sjs/rack-attack
1
0
Fork 0
mirror of https://github.com/samsonjs/rack-attack.git synced 2026-03-25 09:25:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
359 commits 1 branch 0 tags 1.1 MiB
Commit graph

62 commits

Author SHA1 Message Date
Corey Farwell
f91f3a403c
Merge pull request #264 from grzuy/drop_support_for_rails_3 
Drop support for unmaintaned Rails 3
 2018-01-23 17:45:29 -05:00
Gonzalo Rodriguez
34ee066eac Drop support for Rails 3 2018-01-23 16:12:16 -03:00
Gonzalo Rodriguez
e8102910bf Fixes warning 'DEPRECATED: Use assert_nil if expecting nil from ...' 2018-01-23 15:07:49 -03:00
Mike Ferrier
031efcd123 add a spec to specify the behavior of non-matching throttle blocks 2016-07-13 10:20:08 -04:00
Aaron Suggs
ff22014a03 [tests] Fix gotcha with new activesupport redis versions 
This fixes the error:

    uninitialized constant ActiveSupport::VERSION

when loading active_support/cache/redis_store
 2016-07-11 15:23:06 -04:00
Aaron Suggs
f5f08d56e5 More safelist/blocklist refactoring 
- Add Rack::Attack namespace to deprecation warning.
- Add deprecated Rack::Attack.blacklisted_response attr methods.
 2016-07-04 21:42:41 -04:00
Renée Hendricksen
e1a0c804e1 suggesting changing whitelist/blacklist language to less controversial safelist/blocklist language 
add deprication warnings

fix the method signatures
 2016-07-01 21:44:45 -04:00
Vincent Boisard
297ef4a2ae Merge branch 'master' of github.com:kickstarter/rack-attack 2015-12-29 10:10:36 +01:00
Aaron Suggs
76c2e31430 Normalize request paths when using Rails' ActionDispatch 
The issue
---

When using rack-attack with a rails app, developers expect the request
path to be normalized. In particular, trailing slashes are stripped so
a request path "/login/" becomes "/login" by the time you're in
ActionController.

Since Rack::Attack runs before ActionDispatch, the request path is not
yet normalized. This can cause throttles and blacklists to not work as
expected.

E.g., a throttle:

    throttle('logins', ...) {|req| req.path == "/login" }

would not match a request to '/login/', though Rails would route
'/login/' to the same '/login' action.

The solution
---

This patch looks if ActionDispatch's request normalization is loaded,
and if so, uses it to normalize the path before processing throttles,
blacklists, etc.

If it's not loaded, the request path is not modified.

Credit
---
Thanks to Andres Riancho at Include Security for reporting this issue.
 2015-12-18 11:12:11 -05:00
Aaron Suggs
11faea4526 specs: use pry instead of debugger 2015-12-18 08:55:09 -05:00
Vincent Boisard
397a7ce7b4 feature: support for ActiveSupport::MemCacheStore 2015-12-08 10:53:53 +01:00
Aaron Suggs
64fe10f64e Clarifying comments for #delete spec method 2015-05-22 13:48:32 -04:00
Stan Hu
91947b83a4 Support the ability to reset Fail2Ban count and ban flag 
Closes #113
 2015-05-22 09:47:32 -04:00
Stan Hu
ff15447f3a Support delete method for Redis 2015-03-15 12:13:44 -07:00
Aaron Suggs
b0bf74f9d9 Fix test assertion 2015-01-27 16:18:55 -05:00
Genadi Samokovarov
d9a5587676 Allow throttle period option to be a proc 
I need to filter requests on a period I need to get dynamically out of
information I have in the requests. Currently, I can work out the limit,
as it can be a `Proc`, however I can't do that with the period.

This PR adds support for that. Tried to do it in a way that doesn't
brake backwards compatibility, as periods are coerced to numbers during
`Rack::Throttle` initialization.
 2014-09-19 19:32:39 +02:00
Paul Coates
e8d98a7ad3 Changed track checker to track filter. Made track filter tests more clear. 2014-05-22 10:11:23 -07:00
Paul Coates
1ebe1c3517 Added limit and period options to track. Delegates [] to Throttle if they are present otherwise Check. 2014-05-19 11:11:01 -07:00
blahed
97dce48bfc add throttle discriminator to rack env 2014-05-01 22:20:13 -04:00
Aaron Suggs
833e1e937d Integration tests: use 127.0.0.1 instead of localhost 2014-04-25 13:19:22 -05:00
hakanensari
5ff5bf44ba Don't memoize in test 
I don’t think this has any side effect, but still…
 2014-04-17 18:21:13 +01:00
hakanensari
5d72c6e5f9 Move individual proxy classes to separate files 2014-04-15 16:19:43 +01:00
hakanensari
bf40123c04 Move offline case to separate file 2014-04-15 16:17:27 +01:00
hakanensari
f0a53f474e Stub #with on delegator 2014-04-09 13:15:00 +01:00
hakanensari
937cd3ca20 Merge branch 'master' into patch-3 2014-04-09 12:17:10 +01:00
hakanensari
1c0bc3da4d Merge branch 'patch-2' into patch-3 
Conflicts:
	lib/rack/attack/store_proxy.rb
 2014-04-09 12:16:16 +01:00
Tristan Dunn
16f1cfc578 Add a custom request class to allow for helper methods. 
Fixes #58.
 2014-04-04 14:41:59 -05:00
hakanensari
128c5aa9bf Support a Dalli Connection Pool 2014-04-01 12:10:32 +01:00
hakanensari
adab844784 Support older dalli client versions 2014-04-01 11:21:14 +01:00
hakanensari
a7ec48fb44 Implement Proxy for Dalli 
kickstarter/rack-attack#52
 2014-03-26 21:54:12 +00:00
Aaron Suggs
671f3d4c40 [travisci] Fix Errno::ENETUNREACH errors in redis integration tests 2014-03-15 14:51:15 -04:00
Aaron Suggs
2a7ae7d84d Integration tests: less flakiness by sleeping more 2014-03-15 14:41:50 -04:00
Aaron Suggs
cabadf3dc0 Better organize integration tests 
Add rake tasks `test:units` and `test:integration`

Run integration tests by default on TravisCi.
Run memcached and redis on TravisCi.
 2014-03-15 14:21:37 -04:00
Will Kimeria
87f628d0c1 If redis client throws exception, don't raise it 
For throttling, when the redis client throws an exception, the request
ends up getting rate limited. Modify this to be similar to how
ActiveSupport.MemCacheStore functions (the read, write and increment
methods do not raise exceptions)
 2014-03-14 11:50:59 -07:00
Carsten Zimmermann
1095f85242 Change response body to 'Forbidden' 2014-02-06 23:29:44 +01:00
Carsten Zimmermann
97a43f7e66 Return 403 Forbidden instead of 401 
401 Unauthorized suggests that the requests can be
retried with appropriate credentials. 403 explicitly
states that the request should not be repeated.

See #41
 2014-02-06 21:32:51 +01:00
Aaron Suggs
c42e035f62 specs: fix MiniTest typo for older ruby versions 2013-10-09 15:31:52 -04:00
Jordan Moncharmont
273e045f10 fix edge case, if maxretry is 1, let them get 1 request in 2013-09-27 17:35:01 -07:00
Jordan Moncharmont
ef59c5182a Allow2Ban 
An alternate to fail2ban that allows clients until they hit the
thresholds, then blocks them.  Think of it like a throttle where you can
block for more than one period.
 2013-09-27 17:18:52 -07:00
Aaron Suggs
1d367f5acd version 2.3.0, update changelog, copy tweaks 2013-08-20 11:39:44 -04:00
Pedro Nascimento
ab6d7b239d Allow limit option to be a proc. 
This allows you to do stuff like:
`req.env["USER"] == "god" ? 1000 : 1`
 2013-08-19 19:47:48 -03:00
Alex Volkovitsky & Sachin Maharjan
f348643c24 Fix spec expectations 2013-06-28 13:59:31 -07:00
Aaron Suggs
24143dd195 Cleanup whitespace 2013-06-20 10:19:56 -04:00
madlep
2819e0d7a4 collapse fail2ban name/discriminator into one argument 2013-06-17 08:50:39 +10:00
madlep
baffa83687 spec for Fail2Ban 2013-06-14 15:37:02 +10:00
madlep
6c259ea9be delegate Redis custom logic to StoreProxy 
this removes ugly `if redis blah` code from cache
 2013-06-12 15:03:39 +10:00
madlep
22fc386bad add read/write methods to cache 2013-06-12 15:03:24 +10:00
Vipul A M
384892ce4c Make debugger dependency only for ruby platforms 2013-05-06 20:58:01 +05:30
Vipul A M
4fcbe790ed Remove debugger dependency, as it isn't used 2013-05-06 11:53:58 +05:30
Aaron Suggs
ecec8576ae Show some minitest pride 2013-03-04 21:06:53 -05:00