diff options
author | Jacob Vosmaer <jacob@gitlab.com> | 2014-08-22 12:00:12 +0400 |
---|---|---|
committer | Jacob Vosmaer <jacob@gitlab.com> | 2014-08-22 12:00:12 +0400 |
commit | abda2dab43cab774ced331093ec7649157a2b5a5 (patch) | |
tree | 91679e2491107f76e4d3598c8e73e192bf8663b2 | |
parent | e328668f2950636fe21e69b49d10d6ea1ae12da4 (diff) | |
parent | b70606287bda9b52be2288513f612505fa3d86b2 (diff) |
Merge branch 'rack_attack/unsubscribes' into 'master'
Protect unsubscribe path
See merge request !1033
-rw-r--r-- | config/initializers/rack_attack.rb.example | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/config/initializers/rack_attack.rb.example b/config/initializers/rack_attack.rb.example index bc3234bf0b6..332865d2881 100644 --- a/config/initializers/rack_attack.rb.example +++ b/config/initializers/rack_attack.rb.example @@ -8,11 +8,19 @@ paths_to_be_protected = [ "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json", "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session", "#{Rails.application.config.relative_url_root}/users", - "#{Rails.application.config.relative_url_root}/users/confirmation" + "#{Rails.application.config.relative_url_root}/users/confirmation", + "#{Rails.application.config.relative_url_root}/unsubscribes/" + ] +# Create one big regular expression that matches strings starting with any of +# the paths_to_be_protected. +paths_regex = Regexp.union(paths_to_be_protected.map { |path| /\A#{Regexp.escape(path)}/ }) + unless Rails.env.test? Rack::Attack.throttle('protected paths', limit: 10, period: 60.seconds) do |req| - req.ip if paths_to_be_protected.include?(req.path) && req.post? + if req.post? && req.path =~ paths_regex + req.ip + end end end |