suzanne.soy/travis-api
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #289 from travis-ci/igor-safelist-github-ips

Browse Source 
safelist github IP range in Rack::Attack
This commit is contained in:
Igor 2016-07-05 13:11:19 +02:00 committed by GitHub
commit 237f270708
4 changed files with 25 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Gemfile
View File

@ -32,6 +32,7 @@ gem 'micro_migrations'
gem 'simplecov' gem 'simplecov'
gem 'skylight', '~> 0.6.0.beta.1' gem 'skylight', '~> 0.6.0.beta.1'
gem 'stackprof' gem 'stackprof'
gem 'netaddr'
gem 'jemalloc' gem 'jemalloc'
gem 'customerio' gem 'customerio'

2
Gemfile.lock
View File

@ -252,6 +252,7 @@ GEM
multipart-post (2.0.0) multipart-post (2.0.0)
net-http-persistent (2.9.4) net-http-persistent (2.9.4)
net-http-pipeline (1.0.1) net-http-pipeline (1.0.1)
netaddr (1.5.1)
os (0.9.6) os (0.9.6)
pg (0.18.4) pg (0.18.4)
proxies (0.2.1) proxies (0.2.1)
@ -389,6 +390,7 @@ DEPENDENCIES
micro_migrations micro_migrations
mocha (~> 0.12) mocha (~> 0.12)
mustermann! mustermann!
netaddr
pry pry
rack-attack rack-attack
rack-cache! rack-cache!

8
lib/travis/api/attack.rb
View File

@ -1,4 +1,5 @@
require 'rack/attack' require 'rack/attack'
require 'netaddr'
class Rack::Attack class Rack::Attack
class Request class Request
@ -31,10 +32,17 @@ class Rack::Attack
"/auth/post_message/iframe" "/auth/post_message/iframe"
] ]
GITHUB_CIDR = NetAddr::CIDR.create('192.30.252.0/22')
whitelist('safelist build status images') do |request| whitelist('safelist build status images') do |request|
/\.(png|svg)$/.match(request.path) /\.(png|svg)$/.match(request.path)
end end
# https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/
whitelist('safelist anything coming from github') do |request|
request.ip && GITHUB_CIDR.contains?(request.ip)
end
#### ####
# Whitelisted IP addresses # Whitelisted IP addresses
whitelist('whitelist client requesting from redis') do |request| whitelist('whitelist client requesting from redis') do |request|

15
spec/unit/attack_spec.rb
View File

@ -10,7 +10,20 @@ describe Rack::Attack do
end end
end end
describe 'non-image API request' do describe 'request from GitHub ip' do
let(:request) {
env = Rack::MockRequest.env_for("https://api-test.travis-ci.org/repos/rails/rails/branches", {
'REMOTE_ADDR' => '192.30.252.42',
})
Rack::Attack::Request.new(env)
}
it 'should be safelisted' do
expect(Rack::Attack.whitelisted?(request)).to be_truthy
end
end
describe 'non-safelisted request' do
let(:request) { let(:request) {
env = Rack::MockRequest.env_for("https://api-test.travis-ci.org/repos/rails/rails/branches") env = Rack::MockRequest.env_for("https://api-test.travis-ci.org/repos/rails/rails/branches")
Rack::Attack::Request.new(env) Rack::Attack::Request.new(env)