author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-09-29 13:00:10 +0000 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-09-29 13:00:27 +0000 |
commit | 003d8b5eac3aa173a7061b82d84ffaf28e8024f6 (patch) | |
tree | b87970a41714669fd6b40b84db245bcaeebad3dd /lib/gitlab | |
parent | 95328dd30a55cb66da05352131e7a981b44e1348 (diff) | |
download | gitlab-ce-003d8b5eac3aa173a7061b82d84ffaf28e8024f6.tar.gz |
Add latest changes from gitlab-org/security/gitlab@14-3-stable-ee
Diffstat (limited to 'lib/gitlab')
-rw-r--r-- | lib/gitlab/auth/auth_finders.rb | 4 | ||||
-rw-r--r-- | lib/gitlab/auth/request_authenticator.rb | 24 |
2 files changed, 25 insertions, 3 deletions
diff --git a/lib/gitlab/auth/auth_finders.rb b/lib/gitlab/auth/auth_finders.rb
index f6ee08defcf..9c33a5fc872 100644
--- a/lib/gitlab/auth/auth_finders.rb
+++ b/lib/gitlab/auth/auth_finders.rb
@@ -342,6 +342,10 @@ module Gitlab
 Gitlab::PathRegex.repository_git_lfs_route_regex.match?(current_request.path)
 end
 
+ def git_or_lfs_request?
+ git_request? || git_lfs_request?
+ end
+
 def archive_request?
 current_request.path.include?('/-/archive/')
 end
diff --git a/lib/gitlab/auth/request_authenticator.rb b/lib/gitlab/auth/request_authenticator.rb
index dfc682e8a5c..08214bbd449 100644
--- a/lib/gitlab/auth/request_authenticator.rb
+++ b/lib/gitlab/auth/request_authenticator.rb
@@ -35,13 +35,31 @@ module Gitlab
 find_user_from_static_object_token(request_format) ||
 find_user_from_basic_auth_job ||
 find_user_from_job_token ||
- find_user_from_lfs_token ||
- find_user_from_personal_access_token ||
- find_user_from_basic_auth_password
+ find_user_from_personal_access_token_for_api_or_git ||
+ find_user_for_git_or_lfs_request
 rescue Gitlab::Auth::AuthenticationError
 nil
 end
 
+ # To prevent Rack Attack from incorrectly rate limiting
+ # authenticated Git activity, we need to authenticate the user
+ # from other means (e.g. HTTP Basic Authentication) only if the
+ # request originated from a Git or Git LFS
+ # request. Repositories::GitHttpClientController or
+ # Repositories::LfsApiController normally does the authentication,
+ # but Rack Attack runs before those controllers.
+ def find_user_for_git_or_lfs_request
+ return unless git_or_lfs_request?
+
+ find_user_from_lfs_token || find_user_from_basic_auth_password
+ end
+
+ def find_user_from_personal_access_token_for_api_or_git
+ return unless api_request? || git_or_lfs_request?
+
+ find_user_from_personal_access_token
+ end
+
 def valid_access_token?(scopes: [])
 validate_access_token!(scopes: scopes)
 
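Review bot: `git_or_lfs_request?` in auth_finders.rb is added without any comment, even though the sibling change in request_authenticator.rb uses it to decide whether request-level authentication (the path Rack Attack sees) may consult LFS-token or Basic-Auth credentials at all, so its meaning is security-relevant rather than a mere convenience alias. A one-line YARD note would make that contract explicit: `# @return [Boolean] true when the current request is routed to a Git HTTP or Git LFS endpoint; gates request-level credential lookup before the controllers run.` `git_request?` is not visible in this hunk, so the note assumes it is the path-based counterpart of the `repository_git_lfs_route_regex` check shown in the context lines; the enclosing module begins and ends outside the hunk.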
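Review bot: `find_user_from_personal_access_token_for_api_or_git` in request_authenticator.rb has no comment, while `find_user_for_git_or_lfs_request` directly above it carries a seven-line rationale; a reader will not know why a personal access token is honoured only for `api_request?` or `git_or_lfs_request?`, and that for every other request type the chain now falls through to `nil` so the credential is deliberately left for the controller to authenticate. Suggested comment on the new method: `# Personal access tokens are resolved here only for API and Git/LFS traffic; any other request is not pre-authenticated at this layer (see find_user_for_git_or_lfs_request for the Rack Attack rationale).` Separately, the old chain tried `find_user_from_lfs_token` before `find_user_from_personal_access_token`, whereas the new chain tries the PAT finder first for Git/LFS requests; if both finders read the same Basic-Auth credential, the swap changes which one returns or raises `Gitlab::Auth::AuthenticationError` first, so it is worth confirming the reordering is intended and covered by a spec. `api_request?` is not defined in this hunk and `valid_access_token?` continues outside it.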