safelist github IP range in Rack::Attack

This commit is contained in:
Igor Wiedler 2016-07-05 12:30:10 +02:00
parent c1de919852
commit e6d7607916
4 changed files with 23 additions and 1 deletions


@ -32,6 +32,7 @@ gem 'micro_migrations'
gem 'simplecov'
gem 'skylight', '~> 0.6.0.beta.1'
gem 'stackprof'
gem 'netaddr'
gem 'jemalloc'
gem 'customerio'
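Review bot: `gem 'netaddr'` is added without a version constraint, while Gemfile.lock resolves it to 1.5.1 and the new Rack::Attack code depends on the 1.x `NetAddr::CIDR.create` interface; a future major release of the gem is free to change that API, so `gem 'netaddr', '~> 1.5'` would stop a routine bundle update from silently breaking the safelist. Several neighbouring gems are also unpinned, so this may simply follow the file's convention, in which case it is a minor point.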


@ -252,6 +252,7 @@ GEM
multipart-post (2.0.0)
net-http-persistent (2.9.4)
net-http-pipeline (1.0.1)
netaddr (1.5.1)
os (0.9.6)
pg (0.18.4)
proxies (0.2.1)
@ -389,6 +390,7 @@ DEPENDENCIES
micro_migrations
mocha (~> 0.12)
mustermann!
netaddr
pry
rack-attack
rack-cache!


@ -1,4 +1,5 @@
require 'rack/attack'
require 'cidr'
class Rack::Attack
class Request
@ -35,6 +36,11 @@ class Rack::Attack
/\.(png|svg)$/.match(request.path)
end
# https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/
whitelist('safelist anything coming from github') do |request|
NetAddr::CIDR.create('192.30.252.0/22').contains?(request.ip)
end
####
# Whitelisted IP addresses
whitelist('whitelist client requesting from redis') do |request|
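Review bot: The new whitelist block keys on `request.ip`, so whether a client-supplied X-Forwarded-For header can place a request inside `192.30.252.0/22` depends on how Rack's trusted-proxy handling is configured for this deployment; confirm that only the proxy-observed address reaches this check, because a spoofable address here bypasses every throttle defined below. The range is also parsed on every request; hoist it to class level as `GITHUB_CIDR = NetAddr::CIDR.create('192.30.252.0/22')` and use `GITHUB_CIDR.contains?(request.ip)` in the block, and extend the comment to say that GitHub's published ranges change over time and this literal needs periodic refresh against the linked page. The accompanying spec sends `192.30.252.42`, which lies inside that range, yet expects `whitelisted?` to be falsy, so either the range or the expectation appears inverted. `require 'cidr'` loads a single file of the netaddr gem; its documented entry point is `require 'netaddr'`, which I would expect here unless Bundler already loads the gem.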


@ -10,7 +10,20 @@ describe Rack::Attack do
end
end
describe 'non-image API request' do
describe 'request from GitHub ip' do
let(:request) {
env = Rack::MockRequest.env_for("https://api-test.travis-ci.org/repos/rails/rails/branches", {
'REMOTE_ADDR' => '192.30.252.42'
})
Rack::Attack::Request.new(env)
}
it 'should not be safelisted' do
expect(Rack::Attack.whitelisted?(request)).to be_falsy
end
end
describe 'non-safelisted request' do
let(:request) {
env = Rack::MockRequest.env_for("https://api-test.travis-ci.org/repos/rails/rails/branches")
Rack::Attack::Request.new(env)