From 1d2c646ae17bc06f55678e9d2f182fa953069107 Mon Sep 17 00:00:00 2001
From: fatkodima
Date: Fri, 18 Oct 2019 01:23:51 +0300
Subject: [PATCH 01/12] Remove support for ruby 2.3

(cherry picked from commit 56361ab56b96c909d6796f05e05bf224dd05d050)
---
 .rubocop.yml | 2 +-
 .travis.yml | 3 ---
 rack-attack.gemspec | 2 +-
 3 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/.rubocop.yml b/.rubocop.yml
index 7fe2ca6..b12c0b4 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -6,7 +6,7 @@ inherit_mode:
- Exclude

AllCops:
- TargetRubyVersion: 2.3
+ TargetRubyVersion: 2.4
DisabledByDefault: true
Exclude:
- "examples/instrumentation.rb"
diff --git a/.travis.yml b/.travis.yml
index 98432ae..1b87613 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -8,7 +8,6 @@ rvm:
- 2.6.6
- 2.5.8
- 2.4.10
- - 2.3.8

before_install:
- yes | gem update --system
@@ -40,8 +39,6 @@ matrix:
rvm: 2.7.1
- gemfile: gemfiles/rails_6_0.gemfile
rvm: 2.4.10
- - gemfile: gemfiles/rails_6_0.gemfile
- rvm: 2.3.8
fast_finish: true

services:
diff --git a/rack-attack.gemspec b/rack-attack.gemspec
index 99deeb7..28dd3f8 100644
--- a/rack-attack.gemspec
+++ b/rack-attack.gemspec
@@ -27,7 +27,7 @@ Gem::Specification.new do |s|
"source_code_uri" => "https://github.com/kickstarter/rack-attack"
}

- s.required_ruby_version = '>= 2.3'
+ s.required_ruby_version = '>= 2.4'

s.add_runtime_dependency 'rack', ">= 1.0", "< 3"

From 614e10aa9c01fcb191e8d7c86d94335c9859c13e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lukas=20Spie=C3=9F?=
Date: Thu, 12 Dec 2019 18:13:13 +0100
Subject: [PATCH 02/12] Use gender-neutral pronoun in Readme

(cherry picked from commit 58b4042e3576bd704ea46b6808f4a4822db71464)
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 96d0db8..69c92ad 100644
--- a/README.md
+++ b/README.md
@@ -343,7 +343,7 @@ end While Rack::Attack's primary focus is minimizing harm from abusive clients, it can also be used to return rate limit data that's helpful for well-behaved clients. -If you want to return to user how many seconds to wait until he can start sending requests again, this can be done through enabling `Retry-After` header: +If you want to return to user how many seconds to wait until they can start sending requests again, this can be done through enabling `Retry-After` header: ```ruby Rack::Attack.throttled_response_retry_after_header = true ``` From 9da0bb77125b75364125160695f690ea20157e5b Mon Sep 17 00:00:00 2001 From: Ryan Laughlin Date: Mon, 18 May 2020 17:41:58 -0400 Subject: [PATCH 03/12] Consolidate #testing section of README (cherry picked from commit 029b5481fe4e5a729d4ac568eee8a7143b4e0ed1) --- README.md | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 69c92ad..6a5dea5 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,6 @@ See the [Backing & Hacking blog post](https://www.kickstarter.com/backing-and-ha - [Testing](#testing) - [How it works](#how-it-works) - [About Tracks](#about-tracks) -- [Testing](#testing) - [Performance](#performance) - [Motivation](#motivation) - [Contributing](#contributing) @@ -401,6 +400,10 @@ end ## Testing +A note on developing and testing apps using Rack::Attack - if you are using throttling in particular, you will +need to enable the cache in your development environment. See [Caching with Rails](http://guides.rubyonrails.org/caching_with_rails.html) +for more on how to do this. + ### Disabling `Rack::Attack.enabled = false` can be used to either completely disable Rack::Attack in your tests, or to disable/enable for specific test cases only. 
@@ -445,13 +448,6 @@ can cleanly monkey patch helper methods onto the `Rack::Attack.track` doesn't affect request processing. Tracks are an easy way to log and measure requests matching arbitrary attributes. - -## Testing - -A note on developing and testing apps using Rack::Attack - if you are using throttling in particular, you will -need to enable the cache in your development environment. See [Caching with Rails](http://guides.rubyonrails.org/caching_with_rails.html) -for more on how to do this. - ## Performance The overhead of running Rack::Attack is typically negligible (a few milliseconds per request), From 44b6a7353a342b416fae61c63ab33f324143d5c1 Mon Sep 17 00:00:00 2001 From: Olle Jonsson Date: Sun, 24 May 2020 17:50:56 +0200 Subject: [PATCH 04/12] Use RuboCop 0.84.0 - this enables each of the new Cops and marks each with the version they appeared in (cherry picked from commit c07fcdde434b6864c556baf0c5adf1e0edab854c) --- .rubocop.yml | 18 +++++++++++++++--- lib/rack/attack/cache.rb | 1 + lib/rack/attack/check.rb | 1 + lib/rack/attack/throttle.rb | 1 + rack-attack.gemspec | 2 +- 5 files changed, 19 insertions(+), 4 deletions(-) diff --git a/.rubocop.yml b/.rubocop.yml index b12c0b4..8426f7f 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -21,12 +21,27 @@ Gemspec: Layout: Enabled: true +Layout/EmptyLinesAroundAttributeAccessor: # (0.83) + Enabled: true + +Layout/SpaceAroundMethodCallOperator: # (0.82) + Enabled: true + Layout/LineLength: Max: 120 Lint: Enabled: true +Lint/DeprecatedOpenSSLConstant: # (0.84) + Enabled: true + +Lint/RaiseException: # (0.81) + Enabled: true + +Lint/StructNewOverride: # (0.81) + Enabled: true + Naming: Enabled: true Exclude: @@ -42,9 +57,6 @@ Style/BlockDelimiters: Enabled: true IgnoredMethods: [] # Workaround rubocop bug: https://github.com/rubocop-hq/rubocop/issues/6179 -Style/BracesAroundHashParameters: - Enabled: true - Style/ClassAndModuleChildren: Enabled: true Exclude: 
diff --git a/lib/rack/attack/cache.rb b/lib/rack/attack/cache.rb
index 0defa64..c74bc2a 100644
--- a/lib/rack/attack/cache.rb
+++ b/lib/rack/attack/cache.rb
@@ -12,6 +12,7 @@ module Rack
end

attr_reader :store
+
def store=(store)
@store = StoreProxy.build(store)
end
diff --git a/lib/rack/attack/check.rb b/lib/rack/attack/check.rb
index 4c985eb..c9f3ff7 100644
--- a/lib/rack/attack/check.rb
+++ b/lib/rack/attack/check.rb
@@ -4,6 +4,7 @@ module Rack
class Attack
class Check
attr_reader :name, :block, :type
+
def initialize(name, options = {}, &block)
@name = name
@block = block
diff --git a/lib/rack/attack/throttle.rb b/lib/rack/attack/throttle.rb
index 3b80d9e..96c0f3b 100644
--- a/lib/rack/attack/throttle.rb
+++ b/lib/rack/attack/throttle.rb
@@ -6,6 +6,7 @@ module Rack
MANDATORY_OPTIONS = [:limit, :period].freeze

attr_reader :name, :limit, :period, :block, :type
+
def initialize(name, options, &block)
@name = name
@block = block
diff --git a/rack-attack.gemspec b/rack-attack.gemspec
index 28dd3f8..69042f1 100644
--- a/rack-attack.gemspec
+++ b/rack-attack.gemspec
@@ -37,7 +37,7 @@ Gem::Specification.new do |s|
s.add_development_dependency "minitest-stub-const", "~> 0.6"
s.add_development_dependency 'rack-test', "~> 1.0"
s.add_development_dependency 'rake', "~> 13.0"
- s.add_development_dependency "rubocop", "0.78.0"
+ s.add_development_dependency "rubocop", "0.84.0"
s.add_development_dependency "rubocop-performance", "~> 1.5.0"
s.add_development_dependency "timecop", "~> 0.9.1"

From 48531f546c53230050f31e848f8746565b7c4150 Mon Sep 17 00:00:00 2001
From: Tristan Toye Date: Sun, 7 Jun 2020 12:11:30 -0400 Subject: [PATCH 05/12] Clarify Calling HTTP_APIKey header in example (#488) * Clarify Calling HTTP_ header in example In trying to track down a bug here turns out I was trying to reference the wrong header shown in the readme. Printing our `request.env` it becomes clear this is just the full request object: ``` {"rack.version"=>[1, 3], "rack.errors"=>#>, "rack.multithread"=>true, "rack.multiprocess"=>false, "rack.run_once"=>false, "SCRIPT_NAME"=>"", "QUERY_STRING"=>"", "SERVER_PROTOCOL"=>"HTTP/1.1", "SERVER_SOFTWARE"=>"puma 4.3.5 Mysterious Traveller", "GATEWAY_INTERFACE"=>"CGI/1.2", "REQUEST_METHOD"=>"POST", "REQUEST_PATH"=>"/api/v1/....", "REQUEST_URI"=>"/api/v1/...", "HTTP_VERSION"=>"HTTP/1.1", "HTTP_HOST"=>"example.com", "HTTP_APIKEY"=>"secret_key", "CONTENT_TYPE"=>"application/json", "HTTP_USER_AGENT"=>"PostmanRuntime/7.25.0", "HTTP_ACCEPT"=>"*/*", "HTTP_CACHE_CONTROL"=>"no-cache", ... ``` * Update README.md (cherry picked from commit f92889b3600c37ae0a45649fc75c7eafc8d370f5) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6a5dea5..d43032d 100644 --- a/README.md +++ b/README.md @@ -140,7 +140,7 @@ E.g. # Provided that trusted users use an HTTP request header named APIKey Rack::Attack.safelist("mark any authenticated access safe") do |request| # Requests are allowed if the return value is truthy - request.env["APIKey"] == "secret-string" + request.env["HTTP_APIKEY"] == "secret-string" end # Always allow requests from localhost From 1cd4a1cd79eaa31ada98300984f543d954ccae24 Mon Sep 17 00:00:00 2001 
From: Eliot Sykes Date: Tue, 28 Jul 2020 11:17:00 +0100 Subject: [PATCH 06/12] Mitigate login throttle bypasses in docs This commit mitigates rate limit bypasses in the configuration docs by normalizing the email throttle key. (The normalization process used is the same as used by the Clearance gem.) --- Often an authentication process normalizes email addresses and usernames before look up, say by downcasing and removing any whitespace. Throttles that do not perform the same normalization are vulnerable to rate limit bypasses. For example, an attacker can bypass a vulnerable throttle by using unlimited case and whitespace variants for the same email address: - Variant 1: `victim@example.org` - Variant 2: `victim@example. org` (one whitespace) - Variant 3: `victim@example. org` (two whitespaces) - Variant 4: `ViCtIm@eXaMpLe.org` - etc, etc. All of these variants resolve to the same email address, but allow an attacker to bypass a vulnerable throttle. To mitigate, the email throttle key should be normalized using the same logic the authentication process uses for normalizing emails. (cherry picked from commit 03926e0b753e21a5a08ec4e4d1e7106284e047e9) --- README.md | 6 ++++-- docs/example_configuration.md | 7 ++++--- examples/rack_attack.rb | 4 +++- 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index d43032d..fe43e41 100644 --- a/README.md +++ b/README.md 
@@ -263,10 +263,12 @@ Rack::Attack.throttle("requests by ip", limit: 5, period: 2) do |request|
end

# Throttle login attempts for a given email parameter to 6 reqs/minute
-# Return the email as a discriminator on POST /login requests
+# Return the *normalized* email as a discriminator on POST /login requests
Rack::Attack.throttle('limit logins per email', limit: 6, period: 60) do |req|
if req.path == '/login' && req.post?
- req.params['email']
+ # Normalize the email, using the same logic as your authentication process, to
+ # protect against rate limit bypasses.
+ req.params['email'].to_s.downcase.gsub(/\s+/, "")
end
end

diff --git a/docs/example_configuration.md b/docs/example_configuration.md
index 069f04e..e1aaa38 100644
--- a/docs/example_configuration.md
+++ b/docs/example_configuration.md
@@ -53,7 +53,7 @@ class Rack::Attack

# Throttle POST requests to /login by email param
#
-# Key: "rack::attack:#{Time.now.to_i/:period}:logins/email:#{req.email}"
+# Key: "rack::attack:#{Time.now.to_i/:period}:logins/email:#{normalized_email}"
#
# Note: This creates a problem where a malicious user could intentionally
# throttle logins for another user and force their login requests to be
@@ -61,8 +61,9 @@ class Rack::Attack
# on wood!)
throttle("logins/email", limit: 5, period: 20.seconds) do |req|
if req.path == '/login' && req.post?
- # return the email if present, nil otherwise
- req.params['email'].presence
+ # Normalize the email, using the same logic as your authentication process, to
+ # protect against rate limit bypasses. Return the normalized email if present, nil otherwise.
+ req.params['email'].to_s.downcase.gsub(/\s+/, "").presence
end
end

diff --git a/examples/rack_attack.rb b/examples/rack_attack.rb
index 43f1348..7423f39 100644
--- a/examples/rack_attack.rb
+++ b/examples/rack_attack.rb
@@ -13,8 +13,10 @@ Rack::Attack.throttle "logins/ip", limit: 2, period: 1 do |req|
end

# Throttle login attempts per email, 10/minute/email
+# Normalize the email, using the same logic as your authentication process, to
+# protect against rate limit bypasses.
Rack::Attack.throttle "logins/email", limit: 2, period: 60 do |req|
- req.post? && req.path == "/login" && req.params['email']
+ req.post? && req.path == "/login" && req.params['email'].to_s.downcase.gsub(/\s+/, "")
end

# blocklist bad IPs from accessing admin pages

From 476144ee4002bde9e6396d7bbc16927d60ac4fbf Mon Sep 17 00:00:00 2001
From: Gonzalo
Date: Fri, 25 Dec 2020 23:47:14 -0300
Subject: [PATCH 07/12] build: update rubocop to earlier version fixing the LineLength crash

(cherry picked from commit cbae022df107b58997ac11f15a442a1631811b39)
---
 .rubocop.yml | 1 +
 rack-attack.gemspec | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/.rubocop.yml b/.rubocop.yml
index 8426f7f..e8b5e04 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -8,6 +8,7 @@ inherit_mode:
AllCops:
TargetRubyVersion: 2.4
DisabledByDefault: true
+ NewCops: disable
Exclude:
- "examples/instrumentation.rb"
- "gemfiles/**/*"
diff --git a/rack-attack.gemspec b/rack-attack.gemspec
index 69042f1..e1c12a0 100644
--- a/rack-attack.gemspec
+++ b/rack-attack.gemspec
@@ -37,7 +37,7 @@ Gem::Specification.new do |s|
s.add_development_dependency "minitest-stub-const", "~> 0.6"
s.add_development_dependency 'rack-test', "~> 1.0"
s.add_development_dependency 'rake', "~> 13.0"
- s.add_development_dependency "rubocop", "0.84.0"
+ s.add_development_dependency "rubocop", "0.89.1"
s.add_development_dependency "rubocop-performance", "~> 1.5.0"
s.add_development_dependency "timecop", "~> 0.9.1"

From 63160696387c6bef31c57f4ebfacebb9a51b1a9f Mon Sep 17 00:00:00 2001
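Review bot: The discriminator returned on the `req.post? && req.path == "/login" && ...` line is now always a String, and `""` is truthy in Ruby, so a POST to /login with a missing or whitespace-only `email` param is counted under the single key `""` instead of being skipped as it was when `req.params['email']` returned nil; every such request then shares one bucket and burns the limit for the others. The docs/example_configuration.md hunk in the same patch keeps `.presence` to avoid exactly this, but this plain-Rack example has no ActiveSupport, so it needs an explicit guard: `next unless req.post? && req.path == "/login"` / `email = req.params['email'].to_s.downcase.gsub(/\s+/, "")` / `email unless email.empty?`. The README.md hunk in this patch has the same gap.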
From: Gonzalo Date: Fri, 25 Dec 2020 23:51:59 -0300 Subject: [PATCH 08/12] docs: update repo references after move to rack org (cherry picked from commit 26476670f40239ff51bb3ab1843e7b71a4255fd4) --- CHANGELOG.md | 92 +++++++++++++++++----------------- CONTRIBUTING.md | 8 +-- README.md | 4 +- docs/advanced_configuration.md | 12 ++--- rack-attack.gemspec | 8 +-- 5 files changed, 62 insertions(+), 62 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d44d1e0..a7940ac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -96,9 +96,9 @@ All notable changes to this project will be documented in this file. ### Added -- Support "plain" `Redis` as a cache store backend ([#280](https://github.com/kickstarter/rack-attack/pull/280)). Thanks @bfad and @ryandv. +- Support "plain" `Redis` as a cache store backend ([#280](https://github.com/rack/rack-attack/pull/280)). Thanks @bfad and @ryandv. - When overwriting `Rack::Attack.throttled_response` you can now access the exact epoch integer that was used for caching -so your custom code is less prone to race conditions ([#282](https://github.com/kickstarter/rack-attack/pull/282)). Thanks @doliveirakn. +so your custom code is less prone to race conditions ([#282](https://github.com/rack/rack-attack/pull/282)). Thanks @doliveirakn. ### Dependency changes 
@@ -120,43 +120,43 @@ so your custom code is less prone to race conditions ([#282](https://github.com/ ### Added -- Add support for [`ActiveSupport::Cache::RedisCacheStore`](http://api.rubyonrails.org/classes/ActiveSupport/Cache/RedisCacheStore.html) as a store backend ([#340](https://github.com/kickstarter/rack-attack/pull/340) and [#350](https://github.com/kickstarter/rack-attack/pull/350)) +- Add support for [`ActiveSupport::Cache::RedisCacheStore`](http://api.rubyonrails.org/classes/ActiveSupport/Cache/RedisCacheStore.html) as a store backend ([#340](https://github.com/rack/rack-attack/pull/340) and [#350](https://github.com/rack/rack-attack/pull/350)) ## [5.2.0] - 2018-03-29 ### Added -- Shorthand for blocking an IP address `Rack::Attack.blocklist_ip("1.2.3.4")` ([#320](https://github.com/kickstarter/rack-attack/pull/320)) -- Shorthand for blocking an IP subnet `Rack::Attack.blocklist_ip("1.2.0.0/16")` ([#320](https://github.com/kickstarter/rack-attack/pull/320)) -- Shorthand for safelisting an IP address `Rack::Attack.safelist_ip("5.6.7.8")` ([#320](https://github.com/kickstarter/rack-attack/pull/320)) -- Shorthand for safelisting an IP subnet `Rack::Attack.safelist_ip("5.6.0.0/16")` ([#320](https://github.com/kickstarter/rack-attack/pull/320)) -- Throw helpful error message when using `allow2ban` but cache store is misconfigured ([#315](https://github.com/kickstarter/rack-attack/issues/315)) -- Throw helpful error message when using `fail2ban` but cache store is misconfigured ([#315](https://github.com/kickstarter/rack-attack/issues/315)) +- Shorthand for blocking an IP address `Rack::Attack.blocklist_ip("1.2.3.4")` ([#320](https://github.com/rack/rack-attack/pull/320)) +- Shorthand for blocking an IP subnet `Rack::Attack.blocklist_ip("1.2.0.0/16")` ([#320](https://github.com/rack/rack-attack/pull/320)) +- Shorthand for safelisting an IP address `Rack::Attack.safelist_ip("5.6.7.8")` ([#320](https://github.com/rack/rack-attack/pull/320)) +- Shorthand for 
safelisting an IP subnet `Rack::Attack.safelist_ip("5.6.0.0/16")` ([#320](https://github.com/rack/rack-attack/pull/320)) +- Throw helpful error message when using `allow2ban` but cache store is misconfigured ([#315](https://github.com/rack/rack-attack/issues/315)) +- Throw helpful error message when using `fail2ban` but cache store is misconfigured ([#315](https://github.com/rack/rack-attack/issues/315)) ## [5.1.0] - 2018-03-10 - - Fixes edge case bug when using ruby 2.5.0 and redis [#253](https://github.com/kickstarter/rack-attack/issues/253) ([#271](https://github.com/kickstarter/rack-attack/issues/271)) - - Throws errors with better semantics when missing or misconfigured store caches to aid in developers debugging their configs ([#274](https://github.com/kickstarter/rack-attack/issues/274)) - - Removed legacy code that was originally intended for Rails 3 apps ([#264](https://github.com/kickstarter/rack-attack/issues/264)) + - Fixes edge case bug when using ruby 2.5.0 and redis [#253](https://github.com/rack/rack-attack/issues/253) ([#271](https://github.com/rack/rack-attack/issues/271)) + - Throws errors with better semantics when missing or misconfigured store caches to aid in developers debugging their configs ([#274](https://github.com/rack/rack-attack/issues/274)) + - Removed legacy code that was originally intended for Rails 3 apps ([#264](https://github.com/rack/rack-attack/issues/264)) ## [5.0.1] - 2016-08-11 - - Fixes arguments passed to deprecated internal methods. ([#198](https://github.com/kickstarter/rack-attack/issues/198)) + - Fixes arguments passed to deprecated internal methods. ([#198](https://github.com/rack/rack-attack/issues/198)) ## [5.0.0] - 2016-08-09 - - Deprecate `whitelist`/`blacklist` in favor of `safelist`/`blocklist`. ([#181](https://github.com/kickstarter/rack-attack/issues/181), + - Deprecate `whitelist`/`blacklist` in favor of `safelist`/`blocklist`. 
([#181](https://github.com/rack/rack-attack/issues/181), thanks @renee-travisci). To upgrade and fix deprecations, find and replace instances of `whitelist` and `blacklist` with `safelist` and `blocklist`. If you reference `rack.attack.match_type`, note that it will have values like `:safelist`/`:blocklist`. - Remove test coverage for unsupported ruby dependencies: ruby 2.0, activesupport 3.2/4.0, and dalli 1. ## [4.4.1] - 2016-02-17 - Fix a bug affecting apps using Redis::Store and ActiveSupport that could generate an error - saying dalli was a required dependency. I learned all about ActiveSupport autoloading. ([#165](https://github.com/kickstarter/rack-attack/issues/165)) + saying dalli was a required dependency. I learned all about ActiveSupport autoloading. ([#165](https://github.com/rack/rack-attack/issues/165)) ## [4.4.0] - 2016-02-10 - - New: support for MemCacheStore ([#153](https://github.com/kickstarter/rack-attack/issues/153)). Thanks @elhu. + - New: support for MemCacheStore ([#153](https://github.com/rack/rack-attack/issues/153)). Thanks @elhu. - Some documentation and test harness improvements. ## [4.3.1] - 2015-12-18 
@@ -222,36 +222,36 @@ so your custom code is less prone to race conditions ([#282](https://github.com/ - Remove unused variable - Extract mandatory options to constants -[6.3.1]: https://github.com/kickstarter/rack-attack/compare/v6.3.0...v6.3.1/ -[6.3.0]: https://github.com/kickstarter/rack-attack/compare/v6.2.2...v6.3.0/ -[6.2.2]: https://github.com/kickstarter/rack-attack/compare/v6.2.1...v6.2.2/ -[6.2.1]: https://github.com/kickstarter/rack-attack/compare/v6.2.0...v6.2.1/ -[6.2.0]: https://github.com/kickstarter/rack-attack/compare/v6.1.0...v6.2.0/ -[6.1.0]: https://github.com/kickstarter/rack-attack/compare/v6.0.0...v6.1.0/ -[6.0.0]: https://github.com/kickstarter/rack-attack/compare/v5.4.2...v6.0.0/ -[5.4.2]: https://github.com/kickstarter/rack-attack/compare/v5.4.1...v5.4.2/ -[5.4.1]: https://github.com/kickstarter/rack-attack/compare/v5.4.0...v5.4.1/ -[5.4.0]: https://github.com/kickstarter/rack-attack/compare/v5.3.2...v5.4.0/ -[5.3.2]: https://github.com/kickstarter/rack-attack/compare/v5.3.1...v5.3.2/ -[5.3.1]: https://github.com/kickstarter/rack-attack/compare/v5.3.0...v5.3.1/ -[5.3.0]: https://github.com/kickstarter/rack-attack/compare/v5.2.0...v5.3.0/ -[5.2.0]: https://github.com/kickstarter/rack-attack/compare/v5.1.0...v5.2.0/ -[5.1.0]: https://github.com/kickstarter/rack-attack/compare/v5.0.1...v5.1.0/ -[5.0.1]: https://github.com/kickstarter/rack-attack/compare/v5.0.0...v5.0.1/ -[5.0.0]: https://github.com/kickstarter/rack-attack/compare/v4.4.1...v5.0.0/ -[4.4.1]: https://github.com/kickstarter/rack-attack/compare/v4.4.0...v4.4.1/ -[4.4.0]: https://github.com/kickstarter/rack-attack/compare/v4.3.1...v4.4.0/ -[4.3.1]: https://github.com/kickstarter/rack-attack/compare/v4.3.0...v4.3.1/ -[4.3.0]: https://github.com/kickstarter/rack-attack/compare/v4.2.0...v4.3.0/ -[4.2.0]: https://github.com/kickstarter/rack-attack/compare/v4.1.1...v4.2.0/ -[4.1.1]: https://github.com/kickstarter/rack-attack/compare/v4.1.0...v4.1.1/ -[4.1.0]: 
https://github.com/kickstarter/rack-attack/compare/v4.0.1...v4.1.0/ -[4.0.1]: https://github.com/kickstarter/rack-attack/compare/v4.0.0...v4.0.1/ -[4.0.0]: https://github.com/kickstarter/rack-attack/compare/v3.0.0...v4.0.0/ -[3.0.0]: https://github.com/kickstarter/rack-attack/compare/v2.3.0...v3.0.0/ -[2.3.0]: https://github.com/kickstarter/rack-attack/compare/v2.2.1...v2.3.0/ -[2.2.1]: https://github.com/kickstarter/rack-attack/compare/v2.2.0...v2.2.1/ -[2.2.0]: https://github.com/kickstarter/rack-attack/compare/v2.1.1...v2.2.0/ +[6.3.1]: https://github.com/rack/rack-attack/compare/v6.3.0...v6.3.1/ +[6.3.0]: https://github.com/rack/rack-attack/compare/v6.2.2...v6.3.0/ +[6.2.2]: https://github.com/rack/rack-attack/compare/v6.2.1...v6.2.2/ +[6.2.1]: https://github.com/rack/rack-attack/compare/v6.2.0...v6.2.1/ +[6.2.0]: https://github.com/rack/rack-attack/compare/v6.1.0...v6.2.0/ +[6.1.0]: https://github.com/rack/rack-attack/compare/v6.0.0...v6.1.0/ +[6.0.0]: https://github.com/rack/rack-attack/compare/v5.4.2...v6.0.0/ +[5.4.2]: https://github.com/rack/rack-attack/compare/v5.4.1...v5.4.2/ +[5.4.1]: https://github.com/rack/rack-attack/compare/v5.4.0...v5.4.1/ +[5.4.0]: https://github.com/rack/rack-attack/compare/v5.3.2...v5.4.0/ +[5.3.2]: https://github.com/rack/rack-attack/compare/v5.3.1...v5.3.2/ +[5.3.1]: https://github.com/rack/rack-attack/compare/v5.3.0...v5.3.1/ +[5.3.0]: https://github.com/rack/rack-attack/compare/v5.2.0...v5.3.0/ +[5.2.0]: https://github.com/rack/rack-attack/compare/v5.1.0...v5.2.0/ +[5.1.0]: https://github.com/rack/rack-attack/compare/v5.0.1...v5.1.0/ +[5.0.1]: https://github.com/rack/rack-attack/compare/v5.0.0...v5.0.1/ +[5.0.0]: https://github.com/rack/rack-attack/compare/v4.4.1...v5.0.0/ +[4.4.1]: https://github.com/rack/rack-attack/compare/v4.4.0...v4.4.1/ +[4.4.0]: https://github.com/rack/rack-attack/compare/v4.3.1...v4.4.0/ +[4.3.1]: https://github.com/rack/rack-attack/compare/v4.3.0...v4.3.1/ +[4.3.0]: 
https://github.com/rack/rack-attack/compare/v4.2.0...v4.3.0/ +[4.2.0]: https://github.com/rack/rack-attack/compare/v4.1.1...v4.2.0/ +[4.1.1]: https://github.com/rack/rack-attack/compare/v4.1.0...v4.1.1/ +[4.1.0]: https://github.com/rack/rack-attack/compare/v4.0.1...v4.1.0/ +[4.0.1]: https://github.com/rack/rack-attack/compare/v4.0.0...v4.0.1/ +[4.0.0]: https://github.com/rack/rack-attack/compare/v3.0.0...v4.0.0/ +[3.0.0]: https://github.com/rack/rack-attack/compare/v2.3.0...v3.0.0/ +[2.3.0]: https://github.com/rack/rack-attack/compare/v2.2.1...v2.3.0/ +[2.2.1]: https://github.com/rack/rack-attack/compare/v2.2.0...v2.2.1/ +[2.2.0]: https://github.com/rack/rack-attack/compare/v2.1.1...v2.2.0/ [@fatkodima]: https://github.com/fatkodima [@rofreg]: https://github.com/rofreg diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index d664561..63817fc 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -8,12 +8,12 @@ This project is intended to be a safe, welcoming space for collaboration, and co Any of the following is greatly appreciated: -* Helping users by answering to their [questions](https://github.com/kickstarter/rack-attack/issues?q=is%3Aopen+is%3Aissue+label%3A%22type%3A+question%22) -* Helping users troubleshoot their [error reports](https://github.com/kickstarter/rack-attack/issues?q=is%3Aissue+is%3Aopen+label%3A%22type%3A+error+report%22) to figure out if the error is caused by an actual bug or some misconfiguration -* Giving feedback by commenting in other users [feature requests](https://github.com/kickstarter/rack-attack/issues?q=is%3Aissue+is%3Aopen+label%3A%22type%3A+feature+request%22) +* Helping users by answering to their [questions](https://github.com/rack/rack-attack/issues?q=is%3Aopen+is%3Aissue+label%3A%22type%3A+question%22) +* Helping users troubleshoot their [error reports](https://github.com/rack/rack-attack/issues?q=is%3Aissue+is%3Aopen+label%3A%22type%3A+error+report%22) to figure out if the error is caused by an actual bug or some misconfiguration +* Giving feedback by commenting in other users [feature requests](https://github.com/rack/rack-attack/issues?q=is%3Aissue+is%3Aopen+label%3A%22type%3A+feature+request%22) * Reporting an error you are experiencing * Suggesting a new feature you think it would be useful for many users -* If you want to work on fixing an actual issue and you don't know where to start, those labeled [good first issue](https://github.com/kickstarter/rack-attack/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) may be a good choice +* If you want to work on fixing an actual issue and you don't know where to start, those labeled [good first issue](https://github.com/rack/rack-attack/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) may be a good choice ## Style Guide diff --git a/README.md b/README.md index fe43e41..da709db 100644 --- a/README.md +++ b/README.md 
@@ -1,5 +1,5 @@ __Note__: You are viewing the development version README. -For the README consistent with the latest released version see https://github.com/kickstarter/rack-attack/blob/6-stable/README.md. +For the README consistent with the latest released version see https://github.com/rack/rack-attack/blob/6-stable/README.md. # Rack::Attack @@ -10,7 +10,7 @@ Protect your Rails and Rack apps from bad clients. Rack::Attack lets you easily See the [Backing & Hacking blog post](https://www.kickstarter.com/backing-and-hacking/rack-attack-protection-from-abusive-clients) introducing Rack::Attack. [![Gem Version](https://badge.fury.io/rb/rack-attack.svg)](https://badge.fury.io/rb/rack-attack) -[![Build Status](https://travis-ci.org/kickstarter/rack-attack.svg?branch=master)](https://travis-ci.org/kickstarter/rack-attack) +[![Build Status](https://travis-ci.org/rack/rack-attack.svg?branch=master)](https://travis-ci.org/rack/rack-attack) [![Code Climate](https://codeclimate.com/github/kickstarter/rack-attack.svg)](https://codeclimate.com/github/kickstarter/rack-attack) [![Join the chat at https://gitter.im/rack-attack/rack-attack](https://badges.gitter.im/rack-attack/rack-attack.svg)](https://gitter.im/rack-attack/rack-attack) diff --git a/docs/advanced_configuration.md b/docs/advanced_configuration.md index 0fd1fe4..6d8737e 100644 --- a/docs/advanced_configuration.md +++ b/docs/advanced_configuration.md 
@@ -6,7 +6,7 @@ If you're feeling ambitious or you have a very particular use-case for Rack::Att ### Exponential Backoff -By layering throttles with linearly increasing limits and exponentially increasing periods, you can mimic an exponential backoff throttle. See [#106](https://github.com/kickstarter/rack-attack/issues/106) for more discussion. +By layering throttles with linearly increasing limits and exponentially increasing periods, you can mimic an exponential backoff throttle. See [#106](https://github.com/rack/rack-attack/issues/106) for more discussion. ```ruby # Allows 20 requests in 8 seconds @@ -24,7 +24,7 @@ end ### Rack::Attack::Request Helpers -You can define helpers on requests like `localhost?` or `subdomain` by monkey-patching `Rack::Attack::Request`. See [#73](https://github.com/kickstarter/rack-attack/issues/73) for more discussion. +You can define helpers on requests like `localhost?` or `subdomain` by monkey-patching `Rack::Attack::Request`. See [#73](https://github.com/rack/rack-attack/issues/73) for more discussion. ```ruby class Rack::Attack::Request < ::Rack::Request @@ -38,7 +38,7 @@ Rack::Attack.safelist("localhost") { |req| req.localhost? } ### Blocklisting From ENV Variables -You can have `Rack::Attack` configure its blocklists from ENV variables to simplify maintenance. See [#110](https://github.com/kickstarter/rack-attack/issues/110) for more discussion. +You can have `Rack::Attack` configure its blocklists from ENV variables to simplify maintenance. See [#110](https://github.com/rack/rack-attack/issues/110) for more discussion. ```ruby class Rack::Attack 
@@ -57,7 +57,7 @@ end ### Reset Specific Throttles -By doing a bunch of monkey-patching, you can add a helper for resetting specific throttles. The implementation is kind of long, so see [#113](https://github.com/kickstarter/rack-attack/issues/113) for more discussion. +By doing a bunch of monkey-patching, you can add a helper for resetting specific throttles. The implementation is kind of long, so see [#113](https://github.com/rack/rack-attack/issues/113) for more discussion. ```ruby Rack::Attack.reset_throttle "logins/email", "user@example.com" @@ -65,7 +65,7 @@ Rack::Attack.reset_throttle "logins/email", "user@example.com" ### Blocklisting From Rails.cache -You can configure blocklists to check values stored in `Rails.cache` to allow setting blocklists from inside your application. See [#111](https://github.com/kickstarter/rack-attack/issues/111) for more discussion. +You can configure blocklists to check values stored in `Rails.cache` to allow setting blocklists from inside your application. See [#111](https://github.com/rack/rack-attack/issues/111) for more discussion. ```ruby # Block attacks from IPs in cache @@ -78,7 +78,7 @@ end ### Throttle Basic Auth Crackers -An example implementation for blocking hackers who spam basic auth attempts. See [#47](https://github.com/kickstarter/rack-attack/issues/47) for more discussion. +An example implementation for blocking hackers who spam basic auth attempts. See [#47](https://github.com/rack/rack-attack/issues/47) for more discussion. ```ruby # After 5 requests with incorrect auth in 1 minute, diff --git a/rack-attack.gemspec b/rack-attack.gemspec index e1c12a0..34689a3 100644 --- a/rack-attack.gemspec +++ b/rack-attack.gemspec 
@@ -15,16 +15,16 @@ Gem::Specification.new do |s|
 
   s.email = "aaron@ktheory.com"
   s.files = Dir.glob("{bin,lib}/**/*") + %w(Rakefile README.md)
-  s.homepage = 'https://github.com/kickstarter/rack-attack'
+  s.homepage = 'https://github.com/rack/rack-attack'
   s.rdoc_options = ["--charset=UTF-8"]
   s.require_paths = ["lib"]
   s.summary = 'Block & throttle abusive requests'
   s.test_files = Dir.glob("spec/**/*")
 
   s.metadata = {
-    "bug_tracker_uri" => "https://github.com/kickstarter/rack-attack/issues",
-    "changelog_uri" => "https://github.com/kickstarter/rack-attack/blob/master/CHANGELOG.md",
-    "source_code_uri" => "https://github.com/kickstarter/rack-attack"
+    "bug_tracker_uri" => "https://github.com/rack/rack-attack/issues",
+    "changelog_uri" => "https://github.com/rack/rack-attack/blob/master/CHANGELOG.md",
+    "source_code_uri" => "https://github.com/rack/rack-attack"
   }
 
   s.required_ruby_version = '>= 2.4'
From 38c89afcf3f4e606f053381833582eb83a5c308c Mon Sep 17 00:00:00 2001
From: Joe Van Dyk
Date: Thu, 24 Dec 2020 12:58:47 -0800
Subject: [PATCH 09/12] Fix speling in README

(cherry picked from commit 7b3376021b47e2a9bfe20a1e792c9b6e28a6dbcf)
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index da709db..86b92c4 100644
--- a/README.md
+++ b/README.md
@@ -379,7 +379,7 @@ Rack::Attack uses the [ActiveSupport::Notifications](http://api.rubyonrails.org/
 
 You can subscribe to `rack_attack` events and log it, graph it, etc.
 
-To get notified about specific type of events, subscribe to the event name followed by the `rack_attack` namesapce.
+To get notified about specific type of events, subscribe to the event name followed by the `rack_attack` namespace.
 E.g. for throttles use:
 
 ```ruby
From dda248993602924536aec97f8c29582f348a3b4d Mon Sep 17 00:00:00 2001
From: fukayatsu
Date: Tue, 15 Dec 2020 23:20:58 +0900
Subject: [PATCH 10/12] Fix Ruby 2.7 kwargs warning in RedisCacheStoreProxy

(cherry picked from commit 9020201ff5be02046c50203959b51b4a3305a374)
---
 lib/rack/attack/store_proxy/redis_cache_store_proxy.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/rack/attack/store_proxy/redis_cache_store_proxy.rb b/lib/rack/attack/store_proxy/redis_cache_store_proxy.rb
index 1de361c..9d1be74 100644
--- a/lib/rack/attack/store_proxy/redis_cache_store_proxy.rb
+++ b/lib/rack/attack/store_proxy/redis_cache_store_proxy.rb
@@ -10,7 +10,7 @@ module Rack
           store.class.name == "ActiveSupport::Cache::RedisCacheStore"
         end
 
-        def increment(name, amount = 1, options = {})
+        def increment(name, amount = 1, **options)
           # RedisCacheStore#increment ignores options[:expires_in].
           #
           # So in order to workaround this we use RedisCacheStore#write (which sets expiration) to initialize
From 33d1bac4a56098a02a1afeb2c7392cf9e0943474 Mon Sep 17 00:00:00 2001
From: Gonzalo
Date: Sat, 23 Jan 2021 13:58:14 -0300
Subject: [PATCH 11/12] test: update ruby and rails versions

---
 .travis.yml                                        | 25 ++++++++++++++-----
 Appraisals                                         |  8 ++++--
 .../active_support_redis_cache_store.gemfile       |  2 +-
 ...e_support_redis_cache_store_pooled.gemfile      |  2 +-
 gemfiles/rails_6_1.gemfile                         |  7 ++++++
 rack-attack.gemspec                                |  2 +-
 ...e_support_redis_cache_store_pooled_spec.rb      |  2 +-
 .../active_support_redis_cache_store_spec.rb       |  2 +-
 8 files changed, 37 insertions(+), 13 deletions(-)
 create mode 100644 gemfiles/rails_6_1.gemfile

diff --git a/.travis.yml b/.travis.yml
index 1b87613..b2c79be 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -3,8 +3,8 @@ language: ruby
 cache: bundler
 
 rvm:
-  - ruby-head
-  - 2.7.1
+  - 3.0.0
+  - 2.7.2
   - 2.6.6
   - 2.5.8
   - 2.4.10
@@ -16,6 +16,7 @@ before_install:
 gemfile:
   - gemfiles/rack_2.gemfile
   - gemfiles/rack_1.gemfile
+  - gemfiles/rails_6_1.gemfile
   - gemfiles/rails_6_0.gemfile
   - gemfiles/rails_5_2.gemfile
   - gemfiles/rails_5_1.gemfile
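Review bot: The new `def increment(name, amount = 1, **options)` line no longer accepts the trailing positional hash that `ActiveSupport::Cache::Store#increment(name, amount = 1, options = nil)` takes, so on Ruby 3.0 (which the next patch in this series adds to CI) a caller doing `increment(key, 1, { expires_in: 60 })` raises ArgumentError instead of reaching the expiry workaround described in the comment below it. Rack::Attack's own call site is not visible here, so whether it passes keywords or a hash should be confirmed before relying on this signature. A form that accepts both styles and still avoids the 2.7 warning is `def increment(name, amount = 1, options = nil, **kwargs)` with `options = (options || {}).merge(kwargs)` as the first statement of the body. Since the throttle counter's expiry is the whole reason this override exists, a spec that calls the proxy with a positional hash on 3.0 would pin the behaviour. The body of `increment` continues past the end of this hunk.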
@@ -30,13 +31,25 @@ gemfile:
   - gemfiles/active_support_redis_store.gemfile
 
 matrix:
-  allow_failures:
-    - rvm: ruby-head
   exclude:
     - gemfile: gemfiles/rack_1.gemfile
-      rvm: 2.7.1
+      rvm: 3.0.0
+    - gemfile: gemfiles/rails_5_2.gemfile
+      rvm: 3.0.0
+    - gemfile: gemfiles/rails_5_1.gemfile
+      rvm: 3.0.0
     - gemfile: gemfiles/rails_4_2.gemfile
-      rvm: 2.7.1
+      rvm: 3.0.0
+    - gemfile: gemfiles/dalli2.gemfile
+      rvm: 3.0.0
+    - gemfile: gemfiles/connection_pool_dalli.gemfile
+      rvm: 3.0.0
+    - gemfile: gemfiles/rack_1.gemfile
+      rvm: 2.7.2
+    - gemfile: gemfiles/rails_4_2.gemfile
+      rvm: 2.7.2
+    - gemfile: gemfiles/rails_6_1.gemfile
+      rvm: 2.4.10
     - gemfile: gemfiles/rails_6_0.gemfile
       rvm: 2.4.10
   fast_finish: true
diff --git a/Appraisals b/Appraisals
index ef44d14..d4ee0a3 100644
--- a/Appraisals
+++ b/Appraisals
@@ -17,6 +17,10 @@ appraise "rack_1" do
   gem "rack-test", ">= 0.6"
 end
 
+appraise 'rails_6-1' do
+  gem 'railties', '~> 6.1.0'
+end
+
 appraise 'rails_6-0' do
   gem 'railties', '~> 6.0.0'
 end
@@ -55,12 +59,12 @@ appraise "connection_pool_dalli" do
 end
 
 appraise "active_support_redis_cache_store" do
-  gem "activesupport", "~> 5.2.0"
+  gem "activesupport", ">= 5.2", "< 6.2"
   gem "redis", "~> 4.0"
 end
 
 appraise "active_support_redis_cache_store_pooled" do
-  gem "activesupport", "~> 5.2.0"
+  gem "activesupport", ">= 5.2", "< 6.2"
   gem "connection_pool", "~> 2.2"
   gem "redis", "~> 4.0"
 end
diff --git a/gemfiles/active_support_redis_cache_store.gemfile b/gemfiles/active_support_redis_cache_store.gemfile
index 30e1e38..ac227aa 100644
--- a/gemfiles/active_support_redis_cache_store.gemfile
+++ b/gemfiles/active_support_redis_cache_store.gemfile
@@ -2,7 +2,7 @@
 
 source "https://rubygems.org"
 
-gem "activesupport", "~> 5.2.0"
+gem "activesupport", ">= 5.2", "< 6.2"
 gem "redis", "~> 4.0"
 
 gemspec path: "../"
diff --git a/gemfiles/active_support_redis_cache_store_pooled.gemfile b/gemfiles/active_support_redis_cache_store_pooled.gemfile
index 9232a9b..4e3af69 100644
--- a/gemfiles/active_support_redis_cache_store_pooled.gemfile
+++ b/gemfiles/active_support_redis_cache_store_pooled.gemfile
@@ -2,7 +2,7 @@
 
 source "https://rubygems.org"
 
-gem "activesupport", "~> 5.2.0"
+gem "activesupport", ">= 5.2", "< 6.2"
 gem "connection_pool", "~> 2.2"
 gem "redis", "~> 4.0"
 
diff --git a/gemfiles/rails_6_1.gemfile b/gemfiles/rails_6_1.gemfile
new file mode 100644
index 0000000..4c467fe
--- /dev/null
+++ b/gemfiles/rails_6_1.gemfile
@@ -0,0 +1,7 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "railties", "~> 6.1.0"
+
+gemspec path: "../"
diff --git a/rack-attack.gemspec b/rack-attack.gemspec
index 34689a3..75ca531 100644
--- a/rack-attack.gemspec
+++ b/rack-attack.gemspec
@@ -46,5 +46,5 @@ Gem::Specification.new do |s|
     s.add_development_dependency 'byebug', '~> 11.0'
   end
 
-  s.add_development_dependency 'railties', '>= 4.2', '< 6.1'
+  s.add_development_dependency 'railties', '>= 4.2', '< 6.2'
 end
diff --git a/spec/acceptance/stores/active_support_redis_cache_store_pooled_spec.rb b/spec/acceptance/stores/active_support_redis_cache_store_pooled_spec.rb
index 9c26e8d..fe95107 100644
--- a/spec/acceptance/stores/active_support_redis_cache_store_pooled_spec.rb
+++ b/spec/acceptance/stores/active_support_redis_cache_store_pooled_spec.rb
@@ -21,6 +21,6 @@ if should_run
       Rack::Attack.cache.store.clear
     end
 
-    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.fetch(key) })
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.read(key) })
   end
 end
diff --git a/spec/acceptance/stores/active_support_redis_cache_store_spec.rb b/spec/acceptance/stores/active_support_redis_cache_store_spec.rb
index f595ec2..a824ede 100644
--- a/spec/acceptance/stores/active_support_redis_cache_store_spec.rb
+++ b/spec/acceptance/stores/active_support_redis_cache_store_spec.rb
@@ -20,6 +20,6 @@ if should_run
       Rack::Attack.cache.store.clear
     end
 
-    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.fetch(key) })
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.read(key) })
   end
 end
From 6328ddcb1932c64459b93b7a9bdcbb661e73d3da Mon Sep 17 00:00:00 2001
From: Gonzalo
Date: Sat, 23 Jan 2021 14:14:01 -0300
Subject: [PATCH 12/12] Bump gem version to v6.4

---
 CHANGELOG.md               | 11 +++++++++++
 lib/rack/attack/version.rb |  2 +-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a7940ac..71008c9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,16 @@
 
 All notable changes to this project will be documented in this file.
 
+## [6.4.0] - 2021-01-23
+
+### Added
+
+- Added support for ruby v3.0
+
+### Removed
+
+- Dropped support for ruby v2.3
+
 ## [6.3.1] - 2020-05-21
 
 ### Fixed
@@ -222,6 +232,7 @@ so your custom code is less prone to race conditions ([#282](https://github.com/
 - Remove unused variable
 - Extract mandatory options to constants
 
+[6.4.0]: https://github.com/rack/rack-attack/compare/v6.3.1...v6.4.0/
 [6.3.1]: https://github.com/rack/rack-attack/compare/v6.3.0...v6.3.1/
 [6.3.0]: https://github.com/rack/rack-attack/compare/v6.2.2...v6.3.0/
 [6.2.2]: https://github.com/rack/rack-attack/compare/v6.2.1...v6.2.2/
diff --git a/lib/rack/attack/version.rb b/lib/rack/attack/version.rb
index 7b5859c..fb11922 100644
--- a/lib/rack/attack/version.rb
+++ b/lib/rack/attack/version.rb
@@ -2,6 +2,6 @@
 
 module Rack
   class Attack
-    VERSION = '6.3.1'
+    VERSION = '6.4.0'
   end
 end