Merge pull request #290 from travis-ci/igor-update-rack-attack

Update rack-attack to 5.0.0.beta1
2016-07-05 13:11:59 +02:00 · 2016-07-05 13:11:59 +02:00 · ff7d1dbfdd
commit ff7d1dbfdd
parent 237f270708 50b78a1458
9 changed files with 26 additions and 24 deletions
--- a/2
+++ b/2
@ -21,7 +21,7 @@ gem 'sentry-raven'
 gem 'yard-sinatra',    github: 'rkh/yard-sinatra'
 gem 'rack-contrib'
 gem 'rack-cache',      github: 'rtomayko/rack-cache'
-gem 'rack-attack'
+gem 'rack-attack', '5.0.0.beta1'
 gem 'gh'
 gem 'bunny',           '~> 0.8.0'
 gem 'dalli'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -266,7 +266,7 @@ GEM
      pusher-signature (~> 0.1.8)
    pusher-signature (0.1.8)
    rack (1.4.7)
-    rack-attack (4.4.1)
+    rack-attack (5.0.0.beta1)
      rack
    rack-contrib (1.4.0)
      git-version-bump (~> 0.15)
@ -392,7 +392,7 @@ DEPENDENCIES
  mustermann!
  netaddr
  pry
-  rack-attack
+  rack-attack (= 5.0.0.beta1)
  rack-cache!
  rack-contrib
  rake (~> 0.9.2)
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@ -114,7 +114,7 @@ class Travis::Api::App
      # access token and user payload to the parent window via postMessage.
      #
      # However, the endpoint to send the payload to has to be explicitely
-      # whitelisted in production, as this is endpoint is only meant to be used
+      # safelisted in production, as this is endpoint is only meant to be used
      # with the official Travis CI client at the moment.
      #
      # Example usage:
@ -408,7 +408,7 @@ __END__

@@ invalid_target
 <script>
-console.log('refusing to send a token to <%= target_origin.inspect %>, not whitelisted!');
+console.log('refusing to send a token to <%= target_origin.inspect %>, not safelisted!');
 </script>

@@ common
--- a/lib/travis/api/attack.rb
+++ b/lib/travis/api/attack.rb
@ -34,34 +34,36 @@ class Rack::Attack

  GITHUB_CIDR = NetAddr::CIDR.create('192.30.252.0/22')

-  whitelist('safelist build status images') do |request|
+  safelist('safelist build status images') do |request|
    /\.(png|svg)$/.match(request.path)
  end

-  # https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/
-  whitelist('safelist anything coming from github') do |request|
+  # https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-safelist/
+  safelist('safelist anything coming from github') do |request|
    request.ip && GITHUB_CIDR.contains?(request.ip)
  end

  ####
  # Whitelisted IP addresses
-  whitelist('whitelist client requesting from redis') do |request|
-    Travis.redis.sismember(:api_whitelisted_ips, request.ip)
+  safelist('safelist client requesting from redis') do |request|
+    # TODO: deprecate :api_whitelisted_ips in favour of api_safelisted_ips
+    Travis.redis.sismember(:api_whitelisted_ips, request.ip) || Travis.redis.sismember(:api_safelisted_ips, request.ip)
  end

  ####
  # Ban based on: IP address
  # Ban time:     indefinite
  # Ban after:    manually banned
-  blacklist('block client requesting from redis') do |request|
-    Travis.redis.sismember(:api_blacklisted_ips, request.ip)
+  blocklist('block client requesting from redis') do |request|
+    # TODO: deprecate :api_blacklisted_ips in favour of api_blocklisted_ips
+    Travis.redis.sismember(:api_blacklisted_ips, request.ip) || Travis.redis.sismember(:api_blocklisted_ips, request.ip)
  end

  ####
  # Ban based on: IP address or access token
  # Ban time:     5 hours
  # Ban after:    10 POST requests within five minutes to /auth/github
-  blacklist('hammering /auth/github') do |request|
+  blocklist('hammering /auth/github') do |request|
    Rack::Attack::Allow2Ban.filter(request.identifier, maxretry: 2, findtime: 5.minutes, bantime: bantime(5.hours)) do
      request.post? and request.path == '/auth/github'
    end
@ -71,7 +73,7 @@ class Rack::Attack
  # Ban based on: IP address or access token
  # Ban time:     1 hour
  # Ban after:    10 POST requests within 30 seconds
-  blacklist('spamming with POST requests') do |request|
+  blocklist('spamming with POST requests') do |request|
    Rack::Attack::Allow2Ban.filter(request.identifier, maxretry: 10, findtime: 30.seconds, bantime: bantime(1.hour)) do
      request.post? and not POST_SAFELIST.include? request.path
    end
--- a/lib/travis/api/v3/router.rb
+++ b/lib/travis/api/v3/router.rb
@ -29,7 +29,7 @@ module Travis::API::V3
      result   = service.run
      metrics.tick(:service)

-      env_params.each_key { |key| result.ignored_param(key, reason: "not whitelisted".freeze) unless filtered.include?(key) }
+      env_params.each_key { |key| result.ignored_param(key, reason: "not safelisted".freeze) unless filtered.include?(key) }
      response = render(result, env_params, env)

      metrics.tick(:renderer)
--- a/spec/unit/attack_spec.rb
+++ b/spec/unit/attack_spec.rb
@ -6,7 +6,7 @@ describe Rack::Attack do
    }

    it 'should be safelisted' do
-      expect(Rack::Attack.whitelisted?(request)).to be_truthy
+      expect(Rack::Attack.safelisted?(request)).to be_truthy
    end
  end

@ -19,7 +19,7 @@ describe Rack::Attack do
    }

    it 'should be safelisted' do
-      expect(Rack::Attack.whitelisted?(request)).to be_truthy
+      expect(Rack::Attack.safelisted?(request)).to be_truthy
    end
  end

@ -30,7 +30,7 @@ describe Rack::Attack do
    }

    it 'should not be safelisted' do
-      expect(Rack::Attack.whitelisted?(request)).to be_falsy
+      expect(Rack::Attack.safelisted?(request)).to be_falsy
    end
  end
 end
--- a/spec/v3/services/owner/find_spec.rb
+++ b/spec/v3/services/owner/find_spec.rb
@ -167,7 +167,7 @@ describe Travis::API::V3::Services::Owner::Find, set_app: true do
        "avatar_url"     => nil,
        "@warnings"      => [{
          "@type"        => "warning",
-          "message"      => "query parameter organization.id not whitelisted, ignored",
+          "message"      => "query parameter organization.id not safelisted, ignored",
          "warning_type" => "ignored_parameter",
          "parameter"    => "organization.id"}]
      }}
@ -254,7 +254,7 @@ describe Travis::API::V3::Services::Owner::Find, set_app: true do
        "synced_at"        => nil,
        "@warnings"        => [{
          "@type"          => "warning",
-          "message"        => "query parameter user.id not whitelisted, ignored",
+          "message"        => "query parameter user.id not safelisted, ignored",
          "warning_type"   => "ignored_parameter",
          "parameter"      => "user.id"}]
      }}
--- a/spec_core/model/job_spec.rb
+++ b/spec_core/model/job_spec.rb
@ -129,7 +129,7 @@ describe Job do
      }
    end

-    it 'removes addons items which are not whitelisted' do
+    it 'removes addons items which are not safelisted' do
      job = Job.new(repository: repo)
      config = { rvm: '1.8.7',
                 addons: { sauce_connect: true, firefox: '22.0' },
@ -328,7 +328,7 @@ describe Job do
        }
      end

-      it 'removes addons items which are not whitelisted' do
+      it 'removes addons items which are not safelisted' do
        config = { rvm: '1.8.7',
                   addons: {
                     sauce_connect: {
--- a/vendor/travis-core/lib/travis/model/job.rb
+++ b/vendor/travis-core/lib/travis/model/job.rb
@ -14,7 +14,7 @@ class Job < Travis::Model
  require 'travis/model/job/test'
  require 'travis/model/env_helpers'

-  WHITELISTED_ADDONS = %w(
+  SAFELISTED_ADDONS = %w(
    apt
    apt_packages
    apt_sources
@ -167,7 +167,7 @@ class Job < Travis::Model

    def delete_addons(config)
      if config[:addons].is_a?(Hash)
-        config[:addons].keep_if { |key, _| WHITELISTED_ADDONS.include? key.to_s }
+        config[:addons].keep_if { |key, _| SAFELISTED_ADDONS.include? key.to_s }
      else
        config.delete(:addons)
      end