author | Francisco Javier López <fjlopez@gitlab.com> | 2018-02-15 16:54:36 +0000 |
committer | Douwe Maan <douwe@gitlab.com> | 2018-02-15 16:54:36 +0000 |
commit | 5ddd576c7e93da1c97b81af90f65e1f368266547 (patch) | |
tree | e11e5af31745f2f053354715a0f48dba10a50e3d | |
parent | e5df66e1af47ea9bbd526657f9af913618e6f3ee (diff) | |
Remove internal api calls from the rack::attack throttling
-rw-r--r-- | changelogs/unreleased/fj-42910-unauthenticated-limit-via-ssh.yml | 5 | ||||
-rw-r--r-- | config/initializers/rack_attack_global.rb | 5 | ||||
-rw-r--r-- | spec/requests/rack_attack_global_spec.rb | 10 |
3 files changed, 20 insertions, 0 deletions
diff --git a/changelogs/unreleased/fj-42910-unauthenticated-limit-via-ssh.yml b/changelogs/unreleased/fj-42910-unauthenticated-limit-via-ssh.yml
new file mode 100644
index 00000000000..cef339ef787
--- /dev/null
+++ b/changelogs/unreleased/fj-42910-unauthenticated-limit-via-ssh.yml
@@ -0,0 +1,5 @@
+---
+title: Fixed bug with unauthenticated requests through git ssh
+merge_request: 17149
+author:
+type: fixed
diff --git a/config/initializers/rack_attack_global.rb b/config/initializers/rack_attack_global.rb
index 9453df2ec5a..a90516eee7d 100644
--- a/config/initializers/rack_attack_global.rb
+++ b/config/initializers/rack_attack_global.rb
@@ -26,6 +26,7 @@ class Rack::Attack
 throttle('throttle_unauthenticated', Gitlab::Throttle.unauthenticated_options) do |req|
 Gitlab::Throttle.settings.throttle_unauthenticated_enabled &&
 req.unauthenticated? &&
+ !req.api_internal_request? &&
 req.ip
 end
@@ -54,6 +55,10 @@ class Rack::Attack
 path.start_with?('/api')
 end
+ def api_internal_request?
+ path =~ %r{^/api/v\d+/internal/}
+ end
+
 def web_request?
 !api_request?
 end
diff --git a/spec/requests/rack_attack_global_spec.rb b/spec/requests/rack_attack_global_spec.rb
index 0fec14d0cce..b18e922b063 100644
--- a/spec/requests/rack_attack_global_spec.rb
+++ b/spec/requests/rack_attack_global_spec.rb
@@ -22,6 +22,7 @@ describe 'Rack Attack global throttles' do
 let(:url_that_does_not_require_authentication) { '/users/sign_in' }
 let(:url_that_requires_authentication) { '/dashboard/snippets' }
+ let(:url_api_internal) { '/api/v4/internal/check' }
 let(:api_partial_url) { '/todos' }
 around do |example|
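Review bot: `api_internal_request?` in the second rack_attack_global.rb hunk exempts a request from the unauthenticated throttle on the path alone, so an unauthenticated request to any `/api/v<N>/internal/` path is no longer rate limited whether or not it carries the shared secret that the spec passes as `secret_token`; the endpoints presumably still reject a bad token, but this throttle appears to have been the per-IP bound on repeated attempts against them. Consider scoping the exemption to requests that actually validate as internal calls, or at least record the trade-off above the method: `# Internal API calls (git over SSH via gitlab-shell) are excluded from the unauthenticated throttle; the endpoint itself authenticates them with the shared secret`. Separately, `^` anchors at line start rather than string start in Ruby and `=~` builds a MatchData that is never used, so the predicate reads better as `path.match?(%r{\A/api/v\d+/internal/})`. The class that defines `path` starts outside the hunk.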
@@ -172,6 +173,15 @@ describe 'Rack Attack global throttles' do
 get url_that_does_not_require_authentication
 expect(response).to have_http_status 200
 end
+
+ context 'when the request is to the api internal endpoints' do
+ it 'allows requests over the rate limit' do
+ (1 + requests_per_period).times do
+ get url_api_internal, secret_token: Gitlab::Shell.secret_token
+ expect(response).to have_http_status 200
+ end
+ end
+ end
 end
 context 'when the throttle is disabled' do |
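Review bot: The new context only exercises an internal-API request that carries `Gitlab::Shell.secret_token`, so the spec never states whether a request to the same prefix without the token is meant to stay throttled or is also exempt; since the initializer decides by path alone, both cases currently behave the same, and a second example for the token-less request would make that decision explicit and catch a later change to it. It would also help to name the reason in the description, e.g. `it 'allows requests over the rate limit (gitlab-shell internal calls)'`. `requests_per_period` and the surrounding describe block are defined outside the hunk.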