1 files changed, 17 insertions, 0 deletions

diff --git a/lib/api/project_export.rb b/lib/api/project_export.rb
index e34ed0bdb44..ef6a8f1a396 100644
--- a/lib/api/project_export.rb
+++ b/lib/api/project_export.rb
@@ -2,6 +2,15 @@
 
 module API
   class ProjectExport < Grape::API
+    helpers do
+      def throttled?(action)
+        rate_limiter.throttled?(action, scope: [current_user, action, user_project])
+      end
+
+      def rate_limiter
+        ::Gitlab::ApplicationRateLimiter
+      end
+    end
     before do
       not_found! unless Gitlab::CurrentSettings.project_export_enabled?
       authorize_admin_project
@@ -23,6 +32,10 @@ module API
         detail 'This feature was introduced in GitLab 10.6.'
       end
       get ':id/export/download' do
+        if throttled?(:project_download_export)
+          render_api_error!({ error: 'This endpoint has been requested too many times. Try again later.' }, 429)
+        end
+
         if user_project.export_file_exists?
           present_carrierwave_file!(user_project.export_file)
         else
@@ -41,6 +54,10 @@ module API
         end
       end
       post ':id/export' do
+        if throttled?(:project_export)
+          render_api_error!({ error: 'This endpoint has been requested too many times. Try again later.' }, 429)
+        end
+
         project_export_params = declared_params(include_missing: false)
         after_export_params = project_export_params.delete(:upload) || {}