RubyGems - rack-attack - Versions diffs - 6.4.0 → 6.5.0 - Mend

rack-attack 6.4.0 → 6.5.0

Files changed (18) hide show

checksums.yaml +4 -4
data/README.md +1 -6
data/lib/rack/attack.rb +10 -8
data/lib/rack/attack/base_proxy.rb +27 -0
data/lib/rack/attack/cache.rb +6 -1
data/lib/rack/attack/railtie.rb +1 -3
data/lib/rack/attack/store_proxy/active_support_redis_store_proxy.rb +2 -2
data/lib/rack/attack/store_proxy/dalli_proxy.rb +2 -2
data/lib/rack/attack/store_proxy/mem_cache_store_proxy.rb +2 -2
data/lib/rack/attack/store_proxy/redis_cache_store_proxy.rb +2 -2
data/lib/rack/attack/store_proxy/redis_proxy.rb +3 -3
data/lib/rack/attack/store_proxy/redis_store_proxy.rb +1 -1
data/lib/rack/attack/throttle.rb +9 -2
data/lib/rack/attack/version.rb +1 -1
data/spec/acceptance/rails_middleware_spec.rb +3 -18
data/spec/rack_attack_throttle_spec.rb +44 -0
metadata +4 -4
data/lib/rack/attack/store_proxy.rb +0 -21

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e7d44de650fae1c83d5a3da49dc8f304e44280f72bd209d3f78643b90d573bd8
-  data.tar.gz: a39d0270489617a8c0a49e01868c24cc87311e80457fbc104c86e45d29978f51
+  metadata.gz: 81f6cce465b8441782ffaa3d446e558979de6a2ceadd9d43499b7977fa61586b
+  data.tar.gz: a2ee9b82f1144d483e7d26a893594ab6cada4dc52d98eb08d7615a38b49face8
 SHA512:
-  metadata.gz: 7d9d965cc672bba8ab2b9f333746e32091363d6b65bf290104c248799a811f272ad8388e7f7b3d870d382e9c80a1003a300f9380c2d8082195972817146a281d
-  data.tar.gz: fbfa381116824ea4de492b66408d15bd708692a74275548c9b167868c0bee566f79a216046213c43a8eb3117b869e86ac99f989e5e4c045c30267db2981b2c6b
+  metadata.gz: b90fa7841d1e5319b820d4bca9c1fc8d266fc98c06f2a936ce6d31949d9fdd7ddab9183f82c5bbbc31e3e4280bba8e786bbe155f146fdcfdbf53ad263bfec63f
+  data.tar.gz: c91be495fbf25444632a1734f40f9fa85b35bf19d921a129ca402aceadf0d30b2a7d5797283ca7ac68e8f323569fa3edc1be98bcecd2c72aa15c3956dd611455

data/README.md CHANGED Viewed

@@ -71,12 +71,7 @@ Or install it yourself as:
 Then tell your ruby web application to use rack-attack as a middleware.
-a) For __rails__ applications with versions >= 5.1 it is used by default. For older rails versions you should enable it explicitly:
-```ruby
-# In config/application.rb
-config.middleware.use Rack::Attack
-```
+a) For __rails__ applications it is used by default.
 You can disable it permanently (like for specific environment) or temporarily (can be useful for specific test cases) by writing:

data/lib/rack/attack.rb CHANGED Viewed

@@ -6,6 +6,12 @@ require 'rack/attack/cache'
 require 'rack/attack/configuration'
 require 'rack/attack/path_normalizer'
 require 'rack/attack/request'
+require 'rack/attack/store_proxy/dalli_proxy'
+require 'rack/attack/store_proxy/mem_cache_store_proxy'
+require 'rack/attack/store_proxy/redis_proxy'
+require 'rack/attack/store_proxy/redis_store_proxy'
+require 'rack/attack/store_proxy/redis_cache_store_proxy'
+require 'rack/attack/store_proxy/active_support_redis_store_proxy'
 require 'rack/attack/railtie' if defined?(::Rails)
@@ -21,18 +27,11 @@ module Rack
     autoload :Safelist,             'rack/attack/safelist'
     autoload :Blocklist,            'rack/attack/blocklist'
     autoload :Track,                'rack/attack/track'
-    autoload :StoreProxy,           'rack/attack/store_proxy'
-    autoload :DalliProxy,           'rack/attack/store_proxy/dalli_proxy'
-    autoload :MemCacheStoreProxy,   'rack/attack/store_proxy/mem_cache_store_proxy'
-    autoload :RedisProxy,           'rack/attack/store_proxy/redis_proxy'
-    autoload :RedisStoreProxy,      'rack/attack/store_proxy/redis_store_proxy'
-    autoload :RedisCacheStoreProxy, 'rack/attack/store_proxy/redis_cache_store_proxy'
-    autoload :ActiveSupportRedisStoreProxy, 'rack/attack/store_proxy/active_support_redis_store_proxy'
     autoload :Fail2Ban,             'rack/attack/fail2ban'
     autoload :Allow2Ban,            'rack/attack/allow2ban'
     class << self
-      attr_accessor :enabled, :notifier
+      attr_accessor :enabled, :notifier, :throttle_discriminator_normalizer
       attr_reader :configuration
       def instrument(request)
@@ -84,6 +83,9 @@ module Rack
     # Set defaults
     @enabled = true
     @notifier = ActiveSupport::Notifications if defined?(ActiveSupport::Notifications)
+    @throttle_discriminator_normalizer = lambda do |discriminator|
+      discriminator.to_s.strip.downcase
+    end
     @configuration = Configuration.new
     attr_reader :configuration

data/lib/rack/attack/base_proxy.rb ADDED Viewed

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+require 'delegate'
+module Rack
+  class Attack
+    class BaseProxy < SimpleDelegator
+      class << self
+        def proxies
+          @@proxies ||= []
+        end
+        def inherited(klass)
+          proxies << klass
+        end
+        def lookup(store)
+          proxies.find { |proxy| proxy.handle?(store) }
+        end
+        def handle?(_store)
+          raise NotImplementedError
+        end
+      end
+    end
+  end
+end

data/lib/rack/attack/cache.rb CHANGED Viewed

@@ -14,7 +14,12 @@ module Rack
       attr_reader :store
       def store=(store)
-        @store = StoreProxy.build(store)
+        @store =
+          if (proxy = BaseProxy.lookup(store))
+            proxy.new(store)
+          else
+            store
+          end
       end
       def count(unprefixed_key, period)

data/lib/rack/attack/railtie.rb CHANGED Viewed

@@ -4,9 +4,7 @@ module Rack
   class Attack
     class Railtie < ::Rails::Railtie
       initializer "rack-attack.middleware" do |app|
-        if Gem::Version.new(::Rails::VERSION::STRING) >= Gem::Version.new("5.1")
-          app.middleware.use(Rack::Attack)
-        end
+        app.middleware.use(Rack::Attack)
       end
     end
   end

data/lib/rack/attack/store_proxy/active_support_redis_store_proxy.rb CHANGED Viewed

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
-require 'delegate'
+require 'rack/attack/base_proxy'
 module Rack
   class Attack
     module StoreProxy
-      class ActiveSupportRedisStoreProxy < SimpleDelegator
+      class ActiveSupportRedisStoreProxy < BaseProxy
         def self.handle?(store)
           defined?(::Redis) &&
             defined?(::ActiveSupport::Cache::RedisStore) &&

data/lib/rack/attack/store_proxy/dalli_proxy.rb CHANGED Viewed

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
-require 'delegate'
+require 'rack/attack/base_proxy'
 module Rack
   class Attack
     module StoreProxy
-      class DalliProxy < SimpleDelegator
+      class DalliProxy < BaseProxy
         def self.handle?(store)
           return false unless defined?(::Dalli)

data/lib/rack/attack/store_proxy/mem_cache_store_proxy.rb CHANGED Viewed

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
-require 'delegate'
+require 'rack/attack/base_proxy'
 module Rack
   class Attack
     module StoreProxy
-      class MemCacheStoreProxy < SimpleDelegator
+      class MemCacheStoreProxy < BaseProxy
         def self.handle?(store)
           defined?(::Dalli) &&
             defined?(::ActiveSupport::Cache::MemCacheStore) &&

data/lib/rack/attack/store_proxy/redis_cache_store_proxy.rb CHANGED Viewed

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
-require 'delegate'
+require 'rack/attack/base_proxy'
 module Rack
   class Attack
     module StoreProxy
-      class RedisCacheStoreProxy < SimpleDelegator
+      class RedisCacheStoreProxy < BaseProxy
         def self.handle?(store)
           store.class.name == "ActiveSupport::Cache::RedisCacheStore"
         end

data/lib/rack/attack/store_proxy/redis_proxy.rb CHANGED Viewed

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
-require 'delegate'
+require 'rack/attack/base_proxy'
 module Rack
   class Attack
     module StoreProxy
-      class RedisProxy < SimpleDelegator
+      class RedisProxy < BaseProxy
         def initialize(*args)
           if Gem::Version.new(Redis::VERSION) < Gem::Version.new("3")
             warn 'RackAttack requires Redis gem >= 3.0.0.'
@@ -15,7 +15,7 @@ module Rack
         end
         def self.handle?(store)
-          defined?(::Redis) && store.is_a?(::Redis)
+          defined?(::Redis) && store.class == ::Redis
         end
         def read(key)

data/lib/rack/attack/store_proxy/redis_store_proxy.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
-require 'delegate'
+require 'rack/attack/store_proxy/redis_proxy'
 module Rack
   class Attack

data/lib/rack/attack/throttle.rb CHANGED Viewed

@@ -23,8 +23,7 @@ module Rack
       end
       def matched_by?(request)
-        discriminator = block.call(request)
+        discriminator = discriminator_for(request)
         return false unless discriminator
         current_period  = period_for(request)
@@ -50,6 +49,14 @@ module Rack
       private
+      def discriminator_for(request)
+        discriminator = block.call(request)
+        if discriminator && Rack::Attack.throttle_discriminator_normalizer
+          discriminator = Rack::Attack.throttle_discriminator_normalizer.call(discriminator)
+        end
+        discriminator
+      end
       def period_for(request)
         period.respond_to?(:call) ? period.call(request) : period
       end

data/lib/rack/attack/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module Rack
   class Attack
-    VERSION = '6.4.0'
+    VERSION = '6.5.0'
   end
 end

data/spec/acceptance/rails_middleware_spec.rb CHANGED Viewed

@@ -12,24 +12,9 @@ if defined?(Rails)
       end
     end
-    if Gem::Version.new(Rails::VERSION::STRING) >= Gem::Version.new("5.1")
-      it "is used by default" do
-        @app.initialize!
-        assert_equal 1, @app.middleware.count(Rack::Attack)
-      end
-      it "is not added when it was explicitly deleted" do
-        @app.config.middleware.delete(Rack::Attack)
-        @app.initialize!
-        refute @app.middleware.include?(Rack::Attack)
-      end
-    end
-    if Gem::Version.new(Rails::VERSION::STRING) < Gem::Version.new("5.1")
-      it "is not used by default" do
-        @app.initialize!
-        assert_equal 0, @app.middleware.count(Rack::Attack)
-      end
+    it "is used by default" do
+      @app.initialize!
+      assert @app.middleware.include?(Rack::Attack)
     end
   end
 end

data/spec/rack_attack_throttle_spec.rb CHANGED Viewed

@@ -144,3 +144,47 @@ describe 'Rack::Attack.throttle with block retuning nil' do
     end
   end
 end
+describe 'Rack::Attack.throttle with throttle_discriminator_normalizer' do
+  before do
+    @period = 60
+    @emails = [
+      "person@example.com",
+      "PERSON@example.com ",
+      " person@example.com\r\n  ",
+    ]
+    Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+    Rack::Attack.throttle('logins/email', limit: 4, period: @period) do |req|
+      if req.path == '/login' && req.post?
+        req.params['email']
+      end
+    end
+  end
+  it 'should not differentiate requests when throttle_discriminator_normalizer is enabled' do
+    post_logins
+    key = "rack::attack:#{Time.now.to_i / @period}:logins/email:person@example.com"
+    _(Rack::Attack.cache.store.read(key)).must_equal 3
+  end
+  it 'should differentiate requests when throttle_discriminator_normalizer is disabled' do
+    begin
+      prev = Rack::Attack.throttle_discriminator_normalizer
+      Rack::Attack.throttle_discriminator_normalizer = nil
+      post_logins
+      @emails.each do |email|
+        key = "rack::attack:#{Time.now.to_i / @period}:logins/email:#{email}"
+        _(Rack::Attack.cache.store.read(key)).must_equal 1
+      end
+    ensure
+      Rack::Attack.throttle_discriminator_normalizer = prev
+    end
+  end
+  def post_logins
+    @emails.each do |email|
+      post '/login', email: email
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-attack
 version: !ruby/object:Gem::Version
-  version: 6.4.0
+  version: 6.5.0
 platform: ruby
 authors:
 - Aaron Suggs
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-01-24 00:00:00.000000000 Z
+date: 2021-02-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -206,6 +206,7 @@ files:
 - Rakefile
 - lib/rack/attack.rb
 - lib/rack/attack/allow2ban.rb
+- lib/rack/attack/base_proxy.rb
 - lib/rack/attack/blocklist.rb
 - lib/rack/attack/cache.rb
 - lib/rack/attack/check.rb
@@ -215,7 +216,6 @@ files:
 - lib/rack/attack/railtie.rb
 - lib/rack/attack/request.rb
 - lib/rack/attack/safelist.rb
-- lib/rack/attack/store_proxy.rb
 - lib/rack/attack/store_proxy/active_support_redis_store_proxy.rb
 - lib/rack/attack/store_proxy/dalli_proxy.rb
 - lib/rack/attack/store_proxy/mem_cache_store_proxy.rb
@@ -290,7 +290,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.6
+rubygems_version: 3.2.8
 signing_key:
 specification_version: 4
 summary: Block & throttle abusive requests

data/lib/rack/attack/store_proxy.rb DELETED Viewed

@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-module Rack
-  class Attack
-    module StoreProxy
-      PROXIES = [
-        DalliProxy,
-        MemCacheStoreProxy,
-        RedisStoreProxy,
-        RedisProxy,
-        RedisCacheStoreProxy,
-        ActiveSupportRedisStoreProxy
-      ].freeze
-      def self.build(store)
-        klass = PROXIES.find { |proxy| proxy.handle?(store) }
-        klass ? klass.new(store) : store
-      end
-    end
-  end
-end