Feature Request: Block everything your routes.rb doesn't specify! #607
Replies: 2 comments
-
I'd like that a lot! And it would solve a lot of issues where people want to block based on 404 responses. I'm currently using a hardcoded list in a bare-bones middleware instead of Rack::Attack because unrecognised routes don't even reach Rack::Attack, and thus continue to fill up my monitoring logs.
-
I made this possible in a way, using Rack::Attack. It does not honour HTTP verbs as I'd like, but any request to a URL that the router doesn't know about can be added to a block list. Note that the code below is not a verbatim copy of something that runs in production, so please don't blindly copy-paste.

```ruby
# config/initializer/rack_attack.rb
Rack::Attack.blocklist('fail2ban/pentesters') do |request|
  # Each request to an unknown path counts as a strike; after 4 strikes
  # within 10 minutes the client IP is banned for 10 minutes.
  Rack::Attack::Fail2Ban.filter(request.ip, maxretry: 4, findtime: 10.minutes.to_i, bantime: 10.minutes.to_i) do
    request.non_routing_uri?
  end
end

class Rack::Attack::Request < ::Rack::Request
  # True when no route pattern matches the request path (the HTTP verb is ignored).
  def non_routing_uri?
    regex_routes.none? { |regex_route| regex_route.match?(path) }
  end

  # Compiled route patterns; only named routes are included.
  def regex_routes
    @regex_routes ||= Rails.application.routes.named_routes.map { |_name, route| route.path.to_regexp }.freeze
  end
end
```
-
I'm a long-time user of rack-attack, but I realized that there could be a better way of handling things here, instead of chasing bad requests and malicious IPs trying to attack PHP endpoints and such.
Rails has moved from allowing all parameters to allowing only those specified with Strong Params. Why shouldn't Rack::Attack be the same?
Is there a possibility of leveraging Rails' routes files to generate a whitelist of acceptable routes as a starting point? Even if that's a rake task that runs in the Rails environment that outputs a set of code that can be copy/pasted into an initializer, it would be really great to say "here are my routes, I don't want to allow anything else." Or, even better, a task that spits out a file in `/lib` that contains the configuration that you could require from your initializer. It could even be an optimized task on `rake assets:precompile` so it's always up-to-date. You could then add any overrides to your initializer manually, like specifying asset paths, static files, or engines mounted inside the app that should also be allowed.
Just thought I'd throw that out there.
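As an added example (not code from this thread or from rack-attack), here is the same "is this request routed?" check made verb-aware, which the second comment says its version is not, driven by a static route table of the kind the rake task described in the opening post would emit. The route specs and request lines are constructed sample data, and `spec_to_regexp` is a simplified stand-in for Rails' Journey matcher, not its real implementation.

```ruby
# Constructed sample route table of [HTTP verb, path spec] pairs, the kind a
# rake task could dump from routes.rb; not taken from any real application.
SAMPLE_ROUTES = [
  ['GET',    '/users(.:format)'],
  ['POST',   '/users(.:format)'],
  ['GET',    '/users/:id(.:format)'],
  ['DELETE', '/users/:id(.:format)'],
  ['GET',    '/assets/*path'],
].freeze

# Simplified stand-in for Rails' Journey conversion of a path spec into an
# anchored Regexp: :id is one segment, *path spans segments, (...) is optional.
def spec_to_regexp(spec)
  body = spec.dup
  body.gsub!('.') { '\.' }                        # literal dots, e.g. ".:format"
  body.gsub!('(') { '(?:' }                       # optional group open
  body.gsub!(')') { ')?' }                        # optional group close
  body.gsub!(/\*(\w+)/) { "(?<#{$1}>.+)" }        # *path glob spans segments
  body.gsub!(/:(\w+)/) { "(?<#{$1}>[^\\/.]+)" }   # :id matches one segment
  Regexp.new("\\A#{body}\\z")
end

class RouteTable
  def initialize(routes)
    @by_verb = Hash.new { |h, k| h[k] = [] }
    routes.each { |verb, spec| @by_verb[verb.upcase] << spec_to_regexp(spec) }
  end

  # Verb-aware check: true when no route accepts this verb + path pair.
  # HEAD is served by GET routes in Rails, so it is folded into GET.
  def non_routing?(verb, path)
    verb = verb.upcase
    verb = 'GET' if verb == 'HEAD'
    @by_verb[verb].none? { |re| re.match?(path) }
  end
end

TABLE = RouteTable.new(SAMPLE_ROUTES)

# Constructed sample requests, e.g. taken from a Rack::Attack request object.
SAMPLE_REQUESTS = [
  ['GET',    '/users/42.json'],
  ['GET',    '/users/42/edit'],
  ['PUT',    '/users/42'],          # routed path, unrouted verb
  ['GET',    '/wp-login.php'],
  ['GET',    '/assets/app/main.js'],
].freeze

# The verb + path pairs a Fail2Ban-style filter would count as strikes.
def unrouted_requests(table = TABLE, requests = SAMPLE_REQUESTS)
  requests.select { |verb, path| table.non_routing?(verb, path) }
end
```

Unlike the regex-only check, a PUT to an existing path with no PUT route is flagged, while a HEAD to a GET route is not.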