auto banning: whitelist POST requests for in-browser handshake, on staging only ban for 10 seconds

2015-10-06 11:00:35 +02:00 · 2015-10-06 11:00:35 +02:00 · 0249140dc8
commit 0249140dc8
parent 1bec0c1332
1 changed files with 17 additions and 3 deletions
--- a/lib/travis/api/attack.rb
+++ b/lib/travis/api/attack.rb
@ -17,6 +17,20 @@ class Rack::Attack
    end
  end

+  def self.bantime(value)
+    case Travis.env
+    when "production" then value
+    when "staging"    then 10 # ban for 10 seconds on staging
+    else 1
+    end
+  end
+
+  POST_WHITELISTED = [
+    "/auth/handshake",
+    "/auth/post_message",
+    "/auth/post_message/iframe"
+  ]
+
  ####
  # Ban based on: IP address
  # Ban time:     indefinite
@ -30,7 +44,7 @@ class Rack::Attack
  # Ban time:     5 hours
  # Ban after:    10 POST requests within five minutes to /auth/github
  blacklist('hammering /auth/github') do |request|
-     Rack::Attack::Allow2Ban.filter(request.identifier, maxretry: 10, findtime: 5.minutes, bantime: 5.hours) do
+     Rack::Attack::Allow2Ban.filter(request.identifier, maxretry: 10, findtime: 5.minutes, bantime: bantime(5.hours)) do
       request.post? and request.path == '/auth/github'
     end
  end
@ -40,8 +54,8 @@ class Rack::Attack
  # Ban time:     1 hour
  # Ban after:    10 POST requests within 30 seconds
  blacklist('spamming with POST requests') do |request|
-     Rack::Attack::Allow2Ban.filter(request.identifier, maxretry: 10, findtime: 30.seconds, bantime: 1.hour) do
-       request.post?
+     Rack::Attack::Allow2Ban.filter(request.identifier, maxretry: 10, findtime: 30.seconds, bantime: bantime(1.hour)) do
+       request.post? and not POST_WHITELISTED.include? '/auth/github'
     end
  end