A note on developing and testing apps using Rack::Attack - if you are using throttling in particular, you will
+need to enable the cache in your development environment. See [Caching with Rails](http://guides.rubyonrails.org/caching_with_rails.html)
+for more on how to do this.
+
 ### Disabling
 
 `Rack::Attack.enabled = false` can be used to either completely disable Rack::Attack in your tests, or to disable/enable for specific test cases only.
@@ -445,13 +450,6 @@ can cleanly monkey patch helper methods onto the
 
 `Rack::Attack.track` doesn't affect request processing. Tracks are an easy way to log and measure requests matching arbitrary attributes.
 
-
-## Testing
-
-A note on developing and testing apps using Rack::Attack - if you are using throttling in particular, you will
-need to enable the cache in your development environment. See [Caching with Rails](http://guides.rubyonrails.org/caching_with_rails.html)
-for more on how to do this.
-
 ## Performance
 
 The overhead of running Rack::Attack is typically negligible (a few milliseconds per request),

data/lib/rack/attack/cache.rb

@@ -12,6 +12,7 @@ module Rack
       end
 
       attr_reader :store
+
       def store=(store)
         @store = StoreProxy.build(store)
       end

data/lib/rack/attack/check.rb

@@ -4,6 +4,7 @@ module Rack
   class Attack
     class Check
       attr_reader :name, :block, :type
+
       def initialize(name, options = {}, &block)
         @name = name
         @block = block

data/lib/rack/attack/store_proxy/redis_cache_store_proxy.rb

@@ -10,7 +10,7 @@ module Rack
           store.class.name == "ActiveSupport::Cache::RedisCacheStore"
         end
 
-        def increment(name, amount = 1, options = {})
+        def increment(name, amount = 1, **options)
           # RedisCacheStore#increment ignores options[:expires_in].
           #
           # So in order to workaround this we use RedisCacheStore#write (which sets expiration) to initialize

data/lib/rack/attack/throttle.rb

@@ -6,6 +6,7 @@ module Rack
       MANDATORY_OPTIONS = [:limit, :period].freeze
 
       attr_reader :name, :limit, :period, :block, :type
+
       def initialize(name, options, &block)
         @name = name
         @block = block

data/lib/rack/attack/version.rb

@@ -2,6 +2,6 @@
 
 module Rack
   class Attack
-    VERSION = '6.3.1'
+    VERSION = '6.4.0'
   end
 end

data/spec/acceptance/stores/active_support_redis_cache_store_pooled_spec.rb

@@ -21,6 +21,6 @@ if should_run
       Rack::Attack.cache.store.clear
     end
 
-    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.fetch(key) })
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.read(key) })
   end
 end

data/spec/acceptance/stores/active_support_redis_cache_store_spec.rb

@@ -20,6 +20,6 @@ if should_run
       Rack::Attack.cache.store.clear
     end
 
-    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.fetch(key) })
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.read(key) })
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-attack
 version: !ruby/object:Gem::Version
-  version: 6.3.1
+  version: 6.4.0
 platform: ruby
 authors:
 - Aaron Suggs
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-21 00:00:00.000000000 Z
+date: 2021-01-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -126,14 +126,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.78.0
+        version: 0.89.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.78.0
+        version: 0.89.1
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
@@ -185,7 +185,7 @@ dependencies:
         version: '4.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '6.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -195,7 +195,7 @@ dependencies:
         version: '4.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '6.2'
 description: A rack middleware for throttling and blocking abusive requests
 email: aaron@ktheory.com
 executables: []
@@ -204,7 +204,6 @@ extra_rdoc_files: []
 files:
 - README.md
 - Rakefile
-- bin/setup
 - lib/rack/attack.rb
 - lib/rack/attack/allow2ban.rb
 - lib/rack/attack/blocklist.rb
@@ -268,13 +267,13 @@ files:
 - spec/rack_attack_track_spec.rb
 - spec/spec_helper.rb
 - spec/support/cache_store_helper.rb
-homepage: https://github.com/kickstarter/rack-attack
+homepage: https://github.com/rack/rack-attack
 licenses:
 - MIT
 metadata:
-  bug_tracker_uri: https://github.com/kickstarter/rack-attack/issues
-  changelog_uri: https://github.com/kickstarter/rack-attack/blob/master/CHANGELOG.md
-  source_code_uri: https://github.com/kickstarter/rack-attack
+  bug_tracker_uri: https://github.com/rack/rack-attack/issues
+  changelog_uri: https://github.com/rack/rack-attack/blob/master/CHANGELOG.md
+  source_code_uri: https://github.com/rack/rack-attack
 post_install_message: 
 rdoc_options:
 - "--charset=UTF-8"
@@ -284,57 +283,57 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.3'
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.3
+rubygems_version: 3.2.6
 signing_key: 
 specification_version: 4
 summary: Block & throttle abusive requests
 test_files:
-- spec/integration/offline_spec.rb
-- spec/rack_attack_path_normalizer_spec.rb
-- spec/acceptance/safelisting_subnet_spec.rb
-- spec/acceptance/rails_middleware_spec.rb
-- spec/acceptance/track_throttle_spec.rb
-- spec/acceptance/cache_store_config_for_fail2ban_spec.rb
-- spec/acceptance/cache_store_config_with_rails_spec.rb
-- spec/acceptance/cache_store_config_for_allow2ban_spec.rb
-- spec/acceptance/safelisting_ip_spec.rb
-- spec/acceptance/track_spec.rb
-- spec/acceptance/blocking_subnet_spec.rb
-- spec/acceptance/blocking_ip_spec.rb
 - spec/acceptance/allow2ban_spec.rb
-- spec/acceptance/throttling_spec.rb
+- spec/acceptance/blocking_ip_spec.rb
 - spec/acceptance/blocking_spec.rb
+- spec/acceptance/blocking_subnet_spec.rb
+- spec/acceptance/cache_store_config_for_allow2ban_spec.rb
+- spec/acceptance/cache_store_config_for_fail2ban_spec.rb
+- spec/acceptance/cache_store_config_for_throttle_spec.rb
+- spec/acceptance/cache_store_config_with_rails_spec.rb
+- spec/acceptance/customizing_blocked_response_spec.rb
 - spec/acceptance/customizing_throttled_response_spec.rb
 - spec/acceptance/extending_request_object_spec.rb
-- spec/acceptance/safelisting_spec.rb
-- spec/acceptance/cache_store_config_for_throttle_spec.rb
 - spec/acceptance/fail2ban_spec.rb
+- spec/acceptance/rails_middleware_spec.rb
+- spec/acceptance/safelisting_ip_spec.rb
+- spec/acceptance/safelisting_spec.rb
+- spec/acceptance/safelisting_subnet_spec.rb
+- spec/acceptance/stores/active_support_dalli_store_spec.rb
 - spec/acceptance/stores/active_support_mem_cache_store_pooled_spec.rb
-- spec/acceptance/stores/active_support_redis_cache_store_spec.rb
-- spec/acceptance/stores/active_support_memory_store_spec.rb
-- spec/acceptance/stores/active_support_redis_store_spec.rb
 - spec/acceptance/stores/active_support_mem_cache_store_spec.rb
+- spec/acceptance/stores/active_support_memory_store_spec.rb
 - spec/acceptance/stores/active_support_redis_cache_store_pooled_spec.rb
+- spec/acceptance/stores/active_support_redis_cache_store_spec.rb
+- spec/acceptance/stores/active_support_redis_store_spec.rb
 - spec/acceptance/stores/connection_pool_dalli_client_spec.rb
-- spec/acceptance/stores/active_support_dalli_store_spec.rb
-- spec/acceptance/stores/redis_store_spec.rb
 - spec/acceptance/stores/dalli_client_spec.rb
 - spec/acceptance/stores/redis_spec.rb
-- spec/acceptance/customizing_blocked_response_spec.rb
-- spec/spec_helper.rb
+- spec/acceptance/stores/redis_store_spec.rb
+- spec/acceptance/throttling_spec.rb
+- spec/acceptance/track_spec.rb
+- spec/acceptance/track_throttle_spec.rb
 - spec/allow2ban_spec.rb
-- spec/rack_attack_instrumentation_spec.rb
+- spec/fail2ban_spec.rb
+- spec/integration/offline_spec.rb
 - spec/rack_attack_dalli_proxy_spec.rb
+- spec/rack_attack_instrumentation_spec.rb
+- spec/rack_attack_path_normalizer_spec.rb
+- spec/rack_attack_request_spec.rb
 - spec/rack_attack_spec.rb
 - spec/rack_attack_throttle_spec.rb
-- spec/rack_attack_request_spec.rb
-- spec/fail2ban_spec.rb
 - spec/rack_attack_track_spec.rb
+- spec/spec_helper.rb
 - spec/support/cache_store_helper.rb

data/bin/setup

@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-IFS=$'\n\t'
-set -vx
-
-bundle install
-
-# Do any other automated setup that you need to do here