sjs/rack-attack
1
0
Fork 0
mirror of https://github.com/samsonjs/rack-attack.git synced 2026-03-25 09:25:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
871 commits 1 branch 0 tags 1.1 MiB
Commit graph

200 commits

Author SHA1 Message Date
Gonzalo Rodriguez
4862ca5a00
Acceptance test ability to subscribe to safelisting events 2018-03-26 16:20:51 -03:00
Gonzalo Rodriguez
576a97c2a5
Acceptance test ability to subscribe to throttling events 2018-03-26 16:16:44 -03:00
Gonzalo Rodriguez
21fe32b895
Acceptance test ability to subscribe to blocking events 2018-03-26 16:00:32 -03:00
Gonzalo Rodriguez
7a87ca2ff7
Give clearer error message for misconfigured cache store for allow/fail2ban 2018-03-23 14:18:07 -03:00
Gonzalo Rodriguez
f99a7a0745
Merge pull request #311 from grzuy/acceptance_test_match_data 
Acceptance test access to match data in custom responses
 2018-03-22 17:41:52 -03:00
Gonzalo Rodriguez
3f5574c4e4
Acceptance test ability to access match data in #throttled_response 2018-03-22 11:48:56 -03:00
Gonzalo Rodriguez
da1f54b6fc
Acceptance test ability to access match data in #blocklisted_response 2018-03-22 11:44:41 -03:00
Gonzalo Rodriguez
ba91e23419
Acceptance test ability to extend the request object 2018-03-22 10:44:32 -03:00
Gonzalo Rodriguez
0ff1b5be83
Make throttling_spec work when running it with rails 4.2 2018-03-21 17:29:44 -03:00
Gonzalo Rodriguez
08b2cc4d95
Acceptance test throttling with a dynamic period 2018-03-21 17:10:27 -03:00
Domenoth
5004b04ac7 Change object type yielded to ActiveSupport::Subscribers 
https://github.com/kickstarter/rack-attack/issues/255

Change the object type from instances of type Rack::Attack::Request to
instances of type Hash. (`req` becomes `request: req`).
 2018-03-21 11:32:09 -07:00
Gonzalo Rodriguez
e17d2d8974
Acceptance test throttling with a dynamic limit 2018-03-20 19:07:31 -03:00
Gonzalo Rodriguez
8b4f27827d
Merge pull request #307 from grzuy/acceptance_test_store_config 
Acceptance test cache store config when Rails is present
 2018-03-20 18:15:25 -03:00
Gonzalo Rodriguez
330d25c832
Acceptance test cache store config when Rails is present 2018-03-20 11:42:27 -03:00
Gonzalo Rodriguez
5e0cd031b6
Acceptance test throttle Retry-After header 2018-03-20 10:24:25 -03:00
Gonzalo Rodriguez
bde30e38d7
Acceptance test cache store config for allow2ban 2018-03-16 18:20:27 -03:00
Gonzalo Rodriguez
32ec6f778a
Acceptance test cache store config for fail2ban 2018-03-16 18:11:45 -03:00
Gonzalo Rodriguez
9e16049d00
Merge branch 'acceptance_test_fail2ban' 2018-03-16 16:44:03 -03:00
Gonzalo Rodriguez
4d5a6936ce
Acceptance test allow2ban 2018-03-16 16:14:52 -03:00
Gonzalo Rodriguez
14c8b9261c
Acceptance test fail2ban 2018-03-16 15:29:01 -03:00
Gonzalo Rodriguez
666dc3d894
Acceptance test ability to customize blocked/throttled responses (#298) 
* Acceptance test ability to customize blocked/throttled responses

* Don't let customizations to blocklisted/throttled responses leak to other test cases
 2018-03-15 15:24:22 -03:00
Gonzalo Rodriguez
02908ce5ca
Acceptance test cache store config for throttle without Rails 2018-03-14 17:40:30 -03:00
Gonzalo Rodriguez
564cbedb36
Acceptance test that tracking throttles doesn't actually throttle requests 2018-03-13 18:27:19 -03:00
Gonzalo Rodriguez
066434973f
Acceptance test Rack::Attack#track for throttle 2018-03-13 14:43:37 -03:00
Gonzalo Rodriguez
569ecec7c7
Acceptance test Rack::Attack#track 2018-03-13 14:19:22 -03:00
Gonzalo Rodriguez
2406435663
Ability to use byebug easily while developing/testing 2018-03-09 13:52:06 -03:00
Gonzalo Rodriguez
922917d5a4
Merge pull request #274 from grzuy/help_debug_cache_issues 
Help users understand more clearly when the store is misconfigured
 2018-03-09 10:28:08 -03:00
Gonzalo Rodriguez
53b0561e7f
Merge pull request #272 from grzuy/rack_lint 
Use Rack::Lint in tests to check any change continues to comply with the rack spec
 2018-03-09 10:11:05 -03:00
Gonzalo Rodriguez
8603a3e056
Merge pull request #266 from grzuy/test_understandability 
Attempt to make it easier to understand that the method is making assertions
 2018-03-09 10:10:48 -03:00
Gonzalo Rodriguez
66909c6419
Merge pull request #269 from grzuy/acceptance_tests 
Adds acceptance-oriented tests
 2018-03-08 18:17:35 -03:00
Kyle d'Oliveira
9dbece5272 Add an reader for the epoch_time variable in the cache so that it can also be returned in the data from the throttle. 
This is allows access to the same time that the cache uses for the count. This can be important for clients that want to provide rate limit information for well-behaved clients
 2018-02-15 14:45:35 -08:00
Gonzalo Rodriguez
7bb7a05987 Help users understand more clearly when the store is misconfigured 2018-02-01 10:06:39 -03:00
Gonzalo Rodriguez
f27432df91 Use Rack::Lint in tests to check any change continues complying with the rack spec 2018-01-30 10:08:20 -03:00
Gonzalo Rodriguez
980633e1a9 Adds acceptance-oriented tests 2018-01-25 18:21:29 -03:00
Gonzalo Rodriguez
73e267782b Remove request duplication in rack_attack_spec.rb 2018-01-25 10:54:19 -03:00
Gonzalo Rodriguez
ca739946ce Attempt to make it easier to understand that the method is making assertions 2018-01-25 10:53:47 -03:00
Corey Farwell
6f545e2665
Merge pull request #262 from grzuy/legibility 
Attempt to improve legibility
 2018-01-23 17:46:03 -05:00
Corey Farwell
f91f3a403c
Merge pull request #264 from grzuy/drop_support_for_rails_3 
Drop support for unmaintaned Rails 3
 2018-01-23 17:45:29 -05:00
Gonzalo Rodriguez
34ee066eac Drop support for Rails 3 2018-01-23 16:12:16 -03:00
Gonzalo Rodriguez
e8102910bf Fixes warning 'DEPRECATED: Use assert_nil if expecting nil from ...' 2018-01-23 15:07:49 -03:00
Gonzalo
79d21fc3ac Attempt to improve legibility 2018-01-19 12:00:38 -03:00
Mike Ferrier
031efcd123 add a spec to specify the behavior of non-matching throttle blocks 2016-07-13 10:20:08 -04:00
Aaron Suggs
ff22014a03 [tests] Fix gotcha with new activesupport redis versions 
This fixes the error:

    uninitialized constant ActiveSupport::VERSION

when loading active_support/cache/redis_store
 2016-07-11 15:23:06 -04:00
Aaron Suggs
f5f08d56e5 More safelist/blocklist refactoring 
- Add Rack::Attack namespace to deprecation warning.
- Add deprecated Rack::Attack.blacklisted_response attr methods.
 2016-07-04 21:42:41 -04:00
Renée Hendricksen
e1a0c804e1 suggesting changing whitelist/blacklist language to less controversial safelist/blocklist language 
add deprication warnings

fix the method signatures
 2016-07-01 21:44:45 -04:00
Vincent Boisard
297ef4a2ae Merge branch 'master' of github.com:kickstarter/rack-attack 2015-12-29 10:10:36 +01:00
Aaron Suggs
76c2e31430 Normalize request paths when using Rails' ActionDispatch 
The issue
---

When using rack-attack with a rails app, developers expect the request
path to be normalized. In particular, trailing slashes are stripped so
a request path "/login/" becomes "/login" by the time you're in
ActionController.

Since Rack::Attack runs before ActionDispatch, the request path is not
yet normalized. This can cause throttles and blacklists to not work as
expected.

E.g., a throttle:

    throttle('logins', ...) {|req| req.path == "/login" }

would not match a request to '/login/', though Rails would route
'/login/' to the same '/login' action.

The solution
---

This patch looks if ActionDispatch's request normalization is loaded,
and if so, uses it to normalize the path before processing throttles,
blacklists, etc.

If it's not loaded, the request path is not modified.

Credit
---
Thanks to Andres Riancho at Include Security for reporting this issue.
 2015-12-18 11:12:11 -05:00
Aaron Suggs
11faea4526 specs: use pry instead of debugger 2015-12-18 08:55:09 -05:00
Vincent Boisard
397a7ce7b4 feature: support for ActiveSupport::MemCacheStore 2015-12-08 10:53:53 +01:00
Aaron Suggs
64fe10f64e Clarifying comments for #delete spec method 2015-05-22 13:48:32 -04:00
Stan Hu
91947b83a4 Support the ability to reset Fail2Ban count and ban flag 
Closes #113
 2015-05-22 09:47:32 -04:00
Stan Hu
ff15447f3a Support delete method for Redis 2015-03-15 12:13:44 -07:00
Aaron Suggs
b0bf74f9d9 Fix test assertion 2015-01-27 16:18:55 -05:00
Genadi Samokovarov
d9a5587676 Allow throttle period option to be a proc 
I need to filter requests on a period I need to get dynamically out of
information I have in the requests. Currently, I can work out the limit,
as it can be a `Proc`, however I can't do that with the period.

This PR adds support for that. Tried to do it in a way that doesn't
brake backwards compatibility, as periods are coerced to numbers during
`Rack::Throttle` initialization.
 2014-09-19 19:32:39 +02:00
Paul Coates
e8d98a7ad3 Changed track checker to track filter. Made track filter tests more clear. 2014-05-22 10:11:23 -07:00
Paul Coates
1ebe1c3517 Added limit and period options to track. Delegates [] to Throttle if they are present otherwise Check. 2014-05-19 11:11:01 -07:00
blahed
97dce48bfc add throttle discriminator to rack env 2014-05-01 22:20:13 -04:00
Aaron Suggs
833e1e937d Integration tests: use 127.0.0.1 instead of localhost 2014-04-25 13:19:22 -05:00
hakanensari
5ff5bf44ba Don't memoize in test 
I don’t think this has any side effect, but still…
 2014-04-17 18:21:13 +01:00
hakanensari
5d72c6e5f9 Move individual proxy classes to separate files 2014-04-15 16:19:43 +01:00
hakanensari
bf40123c04 Move offline case to separate file 2014-04-15 16:17:27 +01:00
hakanensari
f0a53f474e Stub #with on delegator 2014-04-09 13:15:00 +01:00
hakanensari
937cd3ca20 Merge branch 'master' into patch-3 2014-04-09 12:17:10 +01:00
hakanensari
1c0bc3da4d Merge branch 'patch-2' into patch-3 
Conflicts:
	lib/rack/attack/store_proxy.rb
 2014-04-09 12:16:16 +01:00
Tristan Dunn
16f1cfc578 Add a custom request class to allow for helper methods. 
Fixes #58.
 2014-04-04 14:41:59 -05:00
hakanensari
128c5aa9bf Support a Dalli Connection Pool 2014-04-01 12:10:32 +01:00
hakanensari
adab844784 Support older dalli client versions 2014-04-01 11:21:14 +01:00
hakanensari
a7ec48fb44 Implement Proxy for Dalli 
kickstarter/rack-attack#52
 2014-03-26 21:54:12 +00:00
Aaron Suggs
671f3d4c40 [travisci] Fix Errno::ENETUNREACH errors in redis integration tests 2014-03-15 14:51:15 -04:00
Aaron Suggs
2a7ae7d84d Integration tests: less flakiness by sleeping more 2014-03-15 14:41:50 -04:00
Aaron Suggs
cabadf3dc0 Better organize integration tests 
Add rake tasks `test:units` and `test:integration`

Run integration tests by default on TravisCi.
Run memcached and redis on TravisCi.
 2014-03-15 14:21:37 -04:00
Will Kimeria
87f628d0c1 If redis client throws exception, don't raise it 
For throttling, when the redis client throws an exception, the request
ends up getting rate limited. Modify this to be similar to how
ActiveSupport.MemCacheStore functions (the read, write and increment
methods do not raise exceptions)
 2014-03-14 11:50:59 -07:00
Carsten Zimmermann
1095f85242 Change response body to 'Forbidden' 2014-02-06 23:29:44 +01:00
Carsten Zimmermann
97a43f7e66 Return 403 Forbidden instead of 401 
401 Unauthorized suggests that the requests can be
retried with appropriate credentials. 403 explicitly
states that the request should not be repeated.

See #41
 2014-02-06 21:32:51 +01:00
Aaron Suggs
c42e035f62 specs: fix MiniTest typo for older ruby versions 2013-10-09 15:31:52 -04:00
Jordan Moncharmont
273e045f10 fix edge case, if maxretry is 1, let them get 1 request in 2013-09-27 17:35:01 -07:00
Jordan Moncharmont
ef59c5182a Allow2Ban 
An alternate to fail2ban that allows clients until they hit the
thresholds, then blocks them.  Think of it like a throttle where you can
block for more than one period.
 2013-09-27 17:18:52 -07:00
Aaron Suggs
1d367f5acd version 2.3.0, update changelog, copy tweaks 2013-08-20 11:39:44 -04:00
Pedro Nascimento
ab6d7b239d Allow limit option to be a proc. 
This allows you to do stuff like:
`req.env["USER"] == "god" ? 1000 : 1`
 2013-08-19 19:47:48 -03:00
Alex Volkovitsky & Sachin Maharjan
f348643c24 Fix spec expectations 2013-06-28 13:59:31 -07:00
Aaron Suggs
24143dd195 Cleanup whitespace 2013-06-20 10:19:56 -04:00
madlep
2819e0d7a4 collapse fail2ban name/discriminator into one argument 2013-06-17 08:50:39 +10:00
madlep
baffa83687 spec for Fail2Ban 2013-06-14 15:37:02 +10:00
madlep
6c259ea9be delegate Redis custom logic to StoreProxy 
this removes ugly `if redis blah` code from cache
 2013-06-12 15:03:39 +10:00
madlep
22fc386bad add read/write methods to cache 2013-06-12 15:03:24 +10:00
Vipul A M
384892ce4c Make debugger dependency only for ruby platforms 2013-05-06 20:58:01 +05:30
Vipul A M
4fcbe790ed Remove debugger dependency, as it isn't used 2013-05-06 11:53:58 +05:30
Aaron Suggs
ecec8576ae Show some minitest pride 2013-03-04 21:06:53 -05:00
Aaron Suggs
cf508e1d18 Support RedisStore as cache store 
Add tests for different cache stores
 2013-02-25 12:09:59 -05:00
Aaron Suggs
80367e1e4a Add Rack::Attack.track. 
track will fire notifications, but not alter request processing
 2013-01-10 19:02:49 -05:00
Aaron Suggs
e7aa5f4abe Use rotating cache keys for throttle (instead of expiring) 
Throttles use a cache key with a timestamp (Time.now.to_i/period), so a
new cache key is used for each period.

No longer set an explicit expiry on each cache key (though it may
inherit a default expiry from the cache store).

Also, set env['rack.attack.throttle_data'] with info about incremented
(but not necessarily exceeded) throttles.
 2012-08-08 14:59:42 -04:00
Aaron Suggs
8e59e84e00 Response header values must be strings 2012-08-02 12:15:16 -04:00
Aaron Suggs
ccdc1f993a Change instrumentation API for simpler notifications 2012-07-30 15:44:22 -04:00
Aaron Suggs
61a046a203 Cleanup instrumentation interface 2012-07-30 09:34:30 -04:00
Aaron Suggs
c90a0182eb Allow custom responses based on env 2012-07-28 19:51:24 -04:00
Aaron Suggs
dc2e402812 Initial working version 2012-07-27 17:40:11 -04:00
Aaron Suggs
e166e87fb9 Add throttle support 2012-07-27 17:22:49 -04:00
Aaron Suggs
9284a08cc3 Whitelists support 2012-07-26 17:29:09 -04:00
Aaron Suggs
7fab5df499 WIP 2012-07-24 19:59:46 -04:00
Aaron Suggs
140ea86b7c Initial commit 2012-07-24 19:40:55 -04:00