web_shield 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 7770e88cb028cf1b22ef97d1fe7b4cfdfdacd668
+  data.tar.gz: 8d6ca04e94a030f8549519dc612b21fb9b44615a
+SHA512:
+  metadata.gz: 90b662cce0a88025b954d57ee89212574afec1d91f11e98afc25ae301d42e13a0635a5d387f88b0e20e9734c2b2c3f57becf51db42af74dff0415c1116f52142
+  data.tar.gz: 5abad4f941f28c259ba8acc486fd75d7d975481aff5cce472e5831db775a8fc689591d4686b346b59f9009f71b6b9a1d9553fc975c76f29cdea34c6c6ab10ec8

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+*.swp

data/.rspec

@@ -0,0 +1,4 @@
+--format documentation
+--require gem_helper
+--color
+

data/.travis.yml

@@ -0,0 +1,4 @@
+language: ruby
+rvm:
+  - 2.2.3
+before_install: gem install bundler -v 1.10.6

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in web_shield.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 jiangzhi.xie
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,59 @@
+# WebShield
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'web_shield'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install web_shield
+
+## Usage
+
+See `exmaples/base_config.rb`
+
+### Config options
+
+* `store`: 请求记录存储位置
+* `logger`: Logger instance
+* `user_parser`: 每个请求的限制都是按用户来的
+* `blocked_response`: 当 block 时返回的内容
+* `build_shield`: 构建防御，一个请求过来请会按构建的顺序去一一检查，如果有一个未通过，直接拒绝请求，如果带 skip_shields，当此 shield 被匹配时，如果通过则执行正常的业务，如果不通过则拒绝请求
+
+### Build shield options
+
+* `period`: required, 配合 limit ，在此周期内，如果请求数达到 limit 定义的上限，则 block 此次请求
+* `limit`: required, 周期内请求数上限
+* `method`: optional, default: nil, 匹配 request method, 比如 'get', 'post' 等
+* `dictatorial`: optional, default: false, 如果 request.path 与 rails_routes_matcher 匹配，那么无论是否有 block 此请求，都不再执行之后的 shields
+* `path_sensitive`: optional, default: false, 针对每个 request.path 来设置防护，防止同一个 path 被刷
+
+## TODO
+
+* UserShield: user whitelist and blacklist
+* HoneypotShield: 
+* Auto block request:
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/web_shield. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](contributor-covenant.org) code of conduct.
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "web_shield"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/examples/base_config.rb

@@ -0,0 +1,23 @@
+require 'web_shield'
+
+config = WebShield::Config.new
+config.store = WebShield::MemoryStore.new # or WebShield::RedisStore.new(redis: Redis.current)
+
+config.user_parser = Proc.new {|request| request.params[:token] || request.ip }
+
+base_path = '/api/v1'
+
+# filter order
+config.build_shield "#{base_path}/sessions", {period: 10, limit: 3, dictatorial: true}
+config.build_shield "#{base_path}/callbacks/app_store", {period: 10, limit: 5, dictatorial: true}
+config.build_shield "#{base_path}/callbacks/alipay", {period: 10, limit: 6, dictatorial: true}
+config.build_shield "#{base_path}/callbacks/xyz", {period: 10, limit: 4, dictatorial: true}
+config.build_shield "#{base_path}/users/change_password", {
+  period: 15, limit: 3, dictatorial: true, method: :post
+}
+config.build_shield "#{base_path}/*", {period: 10, limit: 3, path_sensitive: true}
+config.build_shield "/api/config", {period: 10, limit: 2}
+config.build_shield "/api/test", {period: 0, limit: 3}
+
+$base_config = config
+

data/examples/config.ru

@@ -0,0 +1,43 @@
+#\ -s webrick
+
+require 'pry'
+require File.expand_path('../base_config', __FILE__)
+require File.expand_path('../more_shields_config', __FILE__)
+
+class RackBenchmark
+  def initialize(app)
+    @app = app
+    @counter = {}
+  end
+
+  def call(env)
+    $req = request = Rack::Request.new(env)
+    s = Time.now
+    @app.call(env).tap do
+      cost = (Time.now - s) * 1000
+      path_counter = @counter[request.path] ||= [0, 0]
+      path_counter[0] += 1
+      path_counter[1] += cost
+      puts "#{cost} ms, avg #{path_counter[1] / path_counter[0]} ms"
+    end
+  end
+end
+
+use RackBenchmark
+
+app = Proc.new {|env| [200, {'Content-Type' => 'text/html'}, ['Hello WebShield']] }
+
+map '/normal' do
+  run app
+end
+
+map '/api/v1' do
+  use WebShield::Middleware, $base_config
+  run app
+end
+
+map '/api/v2' do
+  use WebShield::Middleware, $more_shields_config
+  run app
+end
+

data/examples/more_shields_config.rb

@@ -0,0 +1,33 @@
+require 'web_shield'
+
+config = WebShield::Config.new
+config.store = WebShield::MemoryStore.new # or WebShield::RedisStore.new(redis: Redis.current)
+
+config.user_parser = Proc.new {|request| request.params[:token] || request.ip }
+
+base_path = '/api/v2'
+
+100.times do |i|
+  config.build_shield "#{base_path}/#{i}", {
+    period: 10, limit: 3, dictatorial: true
+  }
+end
+
+config.build_shield "#{base_path}/callbacks/app_store", {
+  period: 10, limit: 5, dictatorial: true
+}
+config.build_shield "#{base_path}/callbacks/alipay", {
+  period: 10, limit: 6, dictatorial: true
+}
+config.build_shield "#{base_path}/callbacks/xyz", {
+  period: 10, limit: 4, dictatorial: true
+}
+config.build_shield "#{base_path}/users/change_password", {
+  period: 15, limit: 3, dictatorial: true
+}
+config.build_shield "#{base_path}/*", {period: 10, limit: 3}
+config.build_shield "#{base_path}/config", {period: 10, limit: 2}
+config.build_shield "#{base_path}//test", {period: 0, limit: 3}
+
+$more_shields_config = config
+

data/lib/web_shield/config.rb

@@ -0,0 +1,39 @@
+require 'logger'
+
+module WebShield
+  class Config
+    attr_accessor :store, :user_parser, :blocked_response, :logger
+    attr_reader :shields
+
+    def initialize
+      @shields = []
+      @shield_counter = 0
+
+      @user_parser = Proc.new {|req| req.ip }
+      @blocked_response = Proc.new {|req| [429, {}, ['Too Many Requests']] }
+      @logger = Logger.new($stdout)
+    end
+
+    def store=(store)
+      if store.respond_to?(:incr)
+        @store = store
+      else
+        raise Error, 'Invalid store, interface :incr is need'
+      end
+    end
+
+    def user_parser=(parser)
+      if parser.respond_to?(:call)
+        @user_parser = parser
+      else
+        raise Error, 'Invalid parser, interface :cal is need'
+      end
+    end
+
+    def build_shield(path_matcher, options, shield_class = ThrottleShield)
+      shields << shield_class.new(@shield_counter += 1, path_matcher, options, self)
+      logger.info("Build shield #{shields.last.id} #{path_matcher} #{options}")
+    end
+  end
+end
+

data/lib/web_shield/memory_store.rb

@@ -0,0 +1,38 @@
+require 'monitor'
+
+module WebShield
+  class MemoryStore
+    def initialize
+      @data = {}
+      @lock = Monitor.new
+    end
+
+    def incr(key, period = 0)
+      key = key.to_sym
+      current_period = period > 0 ? (Time.now.to_i / period) : 0
+
+      @lock.synchronize do
+        if @data[key]
+          if @data[key][1] == current_period
+            @data[key][0] += 1
+          else
+            @data[key][1] = current_period
+            @data[key][0] = 1
+          end
+        else
+          @data[key] = [1, current_period]
+          1
+        end
+      end
+    end
+
+    def reset(key)
+      @data.delete(key.to_sym)
+    end
+
+    def clear
+      @data.clear
+    end
+  end
+end
+

data/lib/web_shield/middleware.rb

@@ -0,0 +1,35 @@
+require 'rack'
+
+module WebShield
+  class Middleware
+    def initialize(app, config)
+      @app = app
+      @config = config
+    end
+
+    def call(env)
+      request = Rack::Request.new(env)
+
+      @config.shields.each do |shield|
+        result, response = shield.filter(request)
+
+        case result
+        when :block
+          return @config.blocked_response.call(request)
+        when :response
+          return response
+        when :pass
+          if shield.dictatorial?
+            # skip other shields
+            return @app.call(env)
+          end
+        else
+          # not match
+        end
+      end
+
+      @app.call(env)
+    end
+  end
+end
+

data/lib/web_shield/shield.rb

@@ -0,0 +1,54 @@
+require 'digest'
+
+module WebShield
+  class Shield
+    attr_reader :id, :shield_path, :path_matcher, :options, :config
+    OPTION_KEYS =[:period, :limit, :method, :path_sensitive, :dictatorial]
+
+    # Params:
+    #   path:
+    #   options:
+    #     period: required
+    #     limit: required
+    #     method: optional
+    #     path_sensitive: optional, defualt false
+    def initialize(id, shield_path, options, config)
+      @id = id
+      @shield_path = shield_path
+      @path_matcher = build_path_matcher(shield_path)
+      @options = hash_to_symbol_keys(options)
+      @config = config
+    end
+
+    # Returns: :pass, :block, [:response, rack_response], nil
+    def filter(request)
+      raise Error, "implement me"
+    end
+
+    def dictatorial?
+      @options[:dictatorial]
+    end
+
+
+    private
+
+    # Support symbols: :name, (), *
+    def build_path_matcher(path)
+      regexp_str = Regexp.escape(path)
+      regexp_str.gsub!(/\\\((.+)\\\)/, '(\1)?')
+      regexp_str.gsub!(/:[^\/\)]+(\)|\/)?/) {|str| "[^/]+#{$1 ? $1 : nil}" }
+      regexp_str.gsub!(/\/$/, '/?')
+      regexp_str.gsub!("\\*", '.*')
+      Regexp.new("\\A#{regexp_str}\\z", 'i')
+    end
+
+    def hash_to_symbol_keys(hash)
+      hash.each_with_object({}) do |kv, result|
+        key, val = kv[0].to_sym, kv[1]
+        raise Error, "Invalid shield option '#{key}'" unless OPTION_KEYS.include?(key)
+        result[key] = val
+      end
+    end
+  end
+end
+

data/lib/web_shield/throttle_shield.rb

@@ -0,0 +1,30 @@
+require 'digest'
+
+module WebShield
+  class ThrottleShield < Shield
+
+    def filter(request)
+      req_path = request.path
+      return unless path_matcher.match(req_path)
+      return :block if options[:limit] <= 0
+      return if options[:method] && options[:method].to_s.upcase != request.request_method
+
+      user = config.user_parser.call(request)
+      store_keys = [id.to_s, user.to_s]
+      if options[:path_sensitive]
+        route = [request.request_method, req_path]
+      else
+        route = (options[:method] ? [options[:method].to_s.upcase, shield_path] : [shield_path])
+      end
+      store_keys << Digest::MD5.hexdigest(route.join('-'))
+
+      if @config.store.incr(store_keys.join('-'), options[:period]) <= options[:limit]
+        :pass
+      else
+        config.logger.info("[#{id}] Block '#{user}' #{request.request_method} #{req_path}")
+        :block
+      end
+    end
+  end
+end
+

data/lib/web_shield/version.rb

@@ -0,0 +1,3 @@
+module WebShield
+  VERSION = "0.1.0"
+end

data/lib/web_shield.rb

@@ -0,0 +1,24 @@
+require "web_shield/version"
+
+require 'rack'
+# require 'active_support'
+# require 'active_support/core_ext'
+
+module WebShield
+  class Error < StandardError; end
+
+  autoload :Config, 'web_shield/config'
+  autoload :MemoryStore, 'web_shield/memory_store'
+  autoload :Shield, 'web_shield/shield'
+  autoload :ThrottleShield, 'web_shield/throttle_shield'
+  autoload :Middleware, 'web_shield/middleware'
+
+  class << self
+    attr_reader :config
+
+    def configure(&block)
+      @config = Config.new
+      block.call(@config)
+    end
+  end
+end

data/web_shield.gemspec

@@ -0,0 +1,28 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'web_shield/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "web_shield"
+  spec.version       = WebShield::VERSION
+  spec.authors       = ["jiangzhi.xie"]
+  spec.email         = ["xiejiangzhi@gmail.com"]
+
+  spec.summary       = %q{Rack request shield}
+  spec.description   = %q{Rack request shield}
+  spec.homepage      = "https://github.com/xjz19901211/web_shield"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.10"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec"
+  spec.add_development_dependency "pry"
+
+  spec.add_dependency "rack"
+end

metadata

@@ -0,0 +1,134 @@
+--- !ruby/object:Gem::Specification
+name: web_shield
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- jiangzhi.xie
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2016-07-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Rack request shield
+email:
+- xiejiangzhi@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- examples/base_config.rb
+- examples/config.ru
+- examples/more_shields_config.rb
+- lib/web_shield.rb
+- lib/web_shield/config.rb
+- lib/web_shield/memory_store.rb
+- lib/web_shield/middleware.rb
+- lib/web_shield/shield.rb
+- lib/web_shield/throttle_shield.rb
+- lib/web_shield/version.rb
+- web_shield.gemspec
+homepage: https://github.com/xjz19901211/web_shield
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5.1
+signing_key: 
+specification_version: 4
+summary: Rack request shield
+test_files: []