https://github.com/rack/rack-attack - v6.8.0

What's Changed

Changed

• Avoid RedisCacheStore#increment on Rails 6+ (which might improve performance) by @jdelStrother (#597)

Fixed

• Fix #588 don't fail if request.ip is missing, by @santib (#630)
• Fix reset! when using namespaced cache store by @santib (#673)

Deprecated

• Soft deprecate integration with rack 1.x, may or may not work with it.
• Soft deprecate integration with rails 5.2 or less, may or may not work with it.

Removed

• Remove support for unmaintained ActiveSupport::Cache::RedisStore, by @mitchellhenke (#625)

New Contributors

• @floehopper made their first contribution in https://github.com/rack/rack-attack/pull/618
• @mttkay made their first contribution in https://github.com/rack/rack-attack/pull/622
• @mitchellhenke made their first contribution in https://github.com/rack/rack-attack/pull/625
• @santib made their first contribution in https://github.com/rack/rack-attack/pull/629
• @tisba made their first contribution in https://github.com/rack/rack-attack/pull/654
• @fynsta made their first contribution in https://github.com/rack/rack-attack/pull/658
• @alexsmartens made their first contribution in https://github.com/rack/rack-attack/pull/664

Full Changelog: https://github.com/rack/rack-attack/compare/v6.7.0...v6.8.0

- Ruby
Published by grzuy 5 months ago

https://github.com/rack/rack-attack - v6.7.0

What's Changed

• Replace git.io URL by @kyoshidajp in https://github.com/rack/rack-attack/pull/579
• test: update rack-test to v2 from v1 by @grzuy in https://github.com/rack/rack-attack/pull/587
• Update example description to not suggest using a deprecated method by @MaksimAbramchuk in https://github.com/rack/rack-attack/pull/589
• Add note about cache stores and in-memory caches. by @nateberkopec in https://github.com/rack/rack-attack/pull/604
• ci: tests against redis gem v5 by @grzuy in https://github.com/rack/rack-attack/pull/612
• Support rack 3 by @ioquatix in https://github.com/rack/rack-attack/pull/586
• Gem release management. by @ioquatix in https://github.com/rack/rack-attack/pull/614

New Contributors

• @kyoshidajp made their first contribution in https://github.com/rack/rack-attack/pull/579
• @MaksimAbramchuk made their first contribution in https://github.com/rack/rack-attack/pull/589
• @nateberkopec made their first contribution in https://github.com/rack/rack-attack/pull/604

Full Changelog: https://github.com/rack/rack-attack/compare/v6.6.1...v6.7.0

- Ruby
Published by ioquatix over 2 years ago

https://github.com/rack/rack-attack - v6.6.1

Details in CHANGELOG entry.

- Ruby
Published by grzuy almost 4 years ago

https://github.com/rack/rack-attack - v6.6.0

Details in CHANGELOG entry.

- Ruby
Published by grzuy about 4 years ago

https://github.com/rack/rack-attack - v6.5.0

Details in CHANGELOG entry.

- Ruby
Published by grzuy about 5 years ago

https://github.com/rack/rack-attack - v6.4.0

Details in CHANGELOG entry.

- Ruby
Published by grzuy about 5 years ago

https://github.com/rack/rack-attack - v6.2.2

Fixed

• Fixed occasional Redis::FutureNotReady error (#445) (@fatkodima)

- Ruby
Published by grzuy about 6 years ago

https://github.com/rack/rack-attack - v6.2.1

Fixed

• Remove unintended side-effects on Rails app initialization order. It was potentially affecting the order of config/initializers/* in respect to gems initializers (#457)

- Ruby
Published by grzuy about 6 years ago

https://github.com/rack/rack-attack - v6.2.0

Added

• Failsafe on Redis error replies in RedisCacheStoreProxy (#421) (@cristiangreco)
• Rack::Attack middleware is now auto added for Rails 5.1+ apps to simplify gem setup (#431) (@fatkodima)
• You can disable Rack::Attack with Rack::Attack.enabled = false (#431) (@fatkodima)

- Ruby
Published by grzuy about 6 years ago

https://github.com/rack/rack-attack - v6.1.0

Added

• Provide throttle discriminator in the env throttle_data

- Ruby
Published by grzuy about 6 years ago

https://github.com/rack/rack-attack - v6.0.0

Added

• #blocklist and #safelist name argument (the first one) is now optional.
• Added support to subscribe only to specific event types via ActiveSupport::Notifications, e.g. subscribe to the
  throttle.rack_attack or the blocklist.rack_attack event.

Changed

• Changed ActiveSupport::Notifications event naming to comply with the recommneded format.

Deprecated

• Subscriptions via ActiveSupport::Notifications to the "rack.attack" event will continue to work (receive event
  notifications), but it is going to be removed in a future version. Replace the event name with /rack_attack/ to
  continue to be subscribed to all events, or "throttle.rack_attack" e.g. for specific type of events only.

Removed

• Removed support for ruby 2.2.
• Removed support for obsolete memcache-client as a cache store.
• Removed deprecated methods #blacklist and #whitelist (use #blocklist and #safelist instead).

- Ruby
Published by grzuy almost 7 years ago

https://github.com/rack/rack-attack - v5.4.2

Fixed

• Fix unexpected error when using redis 3 and any store which is not proxied

Changed

• Provide better information in MisconfiguredStoreError exception message to aid end-user debugging

- Ruby
Published by grzuy over 7 years ago

https://github.com/rack/rack-attack - v5.4.1

Fixed

• Make ActiveSupport::Cache::MemCacheStore also work as excepted when initialized with pool options (e.g. pool_size). Thank you @jdelStrother.

- Ruby
Published by grzuy over 7 years ago

https://github.com/rack/rack-attack - v5.4.0

Added

• Support "plain" Redis as a cache store backend (#280). Thanks @bfad and @ryandv.
• When overwriting Rack::Attack.throttled_response you can now access the exact epoch integer that was used for caching
  so your custom code is less prone to race conditions (#282). Thanks @doliveirakn.

Dependency changes

• Explictly declare ancient rack 0.x series as incompatible in gemspec

- Ruby
Published by grzuy over 7 years ago

https://github.com/rack/rack-attack - v5.3.2

Fixed

• Don't raise exception The Redis cache store requires the redis gem when using ActiveSupport::Cache::MemoryStore as a cache store backend

- Ruby
Published by grzuy over 7 years ago

https://github.com/rack/rack-attack - v5.3.1

Fixed

• Make ActiveSupport::Cache::RedisCacheStore also work as excepted when initialized with pool options (e.g. pool_size)

- Ruby
Published by grzuy over 7 years ago

https://github.com/rack/rack-attack - v5.3.0

Added

• Add support for ActiveSupport::Cache::RedisCacheStore as a store backend (#340 and #350)

- Ruby
Published by grzuy over 7 years ago

https://github.com/rack/rack-attack - v5.2.0

Added

• Shorthand for blocking an IP address Rack::Attack.blocklist_ip("1.2.3.4") (#320)
• Shorthand for blocking an IP subnet Rack::Attack.blocklist_ip("1.2.0.0/16") (#320)
• Shorthand for safelisting an IP address Rack::Attack.safelist_ip("5.6.7.8") (#320)
• Shorthand for safelisting an IP subnet Rack::Attack.safelist_ip("5.6.0.0/16") (#320)
• Throw helpful error message when using allow2ban but cache store is misconfigured (#315)
• Throw helpful error message when using fail2ban but cache store is misconfigured (#315)

- Ruby
Published by grzuy almost 8 years ago

https://github.com/rack/rack-attack - v5.1.0

• Fixes edge case bug when using ruby 2.5 and redis https://github.com/kickstarter/rack-attack/issues/253 (https://github.com/kickstarter/rack-attack/pull/271)
• Throws errors with better semantics when missing or misconfigured store caches to aid in developers debugging their configs (https://github.com/kickstarter/rack-attack/pull/274)
• Removed legacy code that was originally intended for Rails 3 apps (https://github.com/kickstarter/rack-attack/pull/264)

- Ruby
Published by grzuy almost 8 years ago

https://github.com/rack/rack-attack - v5.0.1

• Fixes arguments passed to deprecated internal methods. (#198)

- Ruby
Published by ktheory over 9 years ago

https://github.com/rack/rack-attack - v5.0.0

• Deprecate whitelist/blacklist in favor of safelist/blocklist. (#181,
  thanks @renee-travisci). To upgrade and fix deprecations, find and replace instances of whitelist and blacklist with safelist and blocklist. If you reference rack.attack.match_type, note that it will have values like :safelist/:blocklist.
• Remove test coverage for unsupported ruby dependencies: ruby 2.0, activesupport 3.2/4.0, and dalli 1.
• Document example for setting X-RateLimit-* response headers (#193)

- Ruby
Published by ktheory over 9 years ago

https://github.com/rack/rack-attack -

• Deprecate whitelist/blacklist in favor of safelist/blocklist. (#181,
  thanks @renee-travisci). To upgrade and fix deprecations, find and replace instances of whitelist and blacklist with safelist and blocklist. If you reference rack.attack.match_type, note that it will have values like :safelist/:blocklist.
• Remove test coverage for unsupported ruby dependencies: ruby 2.0, activesupport 3.2/4.0, and dalli 1.

- Ruby
Published by ktheory over 9 years ago

https://github.com/rack/rack-attack - v4.4.1

• Fix a bug affecting apps using Redis::Store and ActiveSupport that could generate an error saying dalli was a required dependency. I learned all about ActiveSupport autoloading. See #165. Thx @tirdadc for repoting in #163,

- Ruby
Published by ktheory about 10 years ago

https://github.com/rack/rack-attack - v4.4.0

• New: support for MemCacheStore (#153). Thanks @elhu.
• Some documentation and test harness improvements.

- Ruby
Published by ktheory about 10 years ago

https://github.com/rack/rack-attack - v4.3.1: Security release

There is a security vulnerability with how requests are normalized when using Rails' ActionDispatch.

Versions Affected: < 4.3.0
Not affected: rack apps not using Rails
Fixed Versions: 4.3.1

Impact

When using rack-attack with a rails app, developers expect the request
path to be normalized. In particular, trailing slashes are stripped so
a request path "/login/" becomes "/login" by the time you're in
ActionController.

Since Rack::Attack runs before ActionDispatch, the request path is not
yet normalized. This can cause throttles and blacklists to not work as
expected.

E.g., a throttle:

throttle('logins', ...) {|req| req.path == "/login" }

would not match a request to '/login/', though Rails would route
'/login/' to the same '/login' action.

Releases

Install rack-attack 4.3.1 from rubygems.org.

# In Gemfile using bundler
gem 'rack-attack', '~> 4.3.1'

Workarounds

If you prefer not to upgrade, you may work around this issue by making sure your throttles, blacklists, etc handle an optional trailing slash in req.path.

For example:

# Unsafe:
throttle(...) { |req| req.path == '/login' }

# Safe:
throttle(...) { |req| req.path == '/login' || req.path == '/login/' }

Credit

This vulnerability was reported by Andres Riancho from Include Security (@includesecurity on GitHub and Twitter). Thank you, Andres & Include Security.

Other changes in v4.3.1

• Remove support for ruby 1.9.x
• Add Code of Conduct
• Several documentation and testing improvements

Changes: https://github.com/kickstarter/rack-attack/compare/v4.3.0...v4.3.1

- Ruby
Published by ktheory about 10 years ago