trackguard 0.24.0 → 0.27.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5aa174f1f8378c716f8e601ed6d3f44b2b0efc3b6edfc81adeb50748f0e05474
-  data.tar.gz: 9170569fe975d076478d533eb4358f15f0537ef443ab13fb8438ce2c2d08c17d
+  metadata.gz: 8e9860b115149813503e2063f8ed18c86fe82510c392a12a15eec6ecda39abbc
+  data.tar.gz: 34f0816d3a6193f71b985336fec9076e8c7889ff583c60165b0ddbcfc7a118da
 SHA512:
-  metadata.gz: 0a7d7bd33d7060fd30d59594485082a2e549fb1b5f8daef66835ae1e005f1a03065626608a372b7a346a9335a888685ed3fe20397b00e10c01a3f4af90b48d67
-  data.tar.gz: 3b1911ae2d9e9826166bad1c8539a227b73627991c9d5928a2bf07abb0e58ad7408331b191353cabac544acbae30ad56f65c41db42cece8357f04e16989fa0ea
+  metadata.gz: 8bccd308249f6c1dc2413abeb2b4c0e133736b3e75bd8f325ca64d042e9989c6b6c826d2959d92912965974062cb73b031f74413587bb2439b48dc1eef5e1a50
+  data.tar.gz: 5d56636a21dd20f458b48047ea2749ad54994e11db96c70574148b267440a0da0bd05706cd6ca9d22e1192b1d7f7b498c0733a75bed260a088978e08886f152e

data/app/controllers/trackguard/admin/blocked_paths_controller.rb

@@ -0,0 +1,27 @@
+module Trackguard
+  module Admin
+    class BlockedPathsController < BaseController
+      skip_before_action :verify_authenticity_token, if: :valid_api_token?
+
+      def index
+        render json: BlockedPath.order(:pattern).pluck(:pattern)
+      end
+
+      def create
+        record = BlockedPath.find_or_create_by!(pattern: params.fetch(:pattern))
+        Rails.cache.delete(BlockedPath::CACHE_KEY)
+        render json: { status: "ok", pattern: record.pattern }
+      rescue ActionController::ParameterMissing, ActiveRecord::RecordInvalid => e
+        render json: { status: "error", message: e.message }, status: :unprocessable_content
+      end
+
+      private
+
+      def authenticate_admin!
+        return if valid_api_token?
+
+        super
+      end
+    end
+  end
+end

data/app/jobs/trackguard/detect_suspicious_visitors_job.rb

@@ -5,14 +5,13 @@ module Trackguard
     HARD_FLAG_THRESHOLD  = 50
     HIGH_VOLUME_MIN      = 20
     MEDIUM_VOLUME_MIN    = 10
-    FLAG_SCORE_THRESHOLD = 6
+    FLAG_SCORE_THRESHOLD = 5
     MIN_VIEWS            = 3
 
     WEIGHTS = {
       high_volume: 4,
       medium_volume: 2,
-      no_session: 3,
-      no_referer: 2
+      no_session: 3
     }.freeze
 
     def perform
@@ -55,12 +54,17 @@ module Trackguard
         return
       end
 
+      if (path = probe_path_hit(views))
+        flag!(visitor, "probe path hit: #{path}", name: name)
+        return
+      end
+
       # Don't flag casual visitors with very few views — on a single-page site,
       # legitimate users naturally hit only "/" once or twice.
       return if count < MIN_VIEWS
 
-      if views.all? { |pv| pv.session_id.nil? && pv.referer.nil? && pv.path == "/" }
-        flag!(visitor, "no session, no referrer, single root hit", name: name)
+      if views.all? { |pv| pv.session_id.nil? && pv.referer.nil? } && views.map(&:path).uniq.size == 1
+        flag!(visitor, "no session, no referrer, single path hit", name: name)
         return
       end
 
@@ -80,11 +84,6 @@ module Trackguard
         reasons << "#{pct(views, :session_id)}% of views had no session"
       end
 
-      if blank_ratio(views, :referer) > 0.0
-        score += WEIGHTS[:no_referer]
-        reasons << "#{pct(views, :referer)}% of views had no referer"
-      end
-
       return if score < FLAG_SCORE_THRESHOLD
 
       flag!(visitor, reasons.join("; "), name: name)
@@ -114,8 +113,16 @@ module Trackguard
         end
     end
 
+    def probe_path_hit(views)
+      views.find { |pv| BlockedPath.blocked?(pv.path) }&.path
+    end
+
     def ua_flag_reason(user_agent)
-      "blank or minimal user-agent" if user_agent.blank? || user_agent.to_s.length < 10
+      return "blank or minimal user-agent" if user_agent.blank? || user_agent.to_s.length < 10
+      return "bare Mozilla/5.0 user-agent" if user_agent.strip == "Mozilla/5.0"
+      return "malformed user-agent (quoted)" if user_agent.start_with?('"')
+
+      "malformed user-agent (duplicate)" if user_agent.scan("Mozilla/5.0").size > 1
     end
 
     def flag!(visitor, reason, name: nil)

data/app/models/trackguard/blocked_path.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Trackguard
+  class BlockedPath < ApplicationRecord
+    self.table_name = "trackguard_blocked_paths"
+
+    CACHE_KEY = "trackguard/blocked_path_patterns"
+
+    validates :pattern, presence: true, uniqueness: true
+
+    def self.blocked?(path)
+      patterns = Rails.cache.fetch(CACHE_KEY, expires_in: 10.minutes) do
+        pluck(:pattern)
+      end
+      patterns.any? { |p| path.to_s.downcase.include?(p.downcase) }
+    end
+
+    def self.matching_pattern(path)
+      patterns = Rails.cache.fetch(CACHE_KEY, expires_in: 10.minutes) do
+        pluck(:pattern)
+      end
+      patterns.find { |p| path.to_s.downcase.include?(p.downcase) }
+    end
+  end
+end

data/app/models/trackguard/blocked_request.rb

@@ -4,10 +4,12 @@ module Trackguard
   class BlockedRequest < Visit
     REASON_SCANNER = "trackguard/block known scanners"
     REASON_FLAGGED = "trackguard/flagged visitors"
+    REASON_PROBE   = "trackguard/block known paths"
 
     validates :path, :block_reason, presence: true
 
     scope :scanners, -> { where(block_reason: REASON_SCANNER) }
     scope :flagged,  -> { where(block_reason: REASON_FLAGGED) }
+    scope :probes,   -> { where(block_reason: REASON_PROBE) }
   end
 end

data/config/routes.rb

@@ -6,6 +6,7 @@ Trackguard::Engine.routes.draw do
     resource  :analytics, only: :show
     resources :visits,              only: :index
     resources :blocked_user_agents, only: %i[index create]
+    resources :blocked_paths,       only: %i[index create]
     patch "visitors/flag",        to: "visitors#flag",              as: :flag_visitor
     patch "visitors/unflag",      to: "visitors#unflag",            as: :unflag_visitor
     patch "visitors/whitelist",   to: "whitelisted_ips#create",     as: :whitelist_visitor

data/lib/generators/trackguard/install_generator.rb

@@ -11,14 +11,20 @@ module Trackguard
       ActiveRecord::Generators::Base.next_migration_number(dirname)
     end
 
-    def create_migration_file
-      migration_template "create_trackguard_tables.rb", "db/migrate/create_trackguard_tables.rb"
+    def create_migration_files
+      migration_template "create_trackguard_visitors.rb",           "db/migrate/create_trackguard_visitors.rb"
+      migration_template "create_trackguard_visits.rb",             "db/migrate/create_trackguard_visits.rb"
+      migration_template "create_trackguard_whitelisted_ips.rb",    "db/migrate/create_trackguard_whitelisted_ips.rb"
+      migration_template "create_trackguard_blocked_user_agents.rb",
+                         "db/migrate/create_trackguard_blocked_user_agents.rb"
+      migration_template "create_trackguard_blocked_paths.rb", "db/migrate/create_trackguard_blocked_paths.rb"
     end
 
     def print_next_steps
       say "\nNext steps:", :green
       say "  1. rails db:migrate"
       say "  2. rails trackguard:seed_blocked_user_agents"
+      say "  3. rails trackguard:seed_blocked_paths"
     end
   end
 end

data/lib/generators/trackguard/templates/create_trackguard_blocked_paths.rb

@@ -0,0 +1,10 @@
+class CreateTrackguardBlockedPaths < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version %>]
+  def change
+    create_table :trackguard_blocked_paths do |t|
+      t.string :pattern, null: false
+      t.timestamps
+    end
+
+    add_index :trackguard_blocked_paths, :pattern, unique: true
+  end
+end

data/lib/generators/trackguard/templates/create_trackguard_blocked_user_agents.rb

@@ -0,0 +1,10 @@
+class CreateTrackguardBlockedUserAgents < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version %>]
+  def change
+    create_table :trackguard_blocked_user_agents do |t|
+      t.string :pattern, null: false
+      t.timestamps
+    end
+
+    add_index :trackguard_blocked_user_agents, :pattern, unique: true
+  end
+end

data/lib/generators/trackguard/templates/create_trackguard_visitors.rb

@@ -0,0 +1,17 @@
+class CreateTrackguardVisitors < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version %>]
+  def change
+    create_table :trackguard_visitors do |t|
+      t.string   :ip
+      t.string   :name
+      t.string   :user_agent
+      t.datetime :first_seen_at, null: false
+      t.datetime :last_seen_at,  null: false
+      t.datetime :flagged_at
+      t.string   :flag_reason
+      t.string   :flagged_by
+      t.timestamps
+    end
+
+    add_index :trackguard_visitors, :ip, unique: true
+  end
+end

data/lib/generators/trackguard/templates/create_trackguard_visits.rb

@@ -0,0 +1,23 @@
+class CreateTrackguardVisits < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version %>]
+  def change
+    create_table :trackguard_visits do |t|
+      t.string    :type
+      t.string    :path,         null: false
+      t.string    :user_agent
+      t.string    :referer
+      t.string    :session_id
+      t.string    :trace_id
+      t.string    :source
+      t.string    :block_reason
+      t.string    :http_method
+      t.references :visitor,     null: false, foreign_key: { to_table: :trackguard_visitors }
+      t.datetime  :created_at,   null: false
+    end
+
+    add_index :trackguard_visits, :type
+    add_index :trackguard_visits, :path
+    add_index :trackguard_visits, :created_at
+    add_index :trackguard_visits, :source
+    add_index :trackguard_visits, :block_reason
+  end
+end

data/lib/generators/trackguard/templates/create_trackguard_whitelisted_ips.rb

@@ -0,0 +1,13 @@
+class CreateTrackguardWhitelistedIps < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version %>]
+  def change
+    create_table :trackguard_whitelisted_ips do |t|
+      t.string   :ip,         null: false
+      t.datetime :expires_at, null: false
+      t.references :visitor,  foreign_key: { to_table: :trackguard_visitors }
+      t.timestamps
+    end
+
+    add_index :trackguard_whitelisted_ips, :ip,         unique: true
+    add_index :trackguard_whitelisted_ips, :expires_at
+  end
+end

data/lib/tasks/trackguard.rake

@@ -29,4 +29,97 @@ namespace :trackguard do
     puts "Done: #{inserted} inserted, #{patterns.size - inserted} already existed " \
          "(#{Trackguard::BlockedUserAgent.count} total)"
   end
+
+  desc "Seed default blocked path patterns into trackguard_blocked_paths"
+  task seed_blocked_paths: :environment do
+    patterns = [
+      # WordPress
+      "wp-login.php", "wp-admin", "wp-config.php", "xmlrpc.php",
+      # Other CMS admin panels
+      "/administrator", "/typo3/",
+      # PHP shells & backdoors
+      "shell.php", "cmd.php", "c99.php", "r57.php", "webshell", "backdoor.php",
+      # Environment & config leaks
+      "/.env", "/web.config",
+      "phpinfo.php", "info.php", "test.php",
+      # Database admin tools
+      "/phpmyadmin", "/pma/", "/myadmin", "adminer.php",
+      # Source control leaks
+      "/.git/config", "/.git/HEAD", "/.svn/",
+      # Cloud credential leaks
+      "/.aws/credentials",
+      # Spring Boot / Java actuator
+      "/actuator/env", "/actuator/mappings", "/solr/admin/"
+    ]
+
+    inserted = patterns.count do |p|
+      Trackguard::BlockedPath.find_or_create_by!(pattern: p).previously_new_record?
+    end
+
+    puts "Done: #{inserted} inserted, #{patterns.size - inserted} already existed " \
+         "(#{Trackguard::BlockedPath.count} total)"
+  end
+
+  desc "Replace the monolithic create_trackguard_tables migration with individual per-table migrations"
+  task cleanup_monolithic_migration: :environment do
+    require "erb"
+
+    migrate_dir  = Rails.root.join("db", "migrate")
+    monolithic   = Dir[migrate_dir.join("*_create_trackguard_tables.rb")].first
+
+    unless monolithic
+      puts "No create_trackguard_tables migration found — nothing to do."
+      next
+    end
+
+    base_version = File.basename(monolithic).match(/\A(\d{14})/)[1].to_i
+    template_dir = Trackguard::Engine.root.join("lib", "generators", "trackguard", "templates")
+
+    splits = [
+      [ base_version,     "create_trackguard_visitors" ],
+      [ base_version + 1, "create_trackguard_visits" ],
+      [ base_version + 2, "create_trackguard_whitelisted_ips" ],
+      [ base_version + 3, "create_trackguard_blocked_user_agents" ],
+      [ base_version + 4, "create_trackguard_blocked_paths" ]
+    ]
+
+    create_list = splits.map { |ts, name| "  db/migrate/#{ts}_#{name}.rb" }.join("\n")
+
+    puts "This will make the following changes to your application:"
+    puts ""
+    puts "  Remove:  db/migrate/#{File.basename(monolithic)}"
+    puts "  Create (table/index creation guarded with if_not_exists):"
+    puts create_list
+    puts ""
+    puts "  Run `rails db:migrate` afterwards — existing tables and indexes are skipped safely."
+    puts ""
+
+    $stdout.print "Proceed? [y/N] "
+    input = $stdin.gets.to_s.strip.downcase
+    unless input == "y"
+      puts "Aborted."
+      next
+    end
+
+    puts ""
+
+    splits.each do |ts, name|
+      path = migrate_dir.join("#{ts}_#{name}.rb")
+      if path.exist?
+        puts "  skip   #{path.basename}"
+      else
+        raw = ERB.new(File.read(template_dir.join("#{name}.rb"))).result(binding)
+        guarded = raw
+                  .gsub(/create_table (\S+) do/, 'create_table \1, if_not_exists: true do')
+                  .gsub(/^(\s+add_index .+)$/, '\1, if_not_exists: true')
+        path.write(guarded)
+        puts "  create #{path.basename}"
+      end
+    end
+
+    FileUtils.rm(monolithic)
+    puts "  remove #{File.basename(monolithic)}"
+
+    puts "\nDone. Run `rails db:migrate` to apply any missing migrations."
+  end
 end

data/lib/trackguard/adapters/base.rb

@@ -4,11 +4,13 @@ module Trackguard
   module Adapters
     class Base
       def blocked_user_agent?(user_agent) = raise NotImplementedError, "#{self.class}#blocked_user_agent?"
+      def blocked_path?(path)             = raise NotImplementedError, "#{self.class}#blocked_path?"
       def whitelisted_ip?(ip)             = raise NotImplementedError, "#{self.class}#whitelisted_ip?"
       def flagged_visitor?(ip)            = raise NotImplementedError, "#{self.class}#flagged_visitor?"
 
       def track_page_view(path:, ip:, user_agent:, referer:, session_id:, trace_id:, source:, initial:, http_method:)
         return if blocked_user_agent?(user_agent)
+        return if blocked_path?(path)
         return if path.blank? || path.start_with?(Trackguard.admin_path)
 
         perform_track_page_view(

data/lib/trackguard/adapters/local.rb

@@ -7,6 +7,10 @@ module Trackguard
         BlockedUserAgent.blocked?(user_agent)
       end
 
+      def blocked_path?(path)
+        BlockedPath.blocked?(path)
+      end
+
       def whitelisted_ip?(ip)
         WhitelistedIp.whitelisted?(ip)
       end

data/lib/trackguard/rack_attack.rb

@@ -4,6 +4,7 @@ require "rack/attack"
 
 module Trackguard
   module RackAttack
+    # rubocop:disable Metrics/MethodLength
     def self.configure
       adapter = Trackguard.adapter
 
@@ -19,6 +20,10 @@ module Trackguard
         adapter.blocked_user_agent?(req.user_agent)
       end
 
+      ::Rack::Attack.blocklist("trackguard/block known paths") do |req|
+        adapter.blocked_path?(req.path)
+      end
+
       ::Rack::Attack.blocklist("trackguard/flagged visitors") do |req|
         adapter.flagged_visitor?(req.ip)
       end
@@ -31,6 +36,7 @@ module Trackguard
 
       subscribe_to_blocked_requests(adapter)
     end
+    # rubocop:enable Metrics/MethodLength
 
     def self.subscribe_to_blocked_requests(adapter)
       @subscribe_to_blocked_requests ||= ActiveSupport::Notifications.subscribe("rack.attack") do |*, payload|

data/lib/trackguard/version.rb

@@ -1,3 +1,3 @@
 module Trackguard
-  VERSION = "0.24.0".freeze
+  VERSION = "0.27.1".freeze
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: trackguard
 version: !ruby/object:Gem::Version
-  version: 0.24.0
+  version: 0.27.1
 platform: ruby
 authors:
 - Krzysztof Rygielski
@@ -50,6 +50,7 @@ files:
 - app/controllers/concerns/trackguard/page_tracker.rb
 - app/controllers/trackguard/admin/analytics_controller.rb
 - app/controllers/trackguard/admin/base_controller.rb
+- app/controllers/trackguard/admin/blocked_paths_controller.rb
 - app/controllers/trackguard/admin/blocked_user_agents_controller.rb
 - app/controllers/trackguard/admin/dashboards_controller.rb
 - app/controllers/trackguard/admin/visitors_controller.rb
@@ -60,6 +61,7 @@ files:
 - app/jobs/trackguard/detect_suspicious_visitors_job.rb
 - app/jobs/trackguard/track_blocked_request_job.rb
 - app/jobs/trackguard/track_page_view_job.rb
+- app/models/trackguard/blocked_path.rb
 - app/models/trackguard/blocked_request.rb
 - app/models/trackguard/blocked_user_agent.rb
 - app/models/trackguard/page_view.rb
@@ -79,12 +81,12 @@ files:
 - app/views/trackguard/admin/visits/index.html.erb
 - config/importmap.rb
 - config/routes.rb
-- db/migrate/20260505191009_add_name_to_trackguard_visitors.rb
 - lib/generators/trackguard/install_generator.rb
-- lib/generators/trackguard/templates/add_trackguard_visits.rb
-- lib/generators/trackguard/templates/add_visitor_name.rb
-- lib/generators/trackguard/templates/create_trackguard_tables.rb
-- lib/generators/trackguard/upgrade_generator.rb
+- lib/generators/trackguard/templates/create_trackguard_blocked_paths.rb
+- lib/generators/trackguard/templates/create_trackguard_blocked_user_agents.rb
+- lib/generators/trackguard/templates/create_trackguard_visitors.rb
+- lib/generators/trackguard/templates/create_trackguard_visits.rb
+- lib/generators/trackguard/templates/create_trackguard_whitelisted_ips.rb
 - lib/tasks/trackguard.rake
 - lib/trackguard.rb
 - lib/trackguard/adapters/base.rb

data/db/migrate/20260505191009_add_name_to_trackguard_visitors.rb

@@ -1,5 +0,0 @@
-class AddNameToTrackguardVisitors < ActiveRecord::Migration[8.0]
-  def change
-    add_column :trackguard_visitors, :name, :string
-  end
-end

data/lib/generators/trackguard/templates/add_trackguard_visits.rb

@@ -1,27 +0,0 @@
-# frozen_string_literal: true
-
-class AddTrackguardVisits < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version %>]
-  def up
-    rename_table :trackguard_page_views, :trackguard_visits
-
-    add_column :trackguard_visits, :type,         :string
-    add_column :trackguard_visits, :block_reason, :string
-    add_column :trackguard_visits, :http_method,  :string
-
-    add_index :trackguard_visits, :type
-    add_index :trackguard_visits, :block_reason
-
-    execute "UPDATE trackguard_visits SET type = 'Trackguard::PageView'"
-  end
-
-  def down
-    remove_index :trackguard_visits, :block_reason
-    remove_index :trackguard_visits, :type
-
-    remove_column :trackguard_visits, :http_method
-    remove_column :trackguard_visits, :block_reason
-    remove_column :trackguard_visits, :type
-
-    rename_table :trackguard_visits, :trackguard_page_views
-  end
-end

data/lib/generators/trackguard/templates/add_visitor_name.rb

@@ -1,7 +0,0 @@
-# frozen_string_literal: true
-
-class AddVisitorName < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version %>]
-  def change
-    add_column :trackguard_visitors, :name, :string
-  end
-end

data/lib/generators/trackguard/templates/create_trackguard_tables.rb

@@ -1,54 +0,0 @@
-class CreateTrackguardTables < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version %>]
-  def change
-    create_table :trackguard_visitors do |t|
-      t.string   :ip
-      t.string   :name
-      t.string   :user_agent
-      t.datetime :first_seen_at, null: false
-      t.datetime :last_seen_at,  null: false
-      t.datetime :flagged_at
-      t.string   :flag_reason
-      t.string   :flagged_by
-      t.timestamps
-    end
-
-    add_index :trackguard_visitors, :ip, unique: true
-
-    create_table :trackguard_visits do |t|
-      t.string    :type
-      t.string    :path,         null: false
-      t.string    :user_agent
-      t.string    :referer
-      t.string    :session_id
-      t.string    :trace_id
-      t.string    :source
-      t.string    :block_reason
-      t.string    :http_method
-      t.references :visitor,     null: false, foreign_key: { to_table: :trackguard_visitors }
-      t.datetime  :created_at,   null: false
-    end
-
-    add_index :trackguard_visits, :type
-    add_index :trackguard_visits, :path
-    add_index :trackguard_visits, :created_at
-    add_index :trackguard_visits, :source
-    add_index :trackguard_visits, :block_reason
-
-    create_table :trackguard_whitelisted_ips do |t|
-      t.string   :ip,         null: false
-      t.datetime :expires_at, null: false
-      t.references :visitor,  foreign_key: { to_table: :trackguard_visitors }
-      t.timestamps
-    end
-
-    add_index :trackguard_whitelisted_ips, :ip,         unique: true
-    add_index :trackguard_whitelisted_ips, :expires_at
-
-    create_table :trackguard_blocked_user_agents do |t|
-      t.string :pattern, null: false
-      t.timestamps
-    end
-
-    add_index :trackguard_blocked_user_agents, :pattern, unique: true
-  end
-end

data/lib/generators/trackguard/upgrade_generator.rb

@@ -1,27 +0,0 @@
-require "rails/generators"
-require "rails/generators/active_record"
-
-module Trackguard
-  class UpgradeGenerator < Rails::Generators::Base
-    include Rails::Generators::Migration
-
-    source_root File.expand_path("templates", __dir__)
-
-    def self.next_migration_number(dirname)
-      ActiveRecord::Generators::Base.next_migration_number(dirname)
-    end
-
-    def create_visits_migration_file
-      migration_template "add_trackguard_visits.rb", "db/migrate/add_trackguard_visits.rb"
-    end
-
-    def create_visitor_name_migration_file
-      migration_template "add_visitor_name.rb", "db/migrate/add_visitor_name.rb"
-    end
-
-    def print_next_steps
-      say "\nNext steps:", :green
-      say "  1. rails db:migrate"
-    end
-  end
-end