In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsrack-attack
is Rack middleware for throttling and blocking abusive requests.
Affected versions of rack-attack
do not normalize the request path. This can cause throttles and blacklists to not work as expected.
When using rack-attack
with a rails app, developers expect the request path to be normalized. In particular, trailing slashes are stripped so a request path /login/
becomes /login
by the time you're in ActionController
.
Since Rack::Attack
runs before ActionDispatch
, the request path is not yet normalized. This can cause throttles and blacklists to not work as expected.
E.g., a throttle:
throttle('logins', ...) {|req| req.path == "/login" }
would not match a request to /login/
, though Rails would route /login/
to the same /login
action.