rack attack

Author: gildesmarais

.gitignore

@@ -42,3 +42,4 @@
 /frontend/node_modules/
 /frontend/package-lock.json
 /public/frontend
+.yardoc

Gemfile

@@ -14,6 +14,7 @@ gem 'html2rss-configs', github: 'html2rss/html2rss-configs'
 
 gem 'base64'
 gem 'parallel'
+gem 'rack-attack'
 gem 'rack-cache'
 gem 'rack-timeout'
 gem 'rack-unreloader'

Gemfile.lock

@@ -132,6 +132,8 @@ GEM
       websocket-driver (>= 0.6.0)
     racc (1.8.1)
     rack (3.2.0)
+    rack-attack (6.7.0)
+      rack (>= 1.0, < 4)
     rack-cache (1.17.0)
       rack (>= 0.4)
     rack-test (2.2.0)
@@ -241,6 +243,7 @@ DEPENDENCIES
   html2rss-configs!
   parallel
   puma
+  rack-attack
   rack-cache
   rack-test
   rack-timeout
@@ -312,6 +315,7 @@ CHECKSUMS
   puppeteer-ruby (0.45.6) sha256=cb86f7b4f6f8658a709ae1a305e820bdb009548e6beff6675489926f9ceb5995
   racc (1.8.1) sha256=4a7f6929691dbec8b5209a0b373bc2614882b55fc5d2e447a21aaa691303d62f
   rack (3.2.0) sha256=79cd21514d696c59d61fae02e62900f087aac2d053fdc77d45f4e91b94fb3612
+  rack-attack (6.7.0) sha256=3ca47e8f66cd33b2c96af53ea4754525cd928ed3fa8da10ee6dad0277791d77c
   rack-cache (1.17.0) sha256=49592f3ef2173b0f5524df98bb801fb411e839869e7ce84ac428dc492bf0eb90
   rack-test (2.2.0) sha256=005a36692c306ac0b4a9350355ee080fd09ddef1148a5f8b2ac636c720f5c463
   rack-timeout (0.7.0) sha256=757337e9793cca999bb73a61fe2a7d4280aa9eefbaf787ce3b98d860749c87d9

app/auth.rb

@@ -9,6 +9,8 @@
 require_relative 'local_config'
 
 module Html2rss
+  ##
+  # Web application modules for html2rss
   module Web
     ##
     # Unified authentication system for html2rss-web
@@ -20,8 +22,8 @@ module Auth
 
       ##
       # Authenticate a request and return account data if valid
-      # @param request [Roda::Request] the request object
-      # @return [Hash, nil] account data if authenticated, nil otherwise
+      # @param request [Roda::Request] request object
+      # @return [Hash, nil] account data if authenticated
       def authenticate(request)
         token = extract_token(request)
         return nil unless token
@@ -31,12 +33,19 @@ def authenticate(request)
 
       ##
       # Get account data by token
-      # @param token [String] the authentication token
-      # @return [Hash, nil] account data if found, nil otherwise
+      # @param token [String] authentication token
+      # @return [Hash, nil] account data if found
       def get_account(token)
         return nil unless token
 
-        accounts.find { |account| account[:token] == token }
+        token_index[token]
+      end
+
+      ##
+      # Get token index for O(1) lookups
+      # @return [Hash] token to account mapping
+      def token_index
+        @token_index ||= accounts.each_with_object({}) { |account, hash| hash[account[:token]] = account } # rubocop:disable ThreadSafety/ClassInstanceVariable
       end
 
       ##
@@ -74,6 +83,7 @@ def generate_feed_id(username, url, token)
       def generate_feed_token(username, url, expires_in: DEFAULT_TOKEN_EXPIRY)
         secret_key = self.secret_key
         return nil unless secret_key
+        return nil unless valid_username?(username) && valid_url?(url)
 
         payload = create_token_payload(username, url, expires_in)
         signature = create_hmac_signature(secret_key, payload)
@@ -96,9 +106,9 @@ def create_hmac_signature(secret_key, payload)
 
       ##
       # Validate a feed token and return account data if valid
-      # @param feed_token [String] the feed token to validate
-      # @param url [String] the URL being accessed
-      # @return [Hash, nil] account data if valid, nil otherwise
+      # @param feed_token [String] feed token to validate
+      # @param url [String] URL being accessed
+      # @return [Hash, nil] account data if valid
       def validate_feed_token(feed_token, url)
         return nil unless feed_token && url
 
@@ -122,7 +132,21 @@ def verify_token_signature(token_data)
         return false unless secret_key
 
         expected_signature = OpenSSL::HMAC.hexdigest('SHA256', secret_key, token_data[:payload].to_json)
-        token_data[:signature] == expected_signature
+        secure_compare(token_data[:signature], expected_signature)
+      end
+
+      ##
+      # Constant-time string comparison to prevent timing attacks
+      # @param first_string [String] first string
+      # @param second_string [String] second string
+      # @return [Boolean] true if strings are equal
+      def secure_compare(first_string, second_string)
+        return false unless first_string && second_string
+        return false unless first_string.bytesize == second_string.bytesize
+
+        result = 0
+        first_string.bytes.zip(second_string.bytes) { |x, y| result |= x ^ y }
+        result.zero?
       end
 
       def token_valid?(token_data, url)
@@ -135,8 +159,8 @@ def token_valid?(token_data, url)
 
       ##
       # Extract feed token from URL query parameters
-      # @param url [String] the full URL with query parameters
-      # @return [String, nil] feed token if found, nil otherwise
+      # @param url [String] full URL with query parameters
+      # @return [String, nil] feed token if found
       def extract_feed_token_from_url(url)
         URI.parse(url).then { |uri| URI.decode_www_form(uri.query || '').to_h['token'] }
       rescue StandardError
@@ -145,8 +169,8 @@ def extract_feed_token_from_url(url)
 
       ##
       # Check if a feed URL is allowed for the given feed token
-      # @param feed_token [String] the feed token
-      # @param url [String] the URL to check
+      # @param feed_token [String] feed token
+      # @param url [String] URL to check
       # @return [Boolean] true if URL is allowed
       def feed_url_allowed?(feed_token, url)
         account = validate_feed_token(feed_token, url)
@@ -157,13 +181,16 @@ def feed_url_allowed?(feed_token, url)
 
       ##
       # Extract token from request (Authorization header only)
-      # @param request [Roda::Request] the request object
-      # @return [String, nil] token if found, nil otherwise
+      # @param request [Roda::Request] request object
+      # @return [String, nil] token if found
       def extract_token(request)
         auth_header = request.env['HTTP_AUTHORIZATION']
         return unless auth_header&.start_with?('Bearer ')
 
-        auth_header.delete_prefix('Bearer ')
+        token = auth_header.delete_prefix('Bearer ')
+        return nil if token.empty? || token.length > 1024
+
+        token
       end
 
       ##
@@ -173,16 +200,10 @@ def accounts
         load_accounts
       end
 
-      ##
-      # Reload accounts from config (useful for development)
-      def reload_accounts!
-        accounts
-      end
-
       ##
       # Get account by username
-      # @param username [String] the username to find
-      # @return [Hash, nil] account data if found, nil otherwise
+      # @param username [String] username to find
+      # @return [Hash, nil] account data if found
       def get_account_by_username(username)
         return nil unless username
 
@@ -207,7 +228,7 @@ def load_accounts
 
       ##
       # Get the secret key for HMAC signing
-      # @return [String, nil] secret key if configured, nil otherwise
+      # @return [String, nil] secret key if configured
       def secret_key
         ENV.fetch('HTML2RSS_SECRET_KEY')
       end
@@ -251,14 +272,47 @@ def sanitize_xml(text)
       ##
       # Validate URL format and scheme using Html2rss::Url.for_channel
       # @param url [String] URL to validate
-      # @return [Boolean] true if URL is valid and allowed, false otherwise
+      # @return [Boolean] true if URL is valid and allowed
       def valid_url?(url)
-        return false unless url.is_a?(String) && !url.empty? && url.length <= 2048
+        return false unless basic_url_valid?(url)
 
-        !Html2rss::Url.for_channel(url).nil?
+        validate_url_with_html2rss(url)
       rescue StandardError
         false
       end
+
+      ##
+      # Basic URL format validation
+      # @param url [String] URL to validate
+      # @return [Boolean] true if basic format is valid
+      def basic_url_valid?(url)
+        url.is_a?(String) && !url.empty? && url.length <= 2048 && url.match?(%r{\Ahttps?://.+})
+      end
+
+      ##
+      # Validate URL using Html2rss if available, otherwise basic validation
+      # @param url [String] URL to validate
+      # @return [Boolean] true if URL is valid
+      def validate_url_with_html2rss(url)
+        if defined?(Html2rss::Url) && Html2rss::Url.respond_to?(:for_channel)
+          !Html2rss::Url.for_channel(url).nil?
+        else
+          # Fallback to basic URL validation for tests
+          URI.parse(url).is_a?(URI::HTTP) || URI.parse(url).is_a?(URI::HTTPS)
+        end
+      end
+
+      ##
+      # Validate username format and length
+      # @param username [String] username to validate
+      # @return [Boolean] true if username is valid
+      def valid_username?(username)
+        return false unless username.is_a?(String)
+        return false if username.empty? || username.length > 100
+        return false unless username.match?(/\A[a-zA-Z0-9_-]+\z/)
+
+        true
+      end
     end
   end
 end

config.ru

@@ -11,23 +11,17 @@ if ENV.key?('SENTRY_DSN')
   Sentry.init do |config|
     config.dsn = ENV.fetch('SENTRY_DSN')
 
-    # Set traces_sample_rate to 1.0 to capture 100%
-    # of transactions for tracing.
-    # We recommend adjusting this value in production.
     config.traces_sample_rate = 1.0
-    # or
-    # config.traces_sampler = lambda do |_context|
-    #   true
-    # end
-    # Set profiles_sample_rate to profile 100%
-    # of sampled transactions.
-    # We recommend adjusting this value in production.
     config.profiles_sample_rate = 1.0
   end
 
   use Sentry::Rack::CaptureExceptions
 end
 
+require 'rack/attack'
+require_relative 'config/rack_attack'
+use Rack::Attack
+
 dev = ENV.fetch('RACK_ENV', nil) == 'development'
 requires = Dir['app/**/*.rb']
 

config/rack_attack.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require 'rack/attack'
+
+# In-memory store (resets on restart)
+# Note: In production, consider using Redis for persistent rate limiting
+Rack::Attack.cache.store = {}
+
+# Whitelist health checks and internal IPs
+Rack::Attack.safelist('health-check') do |req|
+  req.path.start_with?('/health', '/status')
+end
+
+# Whitelist localhost in development
+Rack::Attack.safelist('localhost') do |req|
+  %w[127.0.0.1 ::1].include?(req.ip) if ENV['RACK_ENV'] == 'development'
+end
+
+# Rate limiting by IP
+Rack::Attack.throttle('requests per IP', limit: 100, period: 60, &:ip)
+
+# Rate limiting for API endpoints
+Rack::Attack.throttle('api requests per IP', limit: 200, period: 60) do |req|
+  req.ip if req.path.start_with?('/api/')
+end
+
+# Rate limiting for feed generation (more restrictive)
+Rack::Attack.throttle('feed generation per IP', limit: 10, period: 60) do |req|
+  req.ip if req.path.include?('/feeds/')
+end
+
+# Block suspicious patterns
+Rack::Attack.blocklist('block bad user agents') do |req|
+  req.user_agent&.match?(/bot|crawler|spider/i) && !req.user_agent&.match?(/googlebot|bingbot/i)
+end
+
+# Custom responses with proper headers
+Rack::Attack.throttled_response = lambda do |_env|
+  retry_after = 60
+  [
+    429,
+    {
+      'Content-Type' => 'application/xml',
+      'Retry-After' => retry_after.to_s,
+      'X-RateLimit-Limit' => '100',
+      'X-RateLimit-Remaining' => '0',
+      'X-RateLimit-Reset' => (Time.now + retry_after).to_i.to_s
+    },
+    ['<rss><channel><title>Rate Limited</title><description>Too many requests. ' \
+     'Please try again later.</description></channel></rss>']
+  ]
+end
+
+# Track blocked requests for monitoring
+Rack::Attack.blocklisted_response = lambda do |_env|
+  [
+    403,
+    { 'Content-Type' => 'application/xml' },
+    ['<rss><channel><title>Access Denied</title><description>Request blocked by ' \
+     'security policy.</description></channel></rss>']
+  ]
+end