Gonzalo
f5f92f4459
Bump gem version to v6.6.1
2022-04-13 22:50:01 -03:00
Gonzalo
07822ada92
ci: update rubies
2022-04-13 22:47:06 -03:00
Gonzalo
b0be38334a
Merge pull request #575 from sixpark/adriancb/update_readme
...
fix(documentation): Updating README with non-deprecated configuration.
2022-03-19 22:19:11 -03:00
Adrian CB
8313e38df3
fix(documentation): Updating README with non-deprecated configuration.
2022-03-08 16:58:58 +11:00
Samuel Williams
933c0576b8
Lower case headers. (#573)
2022-02-19 13:56:02 +13:00
Gonzalo
d41abd7908
Merge pull request #572 from ixti/ixti/fix-redis-4.6.0-warnings
...
fix: Fix redis-rb 4.6.0 deprecation warnings
2022-02-07 14:51:53 -03:00
Alexey Zapparov
c01208afe6
fix: Fix redis-rb 4.6.0 deprecation warnings
...
Redis 4.6.0 deprecated calling commands on `Redis` inside `#pipelined`:
    redis.pipelined do
      redis.get("key")
    end
The above should be:
    redis.pipelined do |pipeline|
      pipeline.get("key")
    end
See: https://github.com/redis/redis-rb/pull/1059
2022-02-04 21:14:00 +01:00
Gonzalo
82181325bc
docs: update docs to point to main branch
2022-02-01 09:48:23 -03:00
Gonzalo
d0ec4de69b
Bump gem version to v6.6.0
2022-01-29 16:15:15 -03:00
Gonzalo
3eca60dba1
Merge pull request #556 from zarqman/dalli3-and-rails7
...
Add support for Rails 7.0
2022-01-29 16:02:28 -03:00
Gonzalo
97abc93889
test: update rails 7 appraisal after final release
2022-01-29 15:52:40 -03:00
Gonzalo
8d9c884d40
Merge branch 'master' into dalli3-and-rails7
2022-01-29 15:51:25 -03:00
Gonzalo
d2040063fb
Merge branch 'ruby-3-1'
2022-01-29 15:39:18 -03:00
Gonzalo
9ccf6286d1
Merge pull request #565 from orhantoy/include-license-in-gem-build
...
Include LICENSE in gem build
2022-01-29 15:37:06 -03:00
Gonzalo
501ab01573
ci: run tests against ruby 3.1
2022-01-29 15:36:58 -03:00
Gonzalo
aaeff6d0ae
feat: deprecate throttled_response and blocklisted_response
2022-01-29 15:22:19 -03:00
Gonzalo
8bf9d4efad
refactor: attempt to make method name more self explanatory and clear
2022-01-29 15:06:13 -03:00
Orhan Toy
c95f9624aa
Include LICENSE in gem build
2022-01-28 19:04:52 +01:00
Gonzalo
a92513fb3e
Merge pull request #562 from johlym/patch-1
...
Update README to mention .clear_configuration
2022-01-18 09:40:06 -03:00
Johnathan Lyman
4e90859a37
Update README to mention .clear_configuration
...
Adds a line to the Test case isolation section about `.clear_configuration`.
2022-01-17 12:25:43 -08:00
Gonzalo
7bcd3b1529
ci: update rubies
2021-12-15 11:59:52 -03:00
Gonzalo
e31488aeba
Merge pull request #558 from agbaber/fix-rack-spec-doc-link
...
docs: update link to rack spec in README
2021-11-26 13:26:41 -03:00
Andrew Baber
78bc155ac9
docs: update link to rack spec in README
2021-11-19 12:34:50 -05:00
thomas morgan
2fc8c7b65f
support rails 7.0
2021-11-17 11:33:17 -07:00
Gonzalo
f920e635f6
Merge pull request #557 from zarqman/dalli3
...
Test against dalli 3.0
2021-11-16 16:18:04 -03:00
thomas morgan
0fbfda0146
test against dalli 3.0
2021-11-16 10:04:16 -07:00
Gonzalo
1a872aa24c
docs: update CI badge
2021-07-21 19:16:32 -03:00
Gonzalo
a20d58e022
ci: update machine os
2021-07-21 18:59:09 -03:00
Gonzalo
511efd15c9
ci: update rubies
2021-07-21 18:58:13 -03:00
Gonzalo
7f2ccca650
ci: run GitHub Actions CI for pull requests
2021-07-21 18:52:11 -03:00
Gonzalo
50b9f37156
ci: move from TravisCI to GitHub Actions
2021-07-19 21:27:02 -03:00
Gonzalo
17b7368a95
docs: attempt to avoid README version confusion
2021-06-15 12:29:14 -03:00
Gonzalo
2257f00876
docs: update 'How can I help?' section
2021-03-21 18:28:59 -03:00
Gonzalo
886ba3a18d
Merge branch '6-stable'
2021-02-07 16:46:46 -03:00
Gonzalo
12a8390d2d
Bump gem version to v6.5
2021-02-07 13:34:46 -03:00
Gonzalo
f3f0df3fc0
refactor: attempt to avoid user confusion by clarifying method is used by throttle
2021-02-07 13:34:26 -03:00
brchristian
0f1a72a4d4
Use single quotes in example configuration
2021-02-07 13:02:33 -03:00
Gonzalo
d1b01f0b4a
test: update ruby and rails versions
2021-02-07 13:02:16 -03:00
fatkodima
1e5fb868f6
Auto include middleware for older railses
2021-02-07 12:57:24 -03:00
fatkodima
e131750a6b
Make store proxies lookup dynamic
2021-02-07 12:56:50 -03:00
fatkodima
df354cd141
Make discriminators case-insensitive by default
2021-02-07 12:55:03 -03:00
Gonzalo Rodriguez
23f7e7f53b
Merge pull request #514 from brchristian/patch-1
...
Use single quotes in example configuration
2021-01-24 13:04:47 -03:00
Gonzalo
1c460b179e
Merge branch '6-stable'
2021-01-23 22:38:36 -03:00
Gonzalo
6328ddcb19
Bump gem version to v6.4
2021-01-23 21:26:11 -03:00
Gonzalo
33d1bac4a5
test: update ruby and rails versions
2021-01-23 21:26:11 -03:00
fukayatsu
dda2489936
Fix Ruby 2.7 kwargs warning in RedisCacheStoreProxy
...
(cherry picked from commit 9020201ff5)
2021-01-23 13:55:48 -03:00
Joe Van Dyk
38c89afcf3
Fix speling in README
...
(cherry picked from commit 7b3376021b)
2021-01-23 13:55:48 -03:00
Gonzalo
6316069638
docs: update repo references after move to rack org
...
(cherry picked from commit 26476670f4)
2021-01-23 13:55:48 -03:00
Gonzalo
476144ee40
build: update rubocop to earlier version fixing the LineLength crash
...
(cherry picked from commit cbae022df1)
2021-01-23 13:55:47 -03:00
Eliot Sykes
1cd4a1cd79
Mitigate login throttle bypasses in docs
...
This commit mitigates rate limit bypasses in the configuration
docs by normalizing the email throttle key. (The normalization process
used is the same as used by the Clearance gem.)
---
Often an authentication process normalizes email addresses and usernames
before look up, say by downcasing and removing any whitespace.
Throttles that do not perform the same normalization are vulnerable
to rate limit bypasses.
For example, an attacker can bypass a vulnerable throttle by using
unlimited case and whitespace variants for the same email address:
- Variant 1: `victim@example.org`
- Variant 2: `victim@example. org` (one whitespace)
- Variant 3: `victim@example. org` (two whitespaces)
- Variant 4: `ViCtIm@eXaMpLe.org`
- etc, etc.
All of these variants resolve to the same email address, but allow
an attacker to bypass a vulnerable throttle. To mitigate, the email
throttle key should be normalized using the same logic the
authentication process uses for normalizing emails.
(cherry picked from commit 03926e0b75)
2021-01-23 13:55:47 -03:00
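The throttle-key normalization described in the "Mitigate login throttle bypasses in docs" commit message above, as an added example that is not code from the commit or from the project. `ThrottleCounter` is a hypothetical in-memory stand-in for a throttle's per-key counter, the sample attempts are constructed, and the normalization (downcase, remove all whitespace) is assumed to match what the authentication layer does.

```ruby
# Added example; not rack-attack's code. ThrottleCounter is a hypothetical
# in-memory stand-in for a throttle's per-key counter.
class ThrottleCounter
  def initialize(limit:, &discriminator)
    @limit = limit
    @discriminator = discriminator
    @counts = Hash.new(0)
  end

  # Returns true when the attempt is allowed, false when it is throttled.
  def allow?(params)
    key = @discriminator.call(params)
    @counts[key] += 1
    @counts[key] <= @limit
  end

  def distinct_keys
    @counts.size
  end
end

# The normalization the commit message describes: downcase, drop all whitespace.
def normalize_email(value)
  value.to_s.downcase.gsub(/\s+/, "")
end

# Constructed sample input: case and whitespace spellings of one address.
ATTEMPTS = [
  "victim@example.org",
  "victim@example.org ",
  " victim@example.org",
  "ViCtIm@eXaMpLe.org",
  "VICTIM@EXAMPLE.ORG\t",
  "victim@example.org"
].freeze

def allowed_attempts(counter)
  ATTEMPTS.count { |email| counter.allow?("email" => email) }
end

# Runs the same attempts through a raw-keyed and a normalized-keyed throttle.
def compare(limit: 2)
  raw = ThrottleCounter.new(limit: limit) { |p| p["email"] }
  normalized = ThrottleCounter.new(limit: limit) { |p| normalize_email(p["email"]) }
  {
    raw_allowed: allowed_attempts(raw), raw_keys: raw.distinct_keys,
    normalized_allowed: allowed_attempts(normalized), normalized_keys: normalized.distinct_keys
  }
end
```

With the raw key every spelling gets its own counter, so the limit is never reached; with the normalized key all attempts share one counter and the limit applies to the account.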