Block requests from Tor to Marketplace.

caravel/controllers/listings.py

@@ -7,7 +7,7 @@
 
 from werkzeug.routing import BaseConverter
 
-from caravel import app, model
+from caravel import app, model, utils
 from caravel.controllers import forms
 
 from google.appengine.api import users
@@ -16,6 +16,8 @@
 import datetime
 import math
 
+TOR_DETECTOR = utils.TorDetector()
+
 # Allow Listings in route URLs.
 class ListingConverter(BaseConverter):
     def to_python(self, value):
@@ -55,6 +57,10 @@ def login_url():
 def logout_url():
     return users.create_logout_url(request.url.encode("utf-8"))
 
+@app.template_global()
+def is_from_tor():
+    return TOR_DETECTOR.is_tor_exit_node(request.remote_addr)
+
 @app.context_processor
 def inject_globals():
     """Adds the categories and user info into the view."""
@@ -137,6 +143,9 @@ def show_listing(listing):
 
     form = forms.InquiryForm()
     if form.validate_on_submit():
+        if is_from_tor():
+            abort(403)
+
         inquiry = model.UnapprovedInquiry(listing=listing.key)
         form.populate_obj(inquiry)
         inquiry.put()
@@ -151,6 +160,9 @@ def edit_listing(listing):
     Edits a listing.
     """
 
+    if is_from_tor():
+        abort(403)
+
     form = forms.EditListingForm(obj=listing)
 
     if form.validate_on_submit():
@@ -167,6 +179,9 @@ def new_listing():
     Creates or removes a listing.
     """
 
+    if is_from_tor():
+        abort(403)
+
     form = forms.NewListingForm()
 
     if form.validate_on_submit():

caravel/templates/header.html

@@ -46,8 +46,10 @@ <h1 class="branding">
       </div>
     </form>
     <div class="user-button-container">
+      {% if not is_from_tor() %}
       <a href="{{ url_for('new_listing') }}" class="btn btn-default btn-user">
         New Listing</a>
+      {% endif %}
       <div class="btn-group btn-user">
         <a href="{{ url_for('search_listings', q=request.args.q,
                       v='th') }}"

caravel/templates/listings/fullpage.html

@@ -34,6 +34,7 @@ <h2>{{ listing.title }}</h2>
       </p>
       <p style="white-space:pre-wrap">{{ listing.body }}</p>
     </div>
+    {% if not is_from_tor() %}
     <div class="col-md-3">
     {% if current_user and listing.principal.email == current_user.email() %}
       <div class="panel panel-default">
@@ -85,5 +86,6 @@ <h3 class="panel-title">Contact Seller</h3>
         </div>
       </div>
     {% endif %}
+    {% endif %}
   </div>
 </div>

caravel/utils/__init__.py

@@ -1,2 +1,3 @@
 from caravel.utils.principals import Principal, Device
-from caravel.utils.emails import send_mail
+from caravel.utils.emails import send_mail
+from caravel.utils.tor import TorDetector

caravel/utils/tor.py

@@ -0,0 +1,37 @@
+import threading
+import time
+import urllib
+import re
+
+EXIT_NODES_URL = "https://check.torproject.org/exit-addresses"
+
+class TorDetector(object):
+    def __init__(self):
+        """
+        Initializes this Tor detector object.
+        """
+
+        self.lock = threading.Lock()
+        self.exit_nodes = []
+        self.last_update = None
+
+    def _update(self):
+        """
+        Updates the list of Tor exit nodes from the Tor project.
+        """
+
+        if not self.last_update or (time.time() - self.last_update) > 3600:
+            data = urllib.urlopen(EXIT_NODES_URL).read()
+            matches = re.finditer(r'ExitAddress ([^ ]+)', data)
+
+            self.exit_nodes = set([x.group(1) for x in matches])
+            self.last_update = time.time()
+
+    def is_tor_exit_node(self, ip_address):
+        """
+        Returns True if the given IP address is a Tor exit node.
+        """
+
+        with self.lock:
+            self._update()
+            return ip_address in self.exit_nodes

index.yaml

@@ -15,4 +15,3 @@ indexes:
   - name: keywords
   - name: posted_at
     direction: desc
-