rate_limit 0.0.1

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+.bundle
+Gemfile.lock
+pkg/*

data/Gemfile

@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in rate_limit.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,21 @@
+Copyright (c) 2012 Geoffroy Couprie
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+

data/README.md

@@ -0,0 +1,33 @@
+Rate Limit
+======
+
+Filter requests to your controllers, and block bruteforce attacks on your forms.
+
+By limiting the rate of requests, you could, without harming usability:
+* prevent password bruteforce on login forms
+* prevent user enumeration on password reset forms
+* slow significantly site scraping
+
+Features
+--------
+
+* Block requests if they exceed a specified rate (blockBy*)
+* Add a growing delay before accepting requests (slowBy*)
+* Reset the filter if successful use (resetBlockerByKey/resetSlowerByKey)
+
+Code example
+------------
+
+```ruby
+class HelloController < ApplicationController
+  def index
+    if RateLimit.slowByIp(request)
+      puts "not blocking the page"
+    else
+      puts "blocking the page"
+      render :nothing => true, :status => 403
+    end
+  end
+end
+```
+

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/lib/rate_limit.rb

@@ -0,0 +1,84 @@
+require "rate_limit/version"
+require "rate_limit/loader"
+require "rate_limit/visit"
+
+module RateLimit
+
+  ##
+  # Block requests by IP
+  # the request argument is given by the request method of Rails controllers
+
+  def self.limitByIp(request, requests_per_seconds = 1, cache = Rails.cache)
+    key = request.remote_ip+request.fullpath
+    blockByKey(key, requests_per_seconds, cache)
+  end
+
+  ##
+  # Slow requests by IP
+  # the factor parameter is the multiplicating factor for the growing time between requests
+  def self.slowByIp(request, requests_per_seconds = 1, factor = 1, cache = Rails.cache)
+    key = request.remote_ip+request.fullpath
+    slowByKey(key, requests_per_seconds, factor, cache)
+  end
+
+  ##
+  # Block requests by key
+  # You can define wich eky is used to discriminate between requests
+  def self.blockByKey(key, requests_per_seconds = 1, cache = Rails.cache)
+    loader = Loader.new cache
+
+    key = key+"b"
+    timestamp = Time.new.to_time.to_i
+    counter = loader.read key
+    if counter.nil?
+      loader.write key, BlockedVisit.new(1, timestamp)
+      true
+    else
+      counter.visits += 1
+      time = timestamp - counter.start_time
+      loader.write key, counter
+      requests_per_seconds > counter.visits.to_f/time.to_f
+    end
+  end
+
+  ##
+  # Slow requests by key
+  # You can define wich eky is used to discriminate between requests
+  def self.slowByKey(key, requests_per_seconds = 0.5, factor = 1, cache = Rails.cache)
+    loader = Loader.new cache
+
+    key = key+"s"
+    timestamp = Time.new.to_time.to_i
+    counter = loader.read key
+    if counter.nil?
+      loader.write key, SlowedVisit.new(1, timestamp)
+      true
+    else
+      time = timestamp - counter.previous
+      counter.previous = timestamp
+      wait_time = requests_per_seconds*factor*counter.visits
+      if wait_time < time
+        loader.write key, counter
+        true
+      else
+        counter.visits += 1
+        loader.write key, counter
+        false
+      end
+    end
+  end
+
+  ##
+  # Reset the counters for blocked requests
+  def self.resetBlockerByKey(key)
+    loader = Loader.new cache
+    cache.delete(key+"b")
+  end
+
+  ##
+  # Reset the counters for slowed requests
+  def self.resetSlowerByKey(key)
+    loader = Loader.new cache
+    cache.delete(key+"s")
+  end
+end

data/lib/rate_limit/loader.rb

@@ -0,0 +1,18 @@
+class RateLimit::Loader
+  def initialize(cache)
+    @cache = cache
+  end
+
+  def read(key)
+    data = @cache.read(key)
+    Marshal::load(data) unless data.nil?
+  end
+
+  def write(key, data)
+    @cache.write(key, Marshal::dump(data))
+  end
+
+  def delete(key)
+    @cache.delete(key)
+  end
+end

data/lib/rate_limit/version.rb

@@ -0,0 +1,3 @@
+module RateLimit
+  VERSION = "0.0.1"
+end

data/lib/rate_limit/visit.rb

@@ -0,0 +1,15 @@
+class RateLimit::BlockedVisit
+  attr_accessor :visits, :start_time
+  def initialize(visits, date)
+    @visits = visits
+    @start_time = date
+  end
+end
+
+class RateLimit::SlowedVisit
+  attr_accessor :visits, :previous
+  def initialize(visits = 0, previous)
+    @visits = visits
+    @previous = previous
+  end
+end

data/rate_limit.gemspec

@@ -0,0 +1,24 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "rate_limit/version"
+
+Gem::Specification.new do |s|
+  s.name        = "rate_limit"
+  s.version     = RateLimit::VERSION
+  s.authors     = ["Geoffroy Couprie"]
+  s.email       = ["geo.couprie@gmail.com"]
+  s.homepage    = "https://github.com/Geal/rate_limit"
+  s.summary     = %q{rate_limit filters page access in your Rails application}
+  s.description = %q{Limit request frequence by IP, by page, for login or password reset forms}
+
+  s.rubyforge_project = "rate_limit"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  # specify any dependencies here; for example:
+  # s.add_development_dependency "rspec"
+  # s.add_runtime_dependency "rest-client"
+end

metadata

@@ -0,0 +1,64 @@
+--- !ruby/object:Gem::Specification 
+name: rate_limit
+version: !ruby/object:Gem::Version 
+  prerelease: 
+  version: 0.0.1
+platform: ruby
+authors: 
+- Geoffroy Couprie
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2012-07-12 00:00:00 Z
+dependencies: []
+
+description: Limit request frequence by IP, by page, for login or password reset forms
+email: 
+- geo.couprie@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- .gitignore
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- lib/rate_limit.rb
+- lib/rate_limit/loader.rb
+- lib/rate_limit/version.rb
+- lib/rate_limit/visit.rb
+- rate_limit.gemspec
+homepage: https://github.com/Geal/rate_limit
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+requirements: []
+
+rubyforge_project: rate_limit
+rubygems_version: 1.8.8
+signing_key: 
+specification_version: 3
+summary: rate_limit filters page access in your Rails application
+test_files: []
+