From 1f56dcc645ebfb7e45804deb18d0d4af11126781 Mon Sep 17 00:00:00 2001
From: Igor Wiedler
Date: Tue, 28 Jun 2016 19:01:29 +0200
Subject: [PATCH 1/2] replace WHITELIST terminology with SAFELIST

---
 lib/travis/api/attack.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/travis/api/attack.rb b/lib/travis/api/attack.rb
index d210b633..5b945eca 100644
--- a/lib/travis/api/attack.rb
+++ b/lib/travis/api/attack.rb
@@ -25,7 +25,7 @@ class Rack::Attack
end
end

- POST_WHITELISTED = [
+ POST_SAFELIST = [
"/auth/handshake",
"/auth/post_message",
"/auth/post_message/iframe"
@@ -61,7 +61,7 @@ class Rack::Attack
# Ban after: 10 POST requests within 30 seconds
blacklist('spamming with POST requests') do |request|
Rack::Attack::Allow2Ban.filter(request.identifier, maxretry: 10, findtime: 30.seconds, bantime: bantime(1.hour)) do
- request.post? and not POST_WHITELISTED.include? request.path
+ request.post? and not POST_SAFELIST.include? request.path
end
end

From 0156671fc8d444c9ae5c368cbe499d63a21b7c83 Mon Sep 17 00:00:00 2001
From: Igor Wiedler
Date: Tue, 28 Jun 2016 19:19:01 +0200
Subject: [PATCH 2/2] safelist build status image requests coming from github

Currently almost all calls against API are being rate limited, including build status images. This leads to common requesters such as GitHub's camo proxy to get rate limited and receive a 429 response code. This patch attempts to allow those requests.

---
 lib/travis/api/attack.rb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/travis/api/attack.rb b/lib/travis/api/attack.rb
index 5b945eca..411980bf 100644
--- a/lib/travis/api/attack.rb
+++ b/lib/travis/api/attack.rb
@@ -31,12 +31,18 @@ class Rack::Attack
"/auth/post_message/iframe"
]

+ IMAGE_PATTERN = /^\/([a-z0-9_-]+)\/([a-z0-9_-]+)\.(png|svg)$/
+
####
# Whitelisted IP addresses
whitelist('whitelist client requesting from redis') do |request|
Travis.redis.sismember(:api_whitelisted_ips, request.ip)
end

+ whitelist('safelist build status images when requested by github') do |request|
+ request.user_agent and request.user_agent.start_with?('github-camo') and IMAGE_PATTERN.match(request.path)
+ end
+
####
# Ban based on: IP address
# Ban time: indefinite
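Review bot: The new `whitelist` block keys entirely on `request.user_agent.start_with?('github-camo')`, a client-supplied header, and because a Rack::Attack whitelist bypasses every throttle and blacklist in this file, any requester that sends that User-Agent gets unlimited access to every path matching IMAGE_PATTERN. If the goal is only to stop GitHub's proxy from receiving 429s, a separate, more generous `throttle` scoped to the image pattern (or a source check the client cannot forge, such as the IP-based rule already present in this hunk) preserves a ceiling on the image endpoint. The regexp should also anchor the whole string, since `^`/`$` match per line in Ruby: `IMAGE_PATTERN = %r{\A/([a-z0-9_-]+)/([a-z0-9_-]+)\.(png|svg)\z}`. Minor style: use `&&` rather than `and` in the block to avoid precedence surprises, and the "Whitelisted IP addresses" heading above now also covers a User-Agent-based rule, so a one-line comment such as `# Safelisted by User-Agent: spoofable, limited to status-image paths` would document the trade-off.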