sjs/rack-attack
1
0
Fork 0
mirror of https://github.com/samsonjs/rack-attack.git synced 2026-03-25 09:25:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
854 commits 1 branch 0 tags 1.1 MiB
Commit graph

7 commits

Author SHA1 Message Date
Katsuhiko YOSHIDA
d3be2f31a5 Replace git.io URL 2022-04-28 19:14:17 +09:00
Gonzalo Rodriguez
c8021da91c
style: avoid compact class/module definitions 2019-08-02 11:17:41 -03:00
Gonzalo Rodriguez
8315a1e7e1
Remove support for unmaintained ruby 2.2 2018-06-28 17:08:15 -03:00
Lucas Mansur
11e9557ccb [Fixes #302] Initial style guide adoption (#330) 
* Initial Rubocop configuration

* Fix Rubocop layout offenses for lib

* Fix some spec offenses

* Fix leftover layout offenses
 2018-03-30 16:08:00 -03:00
Koen Rouwhorst
0457bf22f9 Updated all non-secure HTTP URLs to HTTPS. 2018-03-29 18:41:40 +02:00
Gonzalo Rodriguez
34ee066eac Drop support for Rails 3 2018-01-23 16:12:16 -03:00
Aaron Suggs
76c2e31430 Normalize request paths when using Rails' ActionDispatch 
The issue
---

When using rack-attack with a rails app, developers expect the request
path to be normalized. In particular, trailing slashes are stripped so
a request path "/login/" becomes "/login" by the time you're in
ActionController.

Since Rack::Attack runs before ActionDispatch, the request path is not
yet normalized. This can cause throttles and blacklists to not work as
expected.

E.g., a throttle:

    throttle('logins', ...) {|req| req.path == "/login" }

would not match a request to '/login/', though Rails would route
'/login/' to the same '/login' action.

The solution
---

This patch looks if ActionDispatch's request normalization is loaded,
and if so, uses it to normalize the path before processing throttles,
blacklists, etc.

If it's not loaded, the request path is not modified.

Credit
---
Thanks to Andres Riancho at Include Security for reporting this issue.
 2015-12-18 11:12:11 -05:00