Releases: rack/rack-attack
v5.0.0.beta1
- Deprecate whitelist/blacklist in favor of safelist/blocklist. (#181, thanks @renee-travisci). To upgrade and fix deprecations, find and replace instances of whitelist and blacklist with safelist and blocklist. If you reference rack.attack.match_type, note that it will have values like :safelist/:blocklist.
- Remove test coverage for unsupported ruby dependencies: ruby 2.0, activesupport 3.2/4.0, and dalli 1.
v4.4.1
v4.4.0
v4.3.1: Security release
There is a security vulnerability with how requests are normalized when using Rails' ActionDispatch.
Versions Affected: < 4.3.0
Not affected: rack apps not using Rails
Fixed Versions: 4.3.1
Impact
When using rack-attack with a rails app, developers expect the request
path to be normalized. In particular, trailing slashes are stripped so
a request path "/login/" becomes "/login" by the time you're in
ActionController.
Since Rack::Attack runs before ActionDispatch, the request path is not
yet normalized. This can cause throttles and blacklists to not work as
expected.
E.g., a throttle:
throttle('logins', ...) {|req| req.path == "/login" }
would not match a request to '/login/', though Rails would route
'/login/' to the same '/login' action.
Releases
Install rack-attack 4.3.1 from rubygems.org.
# In Gemfile using bundler
gem 'rack-attack', '~> 4.3.1'
Workarounds
If you prefer not to upgrade, you may work around this issue by making sure your throttles, blacklists, etc. handle an optional trailing slash in req.path.
For example:
# Unsafe:
throttle(...) { |req| req.path == '/login' }
# Safe:
throttle(...) { |req| req.path == '/login' || req.path == '/login/' }
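As an added example that is not part of the advisory or of rack-attack's own code, the following stand-alone Ruby script reproduces the mismatch above with a hypothetical Req struct in place of Rack::Request, shows the advisory's two-string workaround, and generalizes it with a normalize_path helper that strips trailing slashes the way the advisory says Rails does before ActionController sees the path.

```ruby
# Added example, not from the rack-attack release notes.
# Rack::Attack runs before ActionDispatch, so a discriminator sees the raw
# request path: comparing req.path == "/login" misses "/login/" even though
# Rails routes both to the same action. `Req` is a hypothetical stand-in
# for Rack::Request that only exposes #path.
Req = Struct.new(:path)

# Unsafe: exact comparison against the un-normalized path.
UNSAFE_LOGIN = ->(req) { req.path == "/login" }

# Safe (the workaround from the advisory): accept the optional trailing slash.
SAFE_LOGIN = ->(req) { req.path == "/login" || req.path == "/login/" }

# Generalization of the workaround (assumed helper, not rack-attack code):
# strip any trailing slashes, keeping "/" for the root path, then compare.
def normalize_path(path)
  stripped = path.sub(%r{/+\z}, "")
  stripped.empty? ? "/" : stripped
end

NORMALIZED_LOGIN = ->(req) { normalize_path(req.path) == "/login" }

# Run a discriminator over raw request paths and return the ones it would
# throttle; any path Rails routes to /login that is missing from the result
# bypasses the throttle.
def throttled_paths(discriminator, paths)
  paths.select { |p| discriminator.call(Req.new(p)) }
end

# Constructed sample: paths that all reach the /login action after Rails
# strips trailing slashes, plus one unrelated path as a negative control.
SAMPLE_PATHS = ["/login", "/login/", "/login//", "/logout"].freeze

if __FILE__ == $PROGRAM_NAME
  puts "unsafe:     #{throttled_paths(UNSAFE_LOGIN, SAMPLE_PATHS).inspect}"
  puts "safe:       #{throttled_paths(SAFE_LOGIN, SAMPLE_PATHS).inspect}"
  puts "normalized: #{throttled_paths(NORMALIZED_LOGIN, SAMPLE_PATHS).inspect}"
end
```

The unsafe block throttles only the exact "/login"; the normalized form also covers paths with more than one trailing slash, which the two-string workaround does not.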
Credit
This vulnerability was reported by Andres Riancho from Include Security (@IncludeSecurity on GitHub and Twitter). Thank you, Andres & Include Security.
Other changes in v4.3.1
- Remove support for ruby 1.9.x
- Add Code of Conduct
- Several documentation and testing improvements
Changes: v4.3.0...v4.3.1