wafris 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: dd571cbf8934f0b14384e1b85d42d5a70ffaaa98f17e8fcfd3545553b6b1d6af
+  data.tar.gz: a5a053621c83c0ed2892a8aca08fc26439e6e0cff95bcdbf8787b35c0ad1eaf3
+SHA512:
+  metadata.gz: 339e8b1fee46d79287716e20edfc24b80c720a82f12d07485508c0beb16c9813f4f35530b7473d0711d75a6e316e97236d7912024b984e96524649021d58be19
+  data.tar.gz: c674ca5de599c5f0bb7f7bfb6beba19d4bec38411f66cddf27897c4ecafe9a3486e723b30e39a7cb63472106ca62483ee7ffc5b98fd31dd331d7eae82efc13df

data/lib/wafris/configuration.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module Wafris
+  class Configuration
+    attr_accessor :redis
+    attr_accessor :redis_pool_size
+
+    def initialize
+      @redis = Redis.new
+      @redis_pool_size = 20
+    end
+
+    def connection_pool
+      @connection_pool ||=
+        ConnectionPool.new(size: redis_pool_size) { redis }
+    end
+
+    def enabled?
+      redis.ping
+
+      return true
+    rescue Redis::CannotConnectError
+      raise <<~CONNECTION_ERROR
+        Wafris cannot connect to Redis.
+
+        The current Redis instance points to a connection that
+        cannot be pinged.
+      CONNECTION_ERROR
+    end
+
+    def script_sha
+      @script_sha ||= redis.script(:load, wafris_core)
+    end
+
+    def wafris_core
+      File.read(
+        File.join(
+          File.dirname(__FILE__),
+          'wafris_core.lua'
+        )
+      )
+    end
+  end
+end

data/lib/wafris/middleware.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Wafris
+  class Middleware
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      request = Rack::Request.new(env)
+
+      if Wafris.configuration.enabled? && Wafris.allow_request?(request)
+        @app.call(env)
+      else
+        puts 'blocked'
+        [403, {}, ['Blocked']]
+      end
+    end
+  end
+end

data/lib/wafris/railtie.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Wafris
+  class Railtie < ::Rails::Railtie
+    initializer 'wafris.middleware' do |app|
+      app.middleware.use(Wafris::Middleware)
+    end
+  end
+end

data/lib/wafris/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Wafris
+  VERSION = "0.0.1"
+end

data/lib/wafris/wafris_core.lua

@@ -0,0 +1,42 @@
+local LAST_REQUESTS_TIME = 'last_requests_time'
+local TWENTY_FOUR_HOURS = 86400
+
+local ip = ARGV[1]
+local ip_to_decimal = ARGV[2]
+local unix_time = ARGV[3]
+local expire_time = unix_time - TWENTY_FOUR_HOURS
+local ip_request_string = "ip-requests-" .. ip
+local hour_bucket = ARGV[4]
+
+-- LEADERBOARD DATA COLLECTION
+-- Add IP to last_requests_time key by integer timestamp
+-- ZADD last_requets_time 1661356145 '192.168.1.1'
+redis.call('ZADD', LAST_REQUESTS_TIME, unix_time, ip)
+-- Remove IP from last_requests_time if it has been there for 24 hours
+-- ZREMRANGEBYSCORE last_requests_time 0 (1661356145 - 86400)
+redis.call('ZREMRANGEBYSCORE', LAST_REQUESTS_TIME, 0, expire_time)
+-- Add IP to ip-requests-<ip> for leaderboard tracking
+-- LPUSH ip-requests-192.168.1.1 1661356145
+redis.call('LPUSH', ip_request_string, unix_time)
+-- Have the key expire in 24 hours
+-- EXPIRE ip-requests-192.168.1.1 86400
+redis.call('EXPIRE', ip_request_string, TWENTY_FOUR_HOURS)
+
+-- GRAPH DATA COLLECTION
+-- Increment counter for hourly buckets
+-- INC all-ips:2022-10-01:12
+redis.call('INCR', hour_bucket)
+-- EXPIRE all-ips:2022-10-01:12 86400
+redis.call('EXPIRE', hour_bucket, TWENTY_FOUR_HOURS)
+
+-- BLOCKING LOGIC
+-- Safelist Range Check
+if next(redis.call('ZRANGEBYSCORE', 'allowed_ranges', ip_to_decimal, "+inf", "LIMIT", 0, 1)) then
+  return 'Allowed'
+-- Blocklist Range Check
+elseif next(redis.call('ZRANGEBYSCORE', 'blocked_ranges', ip_to_decimal, "+inf", "LIMIT", 0, 1)) then
+  return 'Blocked'
+-- No Matches
+else
+  return 'Not found'
+end

data/lib/wafris.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require 'connection_pool'
+require 'rails'
+require 'redis'
+
+require 'wafris/configuration'
+require 'wafris/middleware'
+
+require 'wafris/railtie' if defined?(Rails::Railtie)
+
+module Wafris
+  class << self
+    def configure
+      yield configuration
+    end
+
+    def configuration
+      @configuration ||= Wafris::Configuration.new
+    end
+
+    def reset
+      @configuration = Wafris::Configuration.new
+    end
+
+    # ip: the IP of the client making the request, may be from x-forwarded-for
+    # user_agent: full user agent making the request
+    # path: path including parameters of the request
+    # host: host (website/domain) making the request
+    # time: UTC time of the request (from the logs to match things up)
+
+    def allow_request?(request)
+      configuration.connection_pool.with do |conn|
+        time = Time.now
+        status = conn.evalsha(
+          configuration.script_sha,
+          argv: [
+            request.ip,
+            IPAddr.new(request.ip).to_i,
+            time.to_i,
+            "all-ips:#{time.strftime('%Y-%m-%d')}:#{time.hour}"
+          ]
+        )
+
+        if status.eql? 'Blocked'
+          return false
+        else
+          return true
+        end
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,217 @@
+--- !ruby/object:Gem::Specification
+name: wafris
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Micahel Buckbee
+- Ryan Castillo
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2023-02-06 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: connection_pool
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.3.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.3.0
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: redis
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.8'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.8.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.8'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.8.0
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.1'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.14'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.14.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.14'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.14.1
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.2
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '7.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 7.0.4
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '7.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 7.0.4
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '7.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 7.0.4
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '7.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 7.0.4
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 13.0.6
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 13.0.6
+description:
+email:
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/wafris.rb
+- lib/wafris/configuration.rb
+- lib/wafris/middleware.rb
+- lib/wafris/railtie.rb
+- lib/wafris/version.rb
+- lib/wafris/wafris_core.lua
+homepage:
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.5'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.26
+signing_key:
+specification_version: 4
+summary: Web application firewall for Rack apps
+test_files: []