Olle Jonsson
44b6a7353a
Use RuboCop 0.84.0
- this enables each of the new Cops and marks each with the version
they appeared in
(cherry picked from commit c07fcdde43)
2021-01-23 13:55:46 -03:00
Ryan Laughlin
9da0bb7712
Consolidate #testing section of README
(cherry picked from commit 029b5481fe)
2021-01-23 13:55:46 -03:00
Lukas Spieß
614e10aa9c
Use gender-neutral pronoun in Readme
(cherry picked from commit 58b4042e35)
2021-01-23 13:55:45 -03:00
fatkodima
1d2c646ae1
Remove support for ruby 2.3
(cherry picked from commit 56361ab56b)
2021-01-23 13:55:21 -03:00
brchristian
5945fbcdf5
Use single quotes in example configuration
2021-01-16 10:19:33 -08:00
Gonzalo
55d5e370fd
test: update ruby and rails versions
2020-12-27 16:57:15 -03:00
Gonzalo Rodriguez
e40c3dda44
Merge pull request #509 from fukayatsu/fix-ruby-2.7-kw-warnings-on-increment
Fix Ruby 2.7 kwargs warning in RedisCacheStoreProxy
2020-12-27 00:31:32 -03:00
Gonzalo Rodriguez
1cb24da681
Merge pull request #512 from joevandyk/patch-1
Fix speling in README
2020-12-26 00:12:36 -03:00
Gonzalo
26476670f4
docs: update repo references after move to rack org
2020-12-25 23:51:59 -03:00
Gonzalo
cbae022df1
build: update rubocop to earlier version fixing the LineLength crash
2020-12-25 23:47:14 -03:00
Joe Van Dyk
7b3376021b
Fix speling in README
2020-12-24 12:58:47 -08:00
fukayatsu
9020201ff5
Fix Ruby 2.7 kwargs warning in RedisCacheStoreProxy
2020-12-15 23:25:37 +09:00
Gonzalo Rodriguez
6d1bc9b617
Merge pull request #493 from eliotsykes/mitigate-throttle-bypass-in-docs
Mitigate login throttle bypasses in docs
2020-08-01 17:04:47 -03:00
Eliot Sykes
03926e0b75
Mitigate login throttle bypasses in docs
This commit mitigates rate limit bypasses in the configuration
docs by normalizing the email throttle key. (The normalization process
used is the same as used by the Clearance gem.)
---
Often an authentication process normalizes email addresses and usernames
before look up, say by downcasing and removing any whitespace.
Throttles that do not perform the same normalization are vulnerable
to rate limit bypasses.
For example, an attacker can bypass a vulnerable throttle by using
unlimited case and whitespace variants for the same email address:
- Variant 1: `victim@example.org`
- Variant 2: `victim@example. org` (one whitespace)
- Variant 3: `victim@example. org` (two whitespaces)
- Variant 4: `ViCtIm@eXaMpLe.org`
- etc, etc.
All of these variants resolve to the same email address, but allow
an attacker to bypass a vulnerable throttle. To mitigate, the email
throttle key should be normalized using the same logic the
authentication process uses for normalizing emails.
2020-07-28 11:33:52 +01:00
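The bypass described in the commit above, as an added example that is not rack-attack's own code: a toy in-memory throttle (a stand-in for Rack::Attack.throttle, which counts in the cache store) keyed once on the raw submitted email and once on the normalized one, replayed against constructed variants of a single address. The path, limit and request shape are assumptions for illustration.

```ruby
# Added example (not rack-attack project code): a toy in-memory throttle that
# shows why the login throttle key must be normalized exactly as the
# authentication lookup normalizes it.

# Same normalization the commit describes (Clearance-style): downcase and
# remove all whitespace. Returns nil for a blank value so the throttle is
# skipped instead of being keyed on an empty string.
def normalize_email(raw)
  email = raw.to_s.downcase.gsub(/\s+/, "")
  email.empty? ? nil : email
end

# Stand-in for Rack::Attack.throttle: counts hits per discriminator value in
# memory (real deployments count in the cache store) and reports whether the
# request is still within the limit.
class ToyThrottle
  def initialize(limit, &discriminator)
    @limit = limit
    @discriminator = discriminator
    @counts = Hash.new(0)
  end

  # :skipped when the discriminator returns nil, otherwise :allowed/:throttled.
  def call(req)
    key = @discriminator.call(req)
    return :skipped if key.nil?
    @counts[key] += 1
    @counts[key] > @limit ? :throttled : :allowed
  end
end

# A login throttle of 5 attempts per window (assumed limit), keyed either on
# the raw submitted email (vulnerable) or on the normalized one (hardened).
def build_login_throttle(normalize:)
  ToyThrottle.new(5) do |req|
    next nil unless req[:path] == "/login" && req[:method] == "POST"
    raw = req[:params]["email"]
    normalize ? normalize_email(raw) : raw
  end
end

# Constructed attacker traffic: eight spellings of one address, as in the
# commit message. All resolve to the same account after normalization.
ATTACK_VARIANTS = [
  "victim@example.org", "victim@example. org", "victim@example.  org",
  "ViCtIm@eXaMpLe.org", " victim@example.org", "VICTIM@EXAMPLE.ORG",
  "victim @example.org", "Victim@Example.Org",
].freeze

# Replay the variants through a fresh throttle; returns how many were allowed.
def replay(normalize:)
  throttle = build_login_throttle(normalize: normalize)
  ATTACK_VARIANTS.count do |email|
    req = { path: "/login", method: "POST", params: { "email" => email } }
    throttle.call(req) == :allowed
  end
end

if __FILE__ == $PROGRAM_NAME
  total = ATTACK_VARIANTS.size
  puts "raw key:        #{replay(normalize: false)} of #{total} attempts allowed"  # 8
  puts "normalized key: #{replay(normalize: true)} of #{total} attempts allowed"   # 5
end
```

With the raw key every variant lands in its own counter, so all eight attempts pass; with the normalized key they share one counter and the sixth onward is throttled. The normalization must match the authentication lookup exactly: if the application also strips plus-tags or Gmail-style dots before looking the account up, the throttle key has to do the same, otherwise the gap reopens.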
Tristan Toye
f92889b360
Clarify Calling HTTP_APIKey header in example (#488)
* Clarify Calling HTTP_ header in example
In trying to track down a bug here, it turns out I was trying to reference the wrong header shown in the README.
Printing out `request.env`, it becomes clear this is just the full request object:
```
{"rack.version"=>[1, 3],
"rack.errors"=>#<IO:<STDERR>>,
"rack.multithread"=>true,
"rack.multiprocess"=>false,
"rack.run_once"=>false,
"SCRIPT_NAME"=>"",
"QUERY_STRING"=>"",
"SERVER_PROTOCOL"=>"HTTP/1.1",
"SERVER_SOFTWARE"=>"puma 4.3.5 Mysterious Traveller",
"GATEWAY_INTERFACE"=>"CGI/1.2",
"REQUEST_METHOD"=>"POST",
"REQUEST_PATH"=>"/api/v1/....",
"REQUEST_URI"=>"/api/v1/...",
"HTTP_VERSION"=>"HTTP/1.1",
"HTTP_HOST"=>"example.com",
"HTTP_APIKEY"=>"secret_key",
"CONTENT_TYPE"=>"application/json",
"HTTP_USER_AGENT"=>"PostmanRuntime/7.25.0",
"HTTP_ACCEPT"=>"*/*",
"HTTP_CACHE_CONTROL"=>"no-cache",
...
```
* Update README.md
2020-06-07 13:11:30 -03:00
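Why the header shows up as `HTTP_APIKEY`, as an added example that is not rack-attack's own code: the CGI-style renaming Rack applies to request headers, a helper that looks a header up by its HTTP name, and a throttle discriminator that keys API requests on the presented key. The env is constructed after the dump in the commit message; `PATH_INFO`, the `/api/` prefix and the discriminator's shape are assumptions.

```ruby
require "digest"

# Added example, not rack-attack's own code: how a request header name maps to
# the Rack env key the commit found (ApiKey -> HTTP_APIKEY), plus a throttle
# discriminator that reads it. Names below are illustrative assumptions.

# Rack exposes request headers CGI-style: upper-case, "-" becomes "_", and
# everything except Content-Type / Content-Length gets an HTTP_ prefix.
def env_key_for(header_name)
  upper = header_name.to_s.upcase.tr("-", "_")
  %w[CONTENT_TYPE CONTENT_LENGTH].include?(upper) ? upper : "HTTP_#{upper}"
end

# Read a header from the env by its HTTP name instead of guessing the env key.
def header(env, name)
  env[env_key_for(name)]
end

# Throttle discriminator for API traffic: key on the presented API key so one
# client cannot spend a shared IP's budget, fall back to the IP when no key is
# sent, and return nil for non-API paths so the throttle is skipped. The key
# is hashed first so the raw secret never becomes a cache key or log line.
def api_discriminator(env)
  return nil unless env["PATH_INFO"].to_s.start_with?("/api/")
  key = header(env, "ApiKey")
  if key && !key.empty?
    "key:#{Digest::SHA256.hexdigest(key)[0, 16]}"
  else
    "ip:#{env['REMOTE_ADDR']}"
  end
end

# Constructed env modelled on the request.env dump in the commit message.
# PATH_INFO is the Rack-standard path key; REQUEST_PATH in the dump is set by
# the server (puma) and is not guaranteed by the Rack spec.
SAMPLE_ENV = {
  "REQUEST_METHOD"  => "POST",
  "PATH_INFO"       => "/api/v1/widgets",
  "REQUEST_PATH"    => "/api/v1/widgets",
  "REMOTE_ADDR"     => "203.0.113.7",
  "HTTP_HOST"       => "example.com",
  "HTTP_APIKEY"     => "secret_key",
  "CONTENT_TYPE"    => "application/json",
  "HTTP_USER_AGENT" => "PostmanRuntime/7.25.0",
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts env_key_for("ApiKey")          # HTTP_APIKEY
  puts env_key_for("X-Api-Key")       # HTTP_X_API_KEY
  puts header(SAMPLE_ENV, "ApiKey")   # secret_key
  puts api_discriminator(SAMPLE_ENV)  # key:<16 hex chars>
end
```

Inside a Rack::Attack throttle block the same lookup is `req.env["HTTP_APIKEY"]` (or `req.get_header("HTTP_APIKEY")`); what matters is that the env key, not the original header spelling, is what the middleware sees.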
Gonzalo Rodriguez
e148cf2a73
Merge pull request #486 from olleolleolle/rubocop-084
Use RuboCop 0.84.0
2020-06-03 19:37:41 -03:00
Olle Jonsson
c07fcdde43
Use RuboCop 0.84.0
- this enables each of the new Cops and marks each with the version
they appeared in
2020-05-24 17:50:56 +02:00
Gonzalo Rodriguez
493157d555
Merge branch '6-stable'
2020-05-20 23:53:44 -03:00
Gonzalo Rodriguez
3a5d10c8b3
Bump gem version to v6.3.1
2020-05-20 23:19:26 -03:00
Gonzalo Rodriguez
02f56979f1
Merge pull request #482 from splitwise/rofreg/avoid-rails-5.2.4.3-deprecation-warning
Fix deprecation warning in Rails 5.2.4.3
2020-05-20 23:03:29 -03:00
Gonzalo Rodriguez
91596db90f
Merge pull request #482 from splitwise/rofreg/avoid-rails-5.2.4.3-deprecation-warning
Fix deprecation warning in Rails 5.2.4.3
2020-05-20 21:33:13 -03:00
Ryan Laughlin
31dd7a8d17
Override RedisCacheStoreProxy#read to always use raw: true
2020-05-20 10:34:58 -04:00
Gonzalo Rodriguez
d92f66c8d9
Merge pull request #483 from splitwise/rofreg/clean-up-documentation
Consolidate #testing section of README
2020-05-18 20:24:53 -03:00
Ryan Laughlin
029b5481fe
Consolidate #testing section of README
2020-05-18 17:41:58 -04:00
Ryan Laughlin
d5a240d9d2
Fix deprecation warning in Rails 5.2.4.3
2020-05-18 17:14:12 -04:00
Gonzalo Rodriguez
fe5deb9093
Merge branch '6-stable'
2020-04-26 13:09:29 -03:00
Gonzalo Rodriguez
35e4983400
doc: add Testing section to the README
2020-04-26 13:09:13 -03:00
Gonzalo Rodriguez
33b7c3b233
Merge branch '6-stable'
2020-04-26 12:39:42 -03:00
Gonzalo Rodriguez
aa071aa5df
Bump gem version to v6.3.0
2020-04-26 11:57:31 -03:00
Gonzalo Rodriguez
76bbada48f
ci: update rubies
2020-04-25 16:30:34 -03:00
Gonzalo Rodriguez
4c33737ed3
build: update rubocop to v0.78
2020-04-25 16:29:17 -03:00
Gonzalo
8787f7db5a
ci: test against latest rack minor versions
2020-04-25 16:28:48 -03:00
Gonzalo
aeac2d4887
ci: update to final ruby 2.7
2020-04-25 16:28:34 -03:00
Gonzalo Rodriguez
fadb98f25c
ci: update Travis dist to bionic
2020-04-25 16:28:27 -03:00
Gonzalo
8bbd0ab702
ci: test against ruby 2.7.0
- don't test ruby 2.7.0 with incompatible rails versions
2020-04-25 16:28:17 -03:00
fatkodima
9923012fe8
Allow to reset state between tests
2020-04-25 16:22:55 -03:00
Gonzalo Rodriguez
64f879395d
Merge commit '8fcd6c855915c802adeeb1784c503fc74115f5a3' into 6-stable
2020-04-25 16:17:37 -03:00
Gonzalo Rodriguez
53c1d93fd1
style: avoid multiline ternary operator
2020-04-25 15:42:30 -03:00
Gonzalo Rodriguez
8ededbc738
ci: update rubies
2020-04-25 15:31:19 -03:00
Gonzalo Rodriguez
1c0c232a63
Revert "docs: help users write more clear bug reports with a template"
This reverts commit 0a80e30f46.
2020-04-25 15:29:45 -03:00
Gonzalo Rodriguez
688fee3046
build: update rubocop to v0.78
2020-04-05 19:21:59 -03:00
Gonzalo Rodriguez
580368fadd
Merge pull request #473 from kickstarter/ci
ci: test against latest rack minor versions
2020-02-10 14:17:45 -03:00
Gonzalo
9f93d34492
ci: test against latest rack minor versions
2020-02-10 13:16:10 -03:00
Gonzalo
0a80e30f46
docs: help users write more clear bug reports with a template
2020-01-27 16:03:41 -03:00
Gonzalo
addadf6b31
ci: update to final ruby 2.7
2020-01-06 13:09:04 -03:00
Gonzalo Rodriguez
fa5ef552d3
ci: update Travis dist to bionic
2019-12-18 15:06:24 -03:00
Gonzalo
f413efc796
ci: test against ruby 2.7.0
- don't test ruby 2.7.0 with incompatible rails versions
2019-12-18 15:03:54 -03:00
Gonzalo
626eb8e133
Merge branch '6-stable'
2019-12-18 13:24:56 -03:00
Gonzalo Rodriguez
da41880663
Bump gem version to v6.2.2
2019-12-18 11:44:15 -03:00
Gonzalo Rodriguez
d7b67011b7
ci: fix rubygems install step
2019-12-18 11:43:42 -03:00