diff --git a/Gemfile b/Gemfile
index ab1dc3bf..9b5f3f56 100644
--- a/Gemfile
+++ b/Gemfile
@@ -32,6 +32,7 @@ gem 'micro_migrations'
 gem 'simplecov'
 gem 'skylight', '~> 0.6.0.beta.1'
 gem 'stackprof'
+gem 'netaddr'
 gem 'jemalloc'
 gem 'customerio'
diff --git a/Gemfile.lock b/Gemfile.lock
index 0dda637b..ff22e0be 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -252,6 +252,7 @@ GEM
     multipart-post (2.0.0)
     net-http-persistent (2.9.4)
     net-http-pipeline (1.0.1)
+    netaddr (1.5.1)
     os (0.9.6)
     pg (0.18.4)
     proxies (0.2.1)
@@ -389,6 +390,7 @@ DEPENDENCIES
   micro_migrations
   mocha (~> 0.12)
   mustermann!
+  netaddr
   pry
   rack-attack
   rack-cache!
diff --git a/lib/travis/api/attack.rb b/lib/travis/api/attack.rb
index 4bf4fd5d..dfb9d7e0 100644
--- a/lib/travis/api/attack.rb
+++ b/lib/travis/api/attack.rb
@@ -1,4 +1,5 @@
 require 'rack/attack'
+require 'cidr'
 
 class Rack::Attack
   class Request
@@ -35,6 +36,11 @@ class Rack::Attack
     /\.(png|svg)$/.match(request.path)
   end
 
+  # https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/
+  whitelist('safelist anything coming from github') do |request|
+    NetAddr::CIDR.create('192.30.252.0/22').contains?(request.ip)
+  end
+
   ####
   # Whitelisted IP addresses
   whitelist('whitelist client requesting from redis') do |request|
diff --git a/spec/unit/attack_spec.rb b/spec/unit/attack_spec.rb
index 7bae3546..c1b0ea9f 100644
--- a/spec/unit/attack_spec.rb
+++ b/spec/unit/attack_spec.rb
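Review bot: `gem 'netaddr'` is added with no version constraint even though the code in lib/travis/api/attack.rb depends on the 1.x `NetAddr::CIDR` interface, which later major releases of the gem replaced with a different API; the lock file holds it at 1.5.1 today, but a routine `bundle update` would break the GitHub safelist at runtime. Pin to the API the code was written against, `gem 'netaddr', '~> 1.5'`, so the constraint lives in the Gemfile rather than only in Gemfile.lock.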
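Review bot: `require 'cidr'` loads a single internal file of the netaddr gem rather than its entry point; it resolves only because the 1.x gem puts cidr.rb directly on the load path, and the helpers that `NetAddr::CIDR.create` relies on appear to live in the gem's other files, so this line presumably works only when something else (such as Bundler's auto-require) has already loaded the whole gem. Use the documented require, `require 'netaddr'`, so the file is correct on its own. The class body that follows continues outside the hunk.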
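Review bot: The new safelist keys entirely off `request.ip`, which Rack derives from `X-Forwarded-For` whenever `REMOTE_ADDR` is a trusted proxy, so the check is only as strong as the proxy layer's handling of that header; worth confirming the deployment overwrites or strips client-supplied values before any address inside 192.30.252.0/22 is given a blanket exemption from the throttles and blocklists defined in this file. `NetAddr::CIDR.create('192.30.252.0/22')` is also parsed afresh on every request; hoist it once, `GITHUB_CIDR = NetAddr::CIDR.create('192.30.252.0/22')` at class level and `GITHUB_CIDR.contains?(request.ip)` in the block. The range is hard-coded from a page GitHub revises over time, so it will silently stop matching when the published ranges change; a comment recording when it was last checked, or a periodic refresh from the linked source, would help. The block also sits above the `#### Whitelisted IP addresses` heading that introduces the other IP safelists, and reads better placed under it. The enclosing `class Rack::Attack` body starts and ends outside the hunk.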
@@ -10,7 +10,20 @@ describe Rack::Attack do
     end
   end
 
-  describe 'non-image API request' do
+  describe 'request from GitHub ip' do
+    let(:request) {
+      env = Rack::MockRequest.env_for("https://api-test.travis-ci.org/repos/rails/rails/branches", {
+        'REMOTE_ADDR' => '192.30.252.42'
+      })
+      Rack::Attack::Request.new(env)
+    }
+
+    it 'should not be safelisted' do
+      expect(Rack::Attack.whitelisted?(request)).to be_falsy
+    end
+  end
+
+  describe 'non-safelisted request' do
     let(:request) {
       env = Rack::MockRequest.env_for("https://api-test.travis-ci.org/repos/rails/rails/branches")
       Rack::Attack::Request.new(env)
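Review bot: The new example asserts `be_falsy` for a request whose REMOTE_ADDR is 192.30.252.42, an address inside the 192.30.252.0/22 range that the safelist in lib/travis/api/attack.rb admits, and its description `'should not be safelisted'` contradicts the describe block's intent; either the expectation should be `expect(Rack::Attack.whitelisted?(request)).to be_truthy`, or, if the spec passes as written, the safelist is not actually being evaluated in this environment and that needs investigating before merge. A companion example with a constructed address just outside the range (for instance 192.30.251.255) asserting `be_falsy` would pin the boundary. The `let`/`env` context lines at the end belong to the renamed 'non-safelisted request' block, which continues past the hunk.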