From 3cefc5d7df09dbc21cd9c892bc6c62b5b583ca6a Mon Sep 17 00:00:00 2001
From: Mayra Cabrera <mcabrera@gitlab.com>
Date: Wed, 24 Jul 2019 19:49:31 +0000
Subject: Add RateLimiter to RawController

* Limits raw requests to 300 per minute and per raw path.
* Add a new attribute to ApplicationSettings so user can change this
value on their instance.
* Uses Gitlab::ActionRateLimiter to limit the raw requests.
* Add a new method into ActionRateLimiter to log the event into auth.log

Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/48717
---
 spec/controllers/projects/raw_controller_spec.rb   |  95 +++++++++++++++++++
 spec/lib/gitlab/action_rate_limiter_spec.rb        | 101 ++++++++++++++++++---
 .../application_settings/update_service_spec.rb    |  16 ++++
 3 files changed, 201 insertions(+), 11 deletions(-)

(limited to 'spec')

diff --git a/spec/controllers/projects/raw_controller_spec.rb b/spec/controllers/projects/raw_controller_spec.rb
index 97acd47b4da..8ee3168273f 100644
--- a/spec/controllers/projects/raw_controller_spec.rb
+++ b/spec/controllers/projects/raw_controller_spec.rb
@@ -3,6 +3,8 @@
 require 'spec_helper'
 
 describe Projects::RawController do
+  include RepoHelpers
+
   let(:project) { create(:project, :public, :repository) }
 
   describe 'GET #show' do
@@ -46,5 +48,98 @@ describe Projects::RawController do
       let(:filename) { 'lfs_object.iso' }
       let(:filepath) { "be93687/files/lfs/#{filename}" }
     end
+
+    context 'when the endpoint receives requests above the limit', :clean_gitlab_redis_cache do
+      let(:file_path) { 'master/README.md' }
+
+      before do
+        stub_application_setting(raw_blob_request_limit: 5)
+      end
+
+      it 'prevents from accessing the raw file' do
+        execute_raw_requests(requests: 6, project: project, file_path: file_path)
+
+        expect(flash[:alert]).to eq('You cannot access the raw file. Please wait a minute.')
+        expect(response).to redirect_to(project_blob_path(project, file_path))
+      end
+
+      it 'logs the event on auth.log' do
+        attributes = {
+          message: 'Action_Rate_Limiter_Request',
+          env: :raw_blob_request_limit,
+          ip: '0.0.0.0',
+          request_method: 'GET',
+          fullpath: "/#{project.full_path}/raw/#{file_path}"
+        }
+
+        expect(Gitlab::AuthLogger).to receive(:error).with(attributes).once
+
+        execute_raw_requests(requests: 6, project: project, file_path: file_path)
+      end
+
+      context 'when the request uses a different version of a commit' do
+        it 'prevents from accessing the raw file' do
+          # 3 times with the normal sha
+          commit_sha = project.repository.commit.sha
+          file_path = "#{commit_sha}/README.md"
+
+          execute_raw_requests(requests: 3, project: project, file_path: file_path)
+
+          # 3 times with the modified version
+          modified_sha = commit_sha.gsub(commit_sha[0..5], commit_sha[0..5].upcase)
+          modified_path = "#{modified_sha}/README.md"
+
+          execute_raw_requests(requests: 3, project: project, file_path: modified_path)
+
+          expect(flash[:alert]).to eq('You cannot access the raw file. Please wait a minute.')
+          expect(response).to redirect_to(project_blob_path(project, modified_path))
+        end
+      end
+
+      context 'when the throttling has been disabled' do
+        before do
+          stub_application_setting(raw_blob_request_limit: 0)
+        end
+
+        it 'does not prevent from accessing the raw file' do
+          execute_raw_requests(requests: 10, project: project, file_path: file_path)
+
+          expect(response).to have_gitlab_http_status(200)
+        end
+      end
+
+      context 'with case-sensitive files' do
+        it 'prevents from accessing the specific file' do
+          create_file_in_repo(project, 'master', 'master', 'readme.md', 'Add readme.md')
+          create_file_in_repo(project, 'master', 'master', 'README.md', 'Add README.md')
+
+          commit_sha = project.repository.commit.sha
+          file_path = "#{commit_sha}/readme.md"
+
+          # Accessing downcase version of readme
+          execute_raw_requests(requests: 6, project: project, file_path: file_path)
+
+          expect(flash[:alert]).to eq('You cannot access the raw file. Please wait a minute.')
+          expect(response).to redirect_to(project_blob_path(project, file_path))
+
+          # Accessing upcase version of readme
+          file_path = "#{commit_sha}/README.md"
+
+          execute_raw_requests(requests: 1, project: project, file_path: file_path)
+
+          expect(response).to have_gitlab_http_status(200)
+        end
+      end
+    end
+  end
+
+  def execute_raw_requests(requests:, project:, file_path:)
+    requests.times do
+      get :show, params: {
+        namespace_id: project.namespace,
+        project_id: project,
+        id: file_path
+      }
+    end
   end
 end
diff --git a/spec/lib/gitlab/action_rate_limiter_spec.rb b/spec/lib/gitlab/action_rate_limiter_spec.rb
index 542fc03e555..cf266a25819 100644
--- a/spec/lib/gitlab/action_rate_limiter_spec.rb
+++ b/spec/lib/gitlab/action_rate_limiter_spec.rb
@@ -1,11 +1,9 @@
 require 'spec_helper'
 
-describe Gitlab::ActionRateLimiter do
+describe Gitlab::ActionRateLimiter, :clean_gitlab_redis_cache do
   let(:redis) { double('redis') }
   let(:user) { create(:user) }
   let(:project) { create(:project) }
-  let(:key) { [user, project] }
-  let(:cache_key) { "action_rate_limiter:test_action:user:#{user.id}:project:#{project.id}" }
 
   subject { described_class.new(action: :test_action, expiry_time: 100) }
 
@@ -13,17 +11,98 @@ describe Gitlab::ActionRateLimiter do
     allow(Gitlab::Redis::Cache).to receive(:with).and_yield(redis)
   end
 
-  it 'increases the throttle count and sets the expire time' do
-    expect(redis).to receive(:incr).with(cache_key).and_return(1)
-    expect(redis).to receive(:expire).with(cache_key, 100)
+  shared_examples 'action rate limiter' do
+    it 'increases the throttle count and sets the expiration time' do
+      expect(redis).to receive(:incr).with(cache_key).and_return(1)
+      expect(redis).to receive(:expire).with(cache_key, 100)
 
-    expect(subject.throttled?(key, 1)).to be false
+      expect(subject.throttled?(key, 1)).to be_falsy
+    end
+
+    it 'returns true if the key is throttled' do
+      expect(redis).to receive(:incr).with(cache_key).and_return(2)
+      expect(redis).not_to receive(:expire)
+
+      expect(subject.throttled?(key, 1)).to be_truthy
+    end
+
+    context 'when throttling is disabled' do
+      it 'returns false and does not set expiration time' do
+        expect(redis).not_to receive(:incr)
+        expect(redis).not_to receive(:expire)
+
+        expect(subject.throttled?(key, 0)).to be_falsy
+      end
+    end
+  end
+
+  context 'when the key is an array of only ActiveRecord models' do
+    let(:key) { [user, project] }
+
+    let(:cache_key) do
+      "action_rate_limiter:test_action:user:#{user.id}:project:#{project.id}"
+    end
+
+    it_behaves_like 'action rate limiter'
+  end
+
+  context 'when they key a combination of ActiveRecord models and strings' do
+    let(:project) { create(:project, :public, :repository) }
+    let(:commit) { project.repository.commit }
+    let(:path) { 'app/controllers/groups_controller.rb' }
+    let(:key) { [project, commit, path] }
+
+    let(:cache_key) do
+      "action_rate_limiter:test_action:project:#{project.id}:commit:#{commit.sha}:#{path}"
+    end
+
+    it_behaves_like 'action rate limiter'
   end
 
-  it 'returns true if the key is throttled' do
-    expect(redis).to receive(:incr).with(cache_key).and_return(2)
-    expect(redis).not_to receive(:expire)
+  describe '#log_request' do
+    let(:file_path) { 'master/README.md' }
+    let(:type) { :raw_blob_request_limit }
+    let(:fullpath) { "/#{project.full_path}/raw/#{file_path}" }
+
+    let(:request) do
+      double('request', ip: '127.0.0.1', request_method: 'GET', fullpath: fullpath)
+    end
+
+    let(:base_attributes) do
+      {
+        message: 'Action_Rate_Limiter_Request',
+        env: type,
+        ip: '127.0.0.1',
+        request_method: 'GET',
+        fullpath: fullpath
+      }
+    end
+
+    context 'without a current user' do
+      let(:current_user) { nil }
+
+      it 'logs information to auth.log' do
+        expect(Gitlab::AuthLogger).to receive(:error).with(base_attributes).once
+
+        subject.log_request(request, type, current_user)
+      end
+    end
+
+    context 'with a current_user' do
+      let(:current_user) { create(:user) }
+
+      let(:attributes) do
+        base_attributes.merge({
+          user_id: current_user.id,
+          username: current_user.username
+        })
+      end
+
+      it 'logs information to auth.log' do
+        expect(Gitlab::AuthLogger).to receive(:error).with(attributes).once
 
-    expect(subject.throttled?(key, 1)).to be true
+        subject.log_request(request, type, current_user)
+      end
+    end
   end
 end
diff --git a/spec/services/application_settings/update_service_spec.rb b/spec/services/application_settings/update_service_spec.rb
index a641828faa5..33cd1f37ff6 100644
--- a/spec/services/application_settings/update_service_spec.rb
+++ b/spec/services/application_settings/update_service_spec.rb
@@ -180,4 +180,20 @@ describe ApplicationSettings::UpdateService do
       described_class.new(application_settings, admin, { home_page_url: 'http://foo.bar' }).execute
     end
   end
+
+  context 'when raw_blob_request_limit is passsed' do
+    let(:params) do
+      {
+        raw_blob_request_limit: 600
+      }
+    end
+
+    it 'updates raw_blob_request_limit value' do
+      subject.execute
+
+      application_settings.reload
+
+      expect(application_settings.raw_blob_request_limit).to eq(600)
+    end
+  end
 end
-- 
cgit v1.2.1