From 0156671fc8d444c9ae5c368cbe499d63a21b7c83 Mon Sep 17 00:00:00 2001
From: Igor Wiedler
Date: Tue, 28 Jun 2016 19:19:01 +0200
Subject: [PATCH] safelist build status image requests coming from github

Currently almost all calls against API are being rate limited, including build status images. This leads to common requesters such as GitHub's camo proxy to get rate limited and receive a 429 response code. This patch attempts to allow those requests.
---
 lib/travis/api/attack.rb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/travis/api/attack.rb b/lib/travis/api/attack.rb
index 5b945eca..411980bf 100644
--- a/lib/travis/api/attack.rb
+++ b/lib/travis/api/attack.rb
@@ -31,12 +31,18 @@ class Rack::Attack
 "/auth/post_message/iframe"
 ]
 
+ IMAGE_PATTERN = /^\/([a-z0-9_-]+)\/([a-z0-9_-]+)\.(png|svg)$/
+
 ####
 # Whitelisted IP addresses
 whitelist('whitelist client requesting from redis') do |request|
 Travis.redis.sismember(:api_whitelisted_ips, request.ip)
 end
 
+ whitelist('safelist build status images when requested by github') do |request|
+ request.user_agent and request.user_agent.start_with?('github-camo') and IMAGE_PATTERN.match(request.path)
+ end
+
 ####
 # Ban based on: IP address
 # Ban time: indefinite
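Review bot: The exemption in the new `whitelist` block rests on `request.user_agent`, a header the client sets itself, so any requester can claim it; and in Rack::Attack a whitelist match skips every throttle and ban defined later in this class (whose body continues outside the hunk). That leaves the path check as the only real boundary, and `IMAGE_PATTERN` anchors with `^`/`$`, which in Ruby match at line breaks rather than at the ends of the string. I would anchor it as `IMAGE_PATTERN = /\A\/([a-z0-9_-]+)\/([a-z0-9_-]+)\.(png|svg)\z/` and write the condition with `&&` instead of `and`. It may also be worth giving these image requests their own, more generous throttle rather than a full exemption, so that a request carrying a spoofed user agent still meets some limit.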