Merge pull request #289 from travis-ci/igor-safelist-github-ips

safelist github IP range in Rack::Attack

Gemfile

@@ -32,6 +32,7 @@ gem 'micro_migrations'
 gem 'simplecov'
 gem 'skylight', '~> 0.6.0.beta.1'
 gem 'stackprof'
+gem 'netaddr'
 
 gem 'jemalloc'
 gem 'customerio'

Gemfile.lock

@@ -252,6 +252,7 @@ GEM
     multipart-post (2.0.0)
     net-http-persistent (2.9.4)
     net-http-pipeline (1.0.1)
+    netaddr (1.5.1)
     os (0.9.6)
     pg (0.18.4)
     proxies (0.2.1)
@@ -389,6 +390,7 @@ DEPENDENCIES
   micro_migrations
   mocha (~> 0.12)
   mustermann!
+  netaddr
   pry
   rack-attack
   rack-cache!

lib/travis/api/attack.rb

@@ -1,4 +1,5 @@
 require 'rack/attack'
+require 'netaddr'
 
 class Rack::Attack
   class Request
@@ -31,10 +32,17 @@ class Rack::Attack
     "/auth/post_message/iframe"
   ]
 
+  GITHUB_CIDR = NetAddr::CIDR.create('192.30.252.0/22')
+
   whitelist('safelist build status images') do |request|
     /\.(png|svg)$/.match(request.path)
   end
 
+  # https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/
+  whitelist('safelist anything coming from github') do |request|
+    request.ip && GITHUB_CIDR.contains?(request.ip)
+  end
+
   ####
   # Whitelisted IP addresses
   whitelist('whitelist client requesting from redis') do |request|

spec/unit/attack_spec.rb

@@ -10,7 +10,20 @@ describe Rack::Attack do
     end
   end
 
-  describe 'non-image API request' do
+  describe 'request from GitHub ip' do
+    let(:request) {
+      env = Rack::MockRequest.env_for("https://api-test.travis-ci.org/repos/rails/rails/branches", {
+        'REMOTE_ADDR' => '192.30.252.42',
+      })
+      Rack::Attack::Request.new(env)
+    }
+
+    it 'should be safelisted' do
+      expect(Rack::Attack.whitelisted?(request)).to be_truthy
+    end
+  end
+
+  describe 'non-safelisted request' do
     let(:request) {
       env = Rack::MockRequest.env_for("https://api-test.travis-ci.org/repos/rails/rails/branches")
       Rack::Attack::Request.new(env)