rack-shield 1.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 91381e561f753758f33de1f296eaf6df921d131d8780ec5d3ca6d21a1cabc022
+  data.tar.gz: 737b223d0e6990ad9447f8f82b725d4a0e7bdfed9dc53d59085d78363c9d2e8b
+SHA512:
+  metadata.gz: 31d9e273c7837fa8e6626247b1cc361e5f4138cf3061cc0c8fc605b717e962e48272d17b00ab3afd36374710422e4bb340322562835522c66ee7103c938b9870
+  data.tar.gz: cfe65f88d463b9874d3e7b01045171c909fa74bede02f98b79bf5f57a32b3b648e43ee82d7c897b817ee11b95ffa6742c6e55a2663acc31809cf6f3d147449d0

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 Matthias Grosser
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,62 @@
+![Shield](https://raw.githubusercontent.com/mtgrosser/rack-shield/master/doc/shield.svg)
+
+# Rack::Shield
+
+Simple frontend to block and unblock evil requests with `Rack::Attack`
+
+## Installation
+
+In your Gemfile:
+
+```ruby
+gem 'rack-attack-shield'
+```
+
+## Usage
+
+Check whether request is evil:
+
+```ruby
+Rack::Shield.evil?(request)
+```
+
+With `Rack::Attack::Fail2Ban`:
+
+```ruby
+# After one blocked request in 10 minutes, block all requests from that IP for 5 minutes.
+Rack::Attack.blocklist('fail2ban pentesters') do |req|
+  Rack::Attack::Fail2Ban.filter("pentesters-#{req.ip}", maxretry: 1, findtime: 10.minutes, bantime: 5.minutes) do
+    Rack::Shield.evil?(req)
+  end
+end
+```
+
+## Configuration
+
+Adding to path matchers:
+
+```ruby
+# Regexp will be matched
+Rack::Shield.evil_paths << /\.sql\z/
+
+# String will be checked for inclusion
+Rack::Shield.evil_paths << '/wp-admin'
+```
+Defaults are defined in `Rack::Shield::DEFAULT_EVIL_PATHS`.
+
+## Blocked response
+
+By default, the blocked response is generated automatically:
+
+```ruby
+# default
+Rack::Shield.response = Rack::Shield::Response
+```
+
+It can be set to any `call`able object which conforms to the `Rack` interface:
+
+```ruby
+Rack::Shield.response = ->(env) { [403, { 'Content-Type' => 'text/html' }, ["Blocked!\n"]]
+```
+
+In Rails apps, the blocked response will be generated from `app/views/layouts/shield.html`.

data/Rakefile

@@ -0,0 +1,26 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/*_test.rb"]
+  t.warning = false
+end
+
+task :default => :test
+
+namespace :rack do
+  namespace :shield do
+    task :install do
+      require 'rack/shield'
+      file = defined?(Rails) ? Rails.root.join('app', 'views', 'layouts', 'shield.html') : 'shield.html'
+      if file.exist?
+        puts "skipping #{file}"
+      else
+        file.write(Rack::Shield::Response.default_template.read)
+        puts "create #{file}"
+      end
+    end
+  end
+end

data/lib/rack/shield/request_ext.rb

@@ -0,0 +1,11 @@
+module Rack
+  module Shield
+    module RequestExt
+      def raw_post_data
+        env['RAW_POST_DATA']
+      end
+    end
+  end
+end
+
+Rack::Attack::Request.include Rack::Shield::RequestExt

data/lib/rack/shield/responder.rb

@@ -0,0 +1,51 @@
+module Rack
+  module Shield
+    class Responder
+      attr_reader :request
+      
+      class << self
+        attr_writer :template
+        
+        def template
+          @template ||= if defined?(Rails)
+            Rails.root.join('app', 'views', 'layouts', 'shield.html')
+          else
+            default_template
+          end
+        end
+        
+        def default_template
+          Pathname.new(__FILE__).dirname.join('..', '..', '..', '..', 'templates', 'shield.html')
+        end
+        
+        def call(request)
+          new(request).render
+        end
+      end
+      
+      def initialize(request)
+        @request = request
+      end
+      
+      def env
+        request.env
+      end
+      
+      def render
+        return [403, { 'Content-Type' => 'text/html' }, []] if head?
+        html = self.class.template.read.gsub('%REQUEST_IP%', request_ip.to_s)
+        [403, { 'Content-Type' => 'text/html' }, ["#{html}\n"]]
+      end
+      
+      private
+      
+      def request_ip
+        env['HTTP_X_REAL_IP'] || env['REMOTE_ADDR']
+      end
+      
+      def head?
+        request.head?
+      end
+    end
+  end
+end

data/lib/rack/shield/version.rb

@@ -0,0 +1,5 @@
+module Rack
+  module Shield
+    VERSION = '1.1.0'
+  end
+end

data/lib/rack/shield.rb

@@ -0,0 +1,106 @@
+require 'pathname'
+require 'rack/attack'
+require_relative 'shield/version'
+require_relative 'shield/responder'
+require_relative 'shield/request_ext'
+
+module Rack
+  module Shield
+    DEFAULT_PATHS = [/\/wp-(includes|content|admin|json|config)/,
+                     /\.(php|cgi|asp|aspx|shtml|log|(my)?sql(\.tar)?(\.t?(gz|zip))?|cfm|py|lasso|e?rb|pl|jsp|do|action|sh)\z/i,
+                    'cgi-bin',
+                    'phpmyadmin',
+                    '/pma/',
+                    '/boaform/',
+                    'sqlbuddy',
+                    /(my)?sql-backup/,
+                    'etc/passwd',
+                    '/php/',
+                    '.php/',
+                    '/browsedisk',
+                    '/mambo/',
+                    '/jenkins/',
+                    '/joomla/',
+                    '/varien/js.js',
+                    '/drupal.js',
+                    'RELEASE_NOTES.txt',
+                    '/phpunit/',
+                    '/magento/',
+                    '/mage/',
+                    '/magento_version',
+                    '/mifs/',
+                    '/js/varien/',
+                    '/includes/',
+                    '/HNAP1',
+                    '/stalker_portal/',
+                    '/nmaplowercheck',
+                    '/solr/admin/',
+                    '/axis2/axis2-admin',
+                    '/telescope/requests',
+                    '/RELEASE_NOTES.txt',
+                    'deployment-config.json',
+                    'ftpsync.settings',
+                    '/_profiler/latest',
+                    '/_ignition/execute-solution',
+                    '/_wpeprivate/',
+                    '/Config/SaveUploadedHotspotLogoFile',
+                    'ALFA_DATA',
+                    'cgialfa',
+                    'alfacgiapi',
+                    /\A\/"/,
+                    /\/\.(hg|git|svn|bzr|htaccess|ftpconfig|vscode|remote-sync|aws|env|DS_Store)/,
+                    /\/old\/?\z/,
+                    /\/\.env\z/,
+                    /\A\/old-wp/,
+                    /\A\/(wordpress|wp)(\/|\z)/]
+    
+    DEFAULT_QUERIES = [/SELECT.+FROM.+/i,
+                       /SELECT.+COUNT/i,
+                       /SELECT.+UNION/i,
+                       /UNION.+SELECT/i,
+                       /INFORMATION_SCHEMA/i,
+                       '--%20',
+                       '-- ',
+                       '%2Fscript%3E',
+                       '<script>', '</script>',
+                       '<php>', '</php>',
+                       'XDEBUG_SESSION_START',
+                       'phpstorm',
+                       '<php>',
+                       'onload=confirm',
+                       'HelloThinkCMF',
+                       'XDEBUG_SESSION_START',
+                     ]
+
+    class << self
+
+      attr_accessor :paths, :queries, :checks, :responder
+  
+      def evil?(req)
+        (req.path && paths.any? { |matcher| match?(req.path, matcher) }) ||
+        (req.query_string && queries.any? { |matcher| match?(req.query_string, matcher) }) ||
+        (checks.any? { |matcher| match?(req, matcher) })
+      end
+      
+      def template
+        Pathname.new(__FILE__).dirname.join('..', '..', '..', 'templates', 'shield.html')
+      end
+  
+      private
+  
+      def match?(obj, matcher)
+        case matcher
+        when String then obj.include?(matcher)
+        when Regexp then obj.match?(matcher)
+        when Proc   then matcher.call(obj)
+        end
+      end
+    end
+
+    self.paths     = DEFAULT_PATHS.dup
+    self.queries   = DEFAULT_QUERIES.dup
+    self.checks    = []
+    self.responder = Responder
+
+  end
+end

data/lib/rack-shield.rb

@@ -0,0 +1 @@
+require 'rack/shield'

data/templates/shield.html

@@ -0,0 +1,146 @@
+<!DOCTYPE html>
+
+<html>
+
+<head>
+  <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+  <title>Access blocked</title>
+  <link rel="icon" href="data:,">
+  <style type="text/css">
+    @import 'https://fonts.googleapis.com/css?family=Roboto:300,500';
+    
+    body {
+      background-color: white;
+      color: #666;
+      text-align: center;
+      font-family: 'Roboto', sans-serif;
+      font-weight: 300;
+      font-size: 18px;
+      line-height: 1.5em;
+    }
+    
+    div#centerbox {
+       display: block;
+       position: absolute;
+       width: 100%;
+       height: 1px;
+       top: 50%;
+       left: 0px;
+       overflow: visible;
+       visibility: visible;
+    }
+
+    div#centerbox #dialog {
+       position: absolute;
+       width: 600px;
+       height: 500px;
+       top: -250px;
+       left: 50%;
+       margin-left: -300px;
+       overflow:visible;
+    }
+    
+    div.dialog {
+      width: 25em;
+      padding: 0 4em;
+      margin: auto;
+      //border: 1px solid #ccc;
+      border-right-color: #999;
+      border-bottom-color: #999;
+    }
+    
+    h1 {
+      font-size: 40px;
+      font-weight: 100;
+      line-height: 1.5em;
+    }
+    
+    a {
+      color: #428aff;
+      text-decoration: none;
+    }
+    
+    #checkbox-unchecked, #checkbox-checked {
+      width: 40px;
+      height: 40px;
+      vertical-align: middle;
+    }
+    
+    #checkbox-checked {
+      display: none;
+    }
+    
+    .norobot {
+      line-height: 45px;
+    }
+  </style>
+</head>
+
+<body class="blocked-page">
+  <div id="centerbox">
+    <div id="dialog">
+      <img id="logo" src="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIxMDAiIGhlaWdodD0iMTAwIiB2aWV3Qm94PSIwIDAgMjQgMjQiIGZpbGw9Im5vbmUiIHN0cm9rZT0iIzJkNjhjNCIgc3Ryb2tlLXdpZHRoPSIyLjUiIHN0cm9rZS1saW5lY2FwPSJyb3VuZCIgc3Ryb2tlLWxpbmVqb2luPSJyb3VuZCIgY2xhc3M9ImZlYXRoZXIgZmVhdGhlci1zaGllbGQiPjxwYXRoIGQ9Ik0xMiAyMnM4LTQgOC0xMFY1bC04LTMtOCAzdjdjMCA2IDggMTAgOCAxMHoiPjwvcGF0aD48L3N2Zz4=" alt="Shield"/>
+      <br/><br/>
+      <div lang="de">
+        <h1>Diese Webseite ist geschützt.</h1>
+        <p>
+          Wir haben eine ungewöhnliche Aktivität von Ihrer IP-Adresse <strong>%REQUEST_IP%</strong> festgestellt und den Zugriff auf diese Webseite blockiert.<br/>
+          <br/>
+          <strong>Bitte bestätigen Sie, dass Sie kein Roboter sind:</strong>
+        </p>
+      </div>
+      <div lang="en" style="display: none;">
+        <h1>This website is protected.</h1>
+        <p>
+          We have noticed an unusual activity from your IP <strong>%REQUEST_IP%</strong> and blocked access to this website.<br/>
+          <br/>
+          <strong>Please confirm that you are not a robot:</strong>
+        </p>
+      </div>
+      <div>
+        <p>
+          <img id="checkbox-unchecked" src="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSI0MCIgaGVpZ2h0PSI0MCIgdmlld0JveD0iMCAwIDI0IDI0IiBmaWxsPSJub25lIiBzdHJva2U9IiM2NjY2NjYiIHN0cm9rZS13aWR0aD0iMSIgc3Ryb2tlLWxpbmVjYXA9InJvdW5kIiBzdHJva2UtbGluZWpvaW49InJvdW5kIiBjbGFzcz0iZmVhdGhlciBmZWF0aGVyLXNxdWFyZSI+PHJlY3QgeD0iMyIgeT0iMyIgd2lkdGg9IjE4IiBoZWlnaHQ9IjE4IiByeD0iMiIgcnk9IjIiPjwvcmVjdD48L3N2Zz4=">
+          <img id="checkbox-checked" src="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSI0MCIgaGVpZ2h0PSI0MCIgdmlld0JveD0iMCAwIDI0IDI0IiBmaWxsPSJub25lIiBzdHJva2U9IiM2NjY2NjYiIHN0cm9rZS13aWR0aD0iMSIgc3Ryb2tlLWxpbmVjYXA9InJvdW5kIiBzdHJva2UtbGluZWpvaW49InJvdW5kIiBjbGFzcz0iZmVhdGhlciBmZWF0aGVyLWNoZWNrLXNxdWFyZSI+PHBvbHlsaW5lIHBvaW50cz0iOSAxMSAxMiAxNCAyMiA0Ij48L3BvbHlsaW5lPjxwYXRoIGQ9Ik0yMSAxMnY3YTIgMiAwIDAgMS0yIDJINWEyIDIgMCAwIDEtMi0yVjVhMiAyIDAgMCAxIDItMmgxMSI+PC9wYXRoPjwvc3ZnPg==">
+          &nbsp;<span class="norobot" lang="de">Ich bin kein Roboter.</span><span class="norobot" lang="en" style="display: none;">I'm not a robot.</span>
+          <input type="hidden" name="foobar">
+        </p>
+      </div>
+    </div>
+  </div>
+  <script>
+    var token = '%TOKEN%';
+  
+    var hide = function(elt) {
+      elt.style.display = 'none';
+    };
+  
+    var unhide = function(elt) {
+      switch (elt.tagName.toLowerCase()) {
+        case 'span':
+        case 'img':
+          elt.style.display = 'inline';
+          break;
+        default:
+          elt.style.display = 'block';
+      }
+    };
+    
+    var language = window.navigator.userLanguage || window.navigator.language;
+    if ( language && language.toLowerCase().startsWith('en') ) {
+      document.querySelectorAll('[lang=de]').forEach((elt) => { elt.style.display = 'none' });
+      document.querySelectorAll('[lang=en]').forEach(unhide);
+    }
+    
+    var unchecked = document.getElementById('checkbox-unchecked');
+    var checked = document.getElementById('checkbox-checked');
+    unchecked.addEventListener('click', function() {
+      hide(unchecked);
+      unhide(checked);
+    });
+    checked.addEventListener('click', function() {
+      hide(checked);
+      unhide(unchecked);
+    }); 
+  </script>
+</body>
+</html>

metadata

@@ -0,0 +1,66 @@
+--- !ruby/object:Gem::Specification
+name: rack-shield
+version: !ruby/object:Gem::Version
+  version: 1.1.0
+platform: ruby
+authors:
+- Matthias Grosser
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2022-08-19 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rack-attack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 6.6.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 6.6.0
+description: Plugin for rack-attack to block and unblock evil requests
+email:
+- mtgrosser@gmx.net
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- Rakefile
+- lib/rack-shield.rb
+- lib/rack/shield.rb
+- lib/rack/shield/request_ext.rb
+- lib/rack/shield/responder.rb
+- lib/rack/shield/version.rb
+- templates/shield.html
+homepage: https://github.com/mtgrosser/rack-shield
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.4
+signing_key: 
+specification_version: 4
+summary: Block and unblock evil requests
+test_files: []