Add IP blocking against DNSBL at sign-up

2016-01-20 13:16:34 +01:00 · 2016-01-20 13:16:34 +01:00 · 8536e083f7
commit 8536e083f7
parent 481644ca7c
10 changed files with 242 additions and 1 deletions
--- a/1
+++ b/1
@ -71,6 +71,7 @@ v 8.4.0 (unreleased)
  - Expose button to CI Lint tool on project builds page
  - Fix: Creator should be added as a master of the project on creation
  - Added X-GitLab-... headers to emails from CI and Email On Push services (Anton Baklanov)
+  - Add IP check against DNSBLs at account sign-up

 v 8.3.4
  - Use gitlab-workhorse 0.5.4 (fixes API routing bug)
--- a/app/controllers/admin/application_settings_controller.rb
+++ b/app/controllers/admin/application_settings_controller.rb
@ -74,6 +74,8 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
      :metrics_timeout,
      :metrics_method_call_threshold,
      :metrics_sample_interval,
+      :ip_blocking_enabled,
+      :dnsbl_servers_list,
      :recaptcha_enabled,
      :recaptcha_site_key,
      :recaptcha_private_key,
--- a/app/controllers/registrations_controller.rb
+++ b/app/controllers/registrations_controller.rb
@ -8,6 +8,11 @@ class RegistrationsController < Devise::RegistrationsController

  def create
    if !Gitlab::Recaptcha.load_configurations! || verify_recaptcha
+      if Gitlab::IpCheck.new(request.remote_ip).spam?
+        flash[:alert] = 'Could not create an account. This IP is listed for spam.'
+        return render action: 'new'
+      end
+
      super
    else
      flash[:alert] = "There was an error with the reCAPTCHA code below. Please re-enter the code."
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@ -41,6 +41,8 @@
 #  recaptcha_site_key                :string
 #  recaptcha_private_key             :string
 #  metrics_port                      :integer          default(8089)
+#  ip_blocking_enabled               :boolean          default(FALSE)
+#  dns_blacklist_threshold           :float            default(0.33)
 #

 class ApplicationSetting < ActiveRecord::Base
--- a/app/views/admin/application_settings/_form.html.haml
+++ b/app/views/admin/application_settings/_form.html.haml
@ -212,6 +212,22 @@

  %fieldset
    %legend Spam and Anti-bot Protection
+    .form-group
+      .col-sm-offset-2.col-sm-10
+        .checkbox
+          = f.label :ip_blocking_enabled do
+            = f.check_box :ip_blocking_enabled
+            Enable IP check against blacklist at sign-up
+          .help-block Helps preventing accounts creation from 'known spam sources'
+
+    .form-group
+      = f.label :dnsbl_servers_list, class: 'control-label col-sm-2' do
+        DNSBL servers list
+      .col-sm-10
+        = f.text_field :dnsbl_servers_list, class: 'form-control'
+        .help-block
+          Please enter DNSBL servers separated with comma
+
    .form-group
      .col-sm-offset-2.col-sm-10
        .checkbox
--- a/db/migrate/20160118232755_add_ip_blocking_settings_to_application_settings.rb
+++ b/db/migrate/20160118232755_add_ip_blocking_settings_to_application_settings.rb
@ -0,0 +1,6 @@
+class AddIpBlockingSettingsToApplicationSettings < ActiveRecord::Migration
+  def change
+    add_column :application_settings, :ip_blocking_enabled, :boolean, default: false
+    add_column :application_settings, :dnsbl_servers_list, :text
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema.define(version: 20160119145451) do
+ActiveRecord::Schema.define(version: 20160120130905) do

  # These are extensions that must be enabled in order to support this database
  enable_extension "plpgsql"
@ -62,6 +62,8 @@ ActiveRecord::Schema.define(version: 20160119145451) do
    t.string   "recaptcha_private_key"
    t.integer  "metrics_port",                      default: 8089
    t.integer  "metrics_sample_interval",           default: 15
+    t.boolean  "ip_blocking_enabled",               default: false
+    t.text     "dnsbl_servers_list"
  end

  create_table "audit_events", force: :cascade do |t|
--- a/lib/dnsxl_check.rb
+++ b/lib/dnsxl_check.rb
@ -0,0 +1,105 @@
+require 'resolv'
+
+class DNSXLCheck
+
+  class Resolver
+    def self.search(query)
+      begin
+        Resolv.getaddress(query)
+        true
+      rescue Resolv::ResolvError
+        false
+      end
+    end
+  end
+
+  IP_REGEXP = /\A(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\z/
+  DEFAULT_THRESHOLD = 0.33
+
+  def self.create_from_list(list)
+    dnsxl_check = DNSXLCheck.new
+
+    list.each do |entry|
+      dnsxl_check.add_list(entry.domain, entry.weight)
+    end
+
+    dnsxl_check
+  end
+
+  def test(ip)
+    if use_threshold?
+      test_with_threshold(ip)
+    else
+      test_strict(ip)
+    end
+  end
+
+  def test_with_threshold(ip)
+    return false if lists.empty?
+
+    search(ip)
+    final_score >= threshold
+  end
+
+  def test_strict(ip)
+    return false if lists.empty?
+
+    search(ip)
+    @score > 0
+  end
+
+  def use_threshold=(value)
+    @use_threshold = value == true
+  end
+
+  def use_threshold?
+    @use_threshold &&= true
+  end
+
+  def threshold=(threshold)
+    raise ArgumentError, "'threshold' value must be grather than 0 and less than or equal to 1" unless threshold > 0 && threshold <= 1
+    @threshold = threshold
+  end
+
+  def threshold
+    @threshold ||= DEFAULT_THRESHOLD
+  end
+
+  def add_list(domain, weight)
+    @lists ||= []
+    @lists << { domain: domain, weight: weight }
+  end
+
+  def lists
+    @lists ||= []
+  end
+
+  private
+
+  def search(ip)
+    raise ArgumentError, "'ip' value must be in #{IP_REGEXP} format" unless ip.match(IP_REGEXP)
+
+    @score = 0
+
+    reversed = reverse_ip(ip)
+    search_in_rbls(reversed)
+  end
+
+  def reverse_ip(ip)
+    ip.split('.').reverse.join('.')
+  end
+
+  def search_in_rbls(reversed_ip)
+    lists.each do |rbl|
+      query = "#{reversed_ip}.#{rbl[:domain]}"
+      @score += rbl[:weight] if Resolver.search(query)
+    end
+  end
+
+  def final_score
+    weights = lists.map{ |rbl| rbl[:weight] }.reduce(:+).to_i
+    return 0 if weights == 0
+
+    (@score.to_f / weights.to_f).round(2)
+  end
+end
--- a/lib/gitlab/ip_check.rb
+++ b/lib/gitlab/ip_check.rb
@ -0,0 +1,34 @@
+module Gitlab
+  class IpCheck
+
+    def initialize(ip)
+      @ip = ip
+
+      application_settings = ApplicationSetting.current
+      @ip_blocking_enabled =  application_settings.ip_blocking_enabled
+      @dnsbl_servers_list = application_settings.dnsbl_servers_list
+    end
+
+    def spam?
+      @ip_blocking_enabled && blacklisted?
+    end
+
+    private
+
+    def blacklisted?
+      on_dns_blacklist?
+    end
+
+    def on_dns_blacklist?
+      dnsbl_check = DNSXLCheck.new
+      prepare_dnsbl_list(dnsbl_check)
+      dnsbl_check.test(@ip)
+    end
+
+    def prepare_dnsbl_list(dnsbl_check)
+      @dnsbl_servers_list.split(',').map(&:strip).reject(&:empty?).each do |domain|
+        dnsbl_check.add_list(domain, 1)
+      end
+    end
+  end
+end
--- a/spec/lib/dnsxl_check_spec.rb
+++ b/spec/lib/dnsxl_check_spec.rb
@ -0,0 +1,68 @@
+require 'spec_helper'
+require 'ostruct'
+
+describe 'DNSXLCheck', lib: true, no_db: true do
+  let(:spam_ip)    { '127.0.0.2' }
+  let(:no_spam_ip) { '127.0.0.3' }
+  let(:invalid_ip) { 'a.b.c.d' }
+  let!(:dnsxl_check) { DNSXLCheck.create_from_list([OpenStruct.new({ domain: 'test', weight: 1 })]) }
+
+  before(:context) do
+    class DNSXLCheck::Resolver
+      class << self
+        alias_method :old_search, :search
+        def search(query)
+          return false if query.match(/always\.failing\.domain\z/)
+          return true  if query.match(/\A2\.0\.0\.127\./)
+          return false if query.match(/\A3\.0\.0\.127\./)
+        end
+      end
+    end
+  end
+
+  describe '#test' do
+    before do
+      dnsxl_check.threshold = 0.75
+      dnsxl_check.add_list('always.failing.domain', 1)
+    end
+
+    context 'when threshold is used' do
+      before { dnsxl_check.use_threshold= true }
+
+      it { expect(dnsxl_check.test(spam_ip)).to be_falsey }
+    end
+
+    context 'when threshold is not used' do
+      before { dnsxl_check.use_threshold= false }
+
+      it { expect(dnsxl_check.test(spam_ip)).to be_truthy }
+    end
+  end
+
+  describe '#test_with_threshold' do
+    it { expect{ dnsxl_check.test_with_threshold(invalid_ip) }.to raise_error(ArgumentError) }
+
+    it { expect(dnsxl_check.test_with_threshold(spam_ip)).to    be_truthy }
+    it { expect(dnsxl_check.test_with_threshold(no_spam_ip)).to be_falsey }
+  end
+
+  describe '#test_strict' do
+    before do
+      dnsxl_check.threshold = 1
+      dnsxl_check.add_list('always.failing.domain', 1)
+    end
+
+    it { expect{ dnsxl_check.test_strict(invalid_ip) }.to raise_error(ArgumentError) }
+
+    it { expect(dnsxl_check.test_with_threshold(spam_ip)).to    be_falsey }
+    it { expect(dnsxl_check.test_with_threshold(no_spam_ip)).to be_falsey }
+    it { expect(dnsxl_check.test_strict(spam_ip)).to    be_truthy }
+    it { expect(dnsxl_check.test_strict(no_spam_ip)).to be_falsey }
+  end
+
+  describe '#threshold=' do
+    it { expect{ dnsxl_check.threshold = 0   }.to     raise_error(ArgumentError) }
+    it { expect{ dnsxl_check.threshold = 1.1 }.to     raise_error(ArgumentError) }
+    it { expect{ dnsxl_check.threshold = 0.5 }.not_to raise_error }
+  end
+end