From f5f08d56e5869d9b9505f2625eba9b8641f11554 Mon Sep 17 00:00:00 2001
From: Aaron Suggs
Date: Mon, 4 Jul 2016 21:11:35 -0400
Subject: [PATCH 1/4] More safelist/blocklist refactoring
- Add Rack::Attack namespace to deprecation warning.
- Add deprecated Rack::Attack.blacklisted_response attr methods.
---
 README.md | 4 ++--
 lib/rack/attack.rb | 24 +++++++++++++++++-------
 spec/rack_attack_spec.rb | 31 ++++++++++++++++++++++++++-----
 3 files changed, 45 insertions(+), 14 deletions(-)
diff --git a/README.md b/README.md
index 6480b87e..635228d5 100644
--- a/README.md
+++ b/README.md
@@ -97,7 +97,7 @@ Define safelists, blocklists, throttles, and tracks as blocks that return truthy these go in an initializer in `config/initializers/`. A [Rack::Request](http://www.rubydoc.info/gems/rack/Rack/Request) object is passed to the block (named 'req' in the examples).
-### safelists
+### Safelists
 ```ruby
 # Always allow requests from localhost
@@ -108,7 +108,7 @@ Rack::Attack.safelist('allow from localhost') do |req|
 end
 ```
-### blocklists
+### Blocklists
 ```ruby
 # Block requests from 1.2.3.4
diff --git a/lib/rack/attack.rb b/lib/rack/attack.rb
index 744f77a0..f5189d9f 100644
--- a/lib/rack/attack.rb
+++ b/lib/rack/attack.rb
@@ -24,9 +24,9 @@ class << self
 def safelist(name, &block)
 self.safelists[name] = Safelist.new(name, block)
 end
-
+
 def whitelist(name, &block)
- warn "[DEPRECATION] 'whitelist' is deprecated. Please use 'safelist' instead."
+ warn "[DEPRECATION] 'Rack::Attack.whitelist' is deprecated. Please use 'safelist' instead."
 safelist(name, &block)
 end
@@ -35,7 +35,7 @@ def blocklist(name, &block)
 end
 def blacklist(name, &block)
- warn "[DEPRECATION] 'blacklist' is deprecated. Please use 'blocklist' instead."
+ warn "[DEPRECATION] 'Rack::Attack.blacklist' is deprecated. Please use 'blocklist' instead."
 blocklist(name, &block)
 end
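Review bot: The reworded `warn` line in the `whitelist` hunk qualifies only the old name, `'Rack::Attack.whitelist' is deprecated. Please use 'safelist' instead.`, so the replacement reads as a bare method while the deprecated one is namespaced; the `blacklist` hunk just below and the later hunks of this file (`whitelists`, `blacklists`, `whitelisted?`, `blacklisted?`, `blacklisted_response`) follow the same pattern. Qualifying both halves, e.g. `Please use 'Rack::Attack.safelist' instead.`, keeps the message symmetric and lets a search for the qualified name find both sides of the rename. The spec hunks assert on these strings verbatim, so they would need the matching edit.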
@@ -53,12 +53,12 @@ def throttles; @throttles ||= {}; end
 def tracks; @tracks ||= {}; end
 def whitelists
- warn "[DEPRECATION] 'whitelists' is deprecated. Please use 'safelists' instead."
+ warn "[DEPRECATION] 'Rack::Attack.whitelists' is deprecated. Please use 'safelists' instead."
 safelists
 end
 def blacklists
- warn "[DEPRECATION] 'blacklists' is deprecated. Please use 'blocklists' instead."
+ warn "[DEPRECATION] 'Rack::Attack.blacklists' is deprecated. Please use 'blocklists' instead."
 blocklists
 end
@@ -69,7 +69,7 @@ def safelisted?(req)
 end
 def whitelisted?
- warn "[DEPRECATION] 'whitelisted?' is deprecated. Please use 'safelisted?' instead."
+ warn "[DEPRECATION] 'Rack::Attack.whitelisted?' is deprecated. Please use 'safelisted?' instead."
 safelisted?
 end
@@ -80,7 +80,7 @@ def blocklisted?(req)
 end
 def blacklisted?
- warn "[DEPRECATION] 'blacklisted?' is deprecated. Please use 'blocklisted?' instead."
+ warn "[DEPRECATION] 'Rack::Attack.blacklisted?' is deprecated. Please use 'blocklisted?' instead."
 blocklisted?
 end
@@ -108,6 +108,16 @@ def clear!
 @safelists, @blocklists, @throttles, @tracks = {}, {}, {}, {}
 end
+ def blacklisted_response=(res)
+ warn "[DEPRECATION] 'Rack::Attack.blacklisted_response=' is deprecated. Please use 'blocklisted_response=' instead."
+ self.blocklisted_response=(res)
+ end
+
+ def blacklisted_response
+ warn "[DEPRECATION] 'Rack::Attack.blacklisted_response' is deprecated. Please use 'blocklisted_response' instead."
+ self.blocklisted_response
+ end
+
 end
 # Set defaults
diff --git a/spec/rack_attack_spec.rb b/spec/rack_attack_spec.rb
index 6d29c9c4..8b2f942c 100644
--- a/spec/rack_attack_spec.rb
+++ b/spec/rack_attack_spec.rb
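Review bot: In the `whitelisted?` hunk the deprecated shim is declared as `def whitelisted?` with no parameter and then calls `safelisted?` with no argument, while the hunk header shows the target is `def safelisted?(req)`, so a caller of the deprecated name gets an ArgumentError rather than a warning followed by the old behaviour; the commit only reworded the warning and left this in place. The `blacklisted?` hunk below has the identical mismatch against `def blocklisted?(req)`. For both, change the signature and the delegation: `def whitelisted?(req)` with `safelisted?(req)` (and `def blacklisted?(req)` with `blocklisted?(req)`). A spec that calls `Rack::Attack.whitelisted?(req)` inside capture_io, like the existing `whitelists` example, would pin this down.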
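Review bot: The new `blacklisted_response=` shim writes through with `self.blocklisted_response=(res)`, which looks like a parenthesised method call; the usual spelling for an attribute writer is `self.blocklisted_response = res`, which reads unambiguously as assignment. Both new methods also lack a doc comment, so a `# @deprecated Use {blocklisted_response=} instead.` above the writer and `# @deprecated Use {blocklisted_response} instead.` above the reader would let YARD and editors surface the deprecation without the method having to be called first.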
@@ -23,12 +23,12 @@
 it('has a blocklist') { Rack::Attack.blocklists.key?("ip #{@bad_ip}").must_equal true }
-
+
 it('has a blacklist with a deprication warning') {
- stdout, stderror = capture_io do
+ _, stderror = capture_io do
 Rack::Attack.blacklists.key?("ip #{@bad_ip}").must_equal true
 end
- assert_match "[DEPRECATION] 'blacklists' is deprecated. Please use 'blocklists' instead.", stderror
+ assert_match "[DEPRECATION] 'Rack::Attack.blacklists' is deprecated. Please use 'blocklists' instead.", stderror
 }
 describe "a bad request" do
@@ -55,10 +55,10 @@
 it('has a safelist'){ Rack::Attack.safelists.key?("good ua") }
 it('has a whitelist with a deprication warning') {
- stdout, stderror = capture_io do
+ _, stderror = capture_io do
 Rack::Attack.whitelists.key?("good ua")
 end
- assert_match "[DEPRECATION] 'whitelists' is deprecated. Please use 'safelists' instead.", stderror
+ assert_match "[DEPRECATION] 'Rack::Attack.whitelists' is deprecated. Please use 'safelists' instead.", stderror
 }
 describe "with a request match both safelist & blocklist" do
@@ -73,6 +73,27 @@
 end
 end
 end
+
+ describe '#blocklisted_response' do
+ it 'should exist' do
+ Rack::Attack.blocklisted_response.must_respond_to :call
+ end
+
+ it 'should give a deprication warning for blacklisted_response' do
+ _, stderror = capture_io do
+ Rack::Attack.blacklisted_response
+ end
+ assert_match "[DEPRECATION] 'Rack::Attack.blacklisted_response' is deprecated. Please use 'blocklisted_response' instead.", stderror
+
+ end
+ end
+
+ describe '#throttled_response' do
+ it 'should exist' do
+ Rack::Attack.throttled_response.must_respond_to :call
+ end
+ end
+
 end
 end
From e8433f769309ad11a2aae9d39316cf301e289e57 Mon Sep 17 00:00:00 2001
From: Aaron Suggs
Date: Mon, 4 Jul 2016 21:12:35 -0400
Subject: [PATCH 2/4] Bump to version v5.0.0.beta1
---
 CHANGELOG.md | 9 +++++++++
 lib/rack/attack/version.rb | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)
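Review bot: The new `'should give a deprication warning for blacklisted_response'` example in the `@@ -73` hunk discards the value returned inside capture_io, so it shows the warning is printed but not that the shim hands back the same object as `blocklisted_response`, and the `blacklisted_response=` writer added in the same patch has no test at all. Inside the block, `Rack::Attack.blacklisted_response.must_equal Rack::Attack.blocklisted_response` covers the reader; a companion example that assigns a lambda through `blacklisted_response=`, reads it back via `blocklisted_response` and restores the previous value in an ensure would cover the writer, since this is class-level state shared with the other examples. The descriptions in this hunk and in the two hunks above spell it `deprication`; `deprecation` is the intended word.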
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b5056899..082f6cd9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,15 @@
 ## master (unreleased)
+## v5.0.0 (beta)
+
+ - Deprecate `whitelist`/`blacklist` in favor of `safelist`/`blocklist`. (#181,
+ thanks @renee-travisci).
+
+To upgrade and fix deprecations, find and replace instances of `whitelist` and
+`blacklist` with `safelist` and `blocklist`. If you reference `rack.attack.match_type`,
+note that it will have values like `:safelist`/`:blocklist`.
+
 ## v4.4.1 17 Feb 2016
 - Fix a bug affecting apps using Redis::Store and ActiveSupport that could generate an error
diff --git a/lib/rack/attack/version.rb b/lib/rack/attack/version.rb
index 2c31f649..4f917c7c 100644
--- a/lib/rack/attack/version.rb
+++ b/lib/rack/attack/version.rb
@@ -1,5 +1,5 @@
 module Rack
 class Attack
- VERSION = '4.4.1'
+ VERSION = '5.0.0.beta1'
 end
 end
From eb9331fb8c41cb0888cd03682a813e5c9fbc0d9c Mon Sep 17 00:00:00 2001
From: Aaron Suggs
Date: Mon, 4 Jul 2016 21:17:11 -0400
Subject: [PATCH 3/4] whitespace
---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 635228d5..0f62f7ee 100644
--- a/README.md
+++ b/README.md
@@ -138,11 +138,11 @@ Rack::Attack.blocklist('fail2ban pentesters') do |req|
 # so the request is blocked
 Rack::Attack::Fail2Ban.filter("pentesters-#{req.ip}", :maxretry => 3, :findtime => 10.minutes, :bantime => 5.minutes) do
 # The count for the IP is incremented if the return value is truthy
- CGI.unescape(req.query_string) =~ %r{/etc/passwd} ||
+ CGI.unescape(req.query_string) =~ %r{/etc/passwd} ||
 req.path.include?('/etc/passwd') ||
- req.path.include?('wp-admin') ||
+ req.path.include?('wp-admin') ||
 req.path.include?('wp-login')
-
+
 end
 end
 ```
From f6762dfc63de1d70f116f6b4b9aefbb16e3e5e30 Mon Sep 17 00:00:00 2001
From: Aaron Suggs
Date: Mon, 4 Jul 2016 22:12:55 -0400
Subject: [PATCH 4/4] Drop test coverage for activesupport 3.2/4.0; dalli 1.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
They’re EOL, and the tests are a pain to maintain.
---
 .travis.yml | 3 ---
 gemfiles/activesupport3.2.gemfile | 15 ---------------
 gemfiles/activesupport4.0.gemfile | 15 ---------------
 gemfiles/dalli1.1.gemfile | 16 ----------------
 4 files changed, 49 deletions(-)
 delete mode 100644 gemfiles/activesupport3.2.gemfile
 delete mode 100644 gemfiles/activesupport4.0.gemfile
 delete mode 100644 gemfiles/dalli1.1.gemfile
diff --git a/.travis.yml b/.travis.yml
index 92cd7e14..285e73fb 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -6,11 +6,8 @@ rvm:
 - jruby-19mode
 gemfile:
- - gemfiles/activesupport3.2.gemfile
- - gemfiles/activesupport4.0.gemfile
 - gemfiles/activesupport4.1.gemfile
 - gemfiles/activesupport4.2.gemfile
- - gemfiles/dalli1.1.gemfile
 - gemfiles/dalli2.gemfile
 services:
diff --git a/gemfiles/activesupport3.2.gemfile b/gemfiles/activesupport3.2.gemfile
deleted file mode 100644
index 682f93a6..00000000
--- a/gemfiles/activesupport3.2.gemfile
+++ /dev/null
@@ -1,15 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "activesupport", "~> 3.2.0"
-gem "actionpack", "~> 3.2.0"
-gem "listen", "<= 3.0.6", platforms: [:ruby_20, :ruby_21, :jruby]
-
-group :development do
- gem "pry"
- gem "guard"
- gem "guard-minitest"
-end
-
-gemspec :path => "../"
diff --git a/gemfiles/activesupport4.0.gemfile b/gemfiles/activesupport4.0.gemfile
deleted file mode 100644
index c80a0f42..00000000
--- a/gemfiles/activesupport4.0.gemfile
+++ /dev/null
@@ -1,15 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "activesupport", "~> 4.0.0"
-gem "actionpack", "~> 4.0.0"
-gem "listen", "<= 3.0.6", platforms: [:ruby_20, :ruby_21, :jruby]
-
-group :development do
- gem "pry"
- gem "guard"
- gem "guard-minitest"
-end
-
-gemspec :path => "../"
diff --git a/gemfiles/dalli1.1.gemfile b/gemfiles/dalli1.1.gemfile
deleted file mode 100644
index f22d7ab9..00000000
--- a/gemfiles/dalli1.1.gemfile
+++ /dev/null
@@ -1,16 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "dalli", "1.1.5"
-gem "rack", "<= 1.4.7", platforms: [:ruby_20, :ruby_21, :jruby]
-gem "activesupport", "<= 3.2.22.2", platforms: [:ruby_20, :ruby_21, :jruby]
-gem "listen", "<= 3.0.6", platforms: [:ruby_20, :ruby_21, :jruby]
-
-group :development do
- gem "pry"
- gem "guard"
- gem "guard-minitest"
-end
-
-gemspec :path => "../"