From 5ddd576c7e93da1c97b81af90f65e1f368266547 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Francisco=20Javier=20L=C3=B3pez?= Date: Thu, 15 Feb 2018 16:54:36 +0000 Subject: Remove internal api calls from the rack::attack throttling --- .../unreleased/fj-42910-unauthenticated-limit-via-ssh.yml | 5 +++++ config/initializers/rack_attack_global.rb | 5 +++++ spec/requests/rack_attack_global_spec.rb | 10 ++++++++++ 3 files changed, 20 insertions(+) create mode 100644 changelogs/unreleased/fj-42910-unauthenticated-limit-via-ssh.yml diff --git a/changelogs/unreleased/fj-42910-unauthenticated-limit-via-ssh.yml b/changelogs/unreleased/fj-42910-unauthenticated-limit-via-ssh.yml new file mode 100644 index 00000000000..cef339ef787 --- /dev/null +++ b/changelogs/unreleased/fj-42910-unauthenticated-limit-via-ssh.yml @@ -0,0 +1,5 @@ +--- +title: Fixed bug with unauthenticated requests through git ssh +merge_request: 17149 +author: +type: fixed diff --git a/config/initializers/rack_attack_global.rb b/config/initializers/rack_attack_global.rb index 9453df2ec5a..a90516eee7d 100644 --- a/config/initializers/rack_attack_global.rb +++ b/config/initializers/rack_attack_global.rb @@ -26,6 +26,7 @@ class Rack::Attack throttle('throttle_unauthenticated', Gitlab::Throttle.unauthenticated_options) do |req| Gitlab::Throttle.settings.throttle_unauthenticated_enabled && req.unauthenticated? && + !req.api_internal_request? && req.ip end @@ -54,6 +55,10 @@ class Rack::Attack path.start_with?('/api') end + def api_internal_request? + path =~ %r{^/api/v\d+/internal/} + end + def web_request? !api_request? end diff --git a/spec/requests/rack_attack_global_spec.rb b/spec/requests/rack_attack_global_spec.rb index 0fec14d0cce..b18e922b063 100644 --- a/spec/requests/rack_attack_global_spec.rb +++ b/spec/requests/rack_attack_global_spec.rb @@ -22,6 +22,7 @@ describe 'Rack Attack global throttles' do let(:url_that_does_not_require_authentication) { '/users/sign_in' } let(:url_that_requires_authentication) { '/dashboard/snippets' } + let(:url_api_internal) { '/api/v4/internal/check' } let(:api_partial_url) { '/todos' } around do |example| @@ -172,6 +173,15 @@ describe 'Rack Attack global throttles' do get url_that_does_not_require_authentication expect(response).to have_http_status 200 end + + context 'when the request is to the api internal endpoints' do + it 'allows requests over the rate limit' do + (1 + requests_per_period).times do + get url_api_internal, secret_token: Gitlab::Shell.secret_token + expect(response).to have_http_status 200 + end + end + end end context 'when the throttle is disabled' do -- cgit v1.2.1