author | GitLab Bot <gitlab-bot@gitlab.com> | 2019-09-27 00:06:29 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2019-09-27 00:06:29 +0300 |
commit | 430999251558db3c64b4adfc6e2b4fb771f6cd48 (patch) | |
tree | dd8bb7eab17ab8072179b9636bde34ec67ea17f5 /config | |
parent | e66d6781ef36e39d15b1b9bc84cc30e87969edad (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'config')
-rw-r--r-- | config/initializers/rack_attack_logging.rb | 10 | ||||
-rw-r--r-- | config/initializers/rack_attack_new.rb (renamed from config/initializers/rack_attack_global.rb) | 56 |
2 files changed, 65 insertions, 1 deletions
diff --git a/config/initializers/rack_attack_logging.rb b/config/initializers/rack_attack_logging.rb
index b43fff24bb0..be7c2175cb2 100644
--- a/config/initializers/rack_attack_logging.rb
+++ b/config/initializers/rack_attack_logging.rb
@@ -12,10 +12,18 @@ ActiveSupport::Notifications.subscribe('rack.attack') do |name, start, finish, r
path: req.fullpath
}
- if %w(throttle_authenticated_api throttle_authenticated_web).include? req.env['rack.attack.matched']
+ throttles_with_user_information = [
+ :throttle_authenticated_api,
+ :throttle_authenticated_web,
+ :throttle_authenticated_protected_paths_api,
+ :throttle_authenticated_protected_paths_web
+ ]
+
+ if throttles_with_user_information.include? req.env['rack.attack.matched'].to_sym
user_id = req.env['rack.attack.match_discriminator']
user = User.find_by(id: user_id)
+ rack_attack_info[:throttle_type] = req.env['rack.attack.matched']
rack_attack_info[:user_id] = user_id
rack_attack_info[:username] = user.username unless user.nil?
end
diff --git a/config/initializers/rack_attack_global.rb b/config/initializers/rack_attack_new.rb
index 7f0439ef9bf..2812ceb3fd5 100644
--- a/config/initializers/rack_attack_global.rb
+++ b/config/initializers/rack_attack_new.rb
@@ -3,6 +3,15 @@ module Gitlab::Throttle
Gitlab::CurrentSettings.current_application_settings
end
+ def self.protected_paths_enabled?
+ !self.omnibus_protected_paths_present? &&
+ self.settings.throttle_protected_paths_enabled?
+ end
+
+ def self.omnibus_protected_paths_present?
+ Rack::Attack.throttles.key?('protected paths')
+ end
+
def self.unauthenticated_options
limit_proc = proc { |req| settings.throttle_unauthenticated_requests_per_period }
period_proc = proc { |req| settings.throttle_unauthenticated_period_in_seconds.seconds }
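Review bot: `rack_attack_info[:throttle_type]` is assigned only inside the `if` for the four user-bearing throttles, so events from the unauthenticated throttles — including the new `throttle_unauthenticated_protected_paths`, which is the one that fires on anonymous credential guessing if sign-in is among the configured protected paths — are still logged without a throttle type, and a detection rule cannot tell them apart from a plain unauthenticated rate limit. Move the assignment above the `if` so every event carries it: `rack_attack_info[:throttle_type] = req.env['rack.attack.matched']` as the first statement after the hash literal. Separately, `.to_sym` raises `NoMethodError` if `rack.attack.matched` is ever absent, where the old `%w(...).include?` test was nil-safe; `req.env['rack.attack.matched']&.to_sym` (or keeping the list as strings) keeps the subscriber from failing inside the request path. The subscribe block starts and ends outside the hunk.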
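Review bot: `protected_paths_enabled?` lets an Omnibus-defined throttle named `'protected paths'` silently win over the admin setting `throttle_protected_paths_enabled?`, and nothing in the code says why, so the next reader will see an enabled setting with no effect and treat it as a bug. Add a comment above the method along the lines of `# Omnibus may still define its own 'protected paths' throttle; while it exists the application setting is ignored so the two do not run side by side.` — the "do not run side by side" rationale is my inference, so state the real reason if it differs. The explicit `self.` receivers on `omnibus_protected_paths_present?` and `settings` are redundant (RuboCop Style/RedundantSelf) and can be dropped.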
@@ -20,6 +29,13 @@ module Gitlab::Throttle
period_proc = proc { |req| settings.throttle_authenticated_web_period_in_seconds.seconds }
{ limit: limit_proc, period: period_proc }
end
+
+ def self.protected_paths_options
+ limit_proc = proc { |req| settings.throttle_protected_paths_requests_per_period }
+ period_proc = proc { |req| settings.throttle_protected_paths_period_in_seconds.seconds }
+
+ { limit: limit_proc, period: period_proc }
+ end
end
class Rack::Attack
@@ -42,6 +58,28 @@ class Rack::Attack
req.authenticated_user_id([:api, :rss, :ics])
end
+ throttle('throttle_unauthenticated_protected_paths', Gitlab::Throttle.protected_paths_options) do |req|
+ Gitlab::Throttle.protected_paths_enabled? &&
+ req.unauthenticated? &&
+ !req.should_be_skipped? &&
+ req.protected_path? &&
+ req.ip
+ end
+
+ throttle('throttle_authenticated_protected_paths_api', Gitlab::Throttle.protected_paths_options) do |req|
+ Gitlab::Throttle.protected_paths_enabled? &&
+ req.api_request? &&
+ req.protected_path? &&
+ req.authenticated_user_id([:api])
+ end
+
+ throttle('throttle_authenticated_protected_paths_web', Gitlab::Throttle.protected_paths_options) do |req|
+ Gitlab::Throttle.protected_paths_enabled? &&
+ req.web_request? &&
+ req.protected_path? &&
+ req.authenticated_user_id([:api, :rss, :ics])
+ end
+
class Request
def unauthenticated?
!authenticated_user_id([:api, :rss, :ics])
@@ -66,6 +104,24 @@ class Rack::Attack
def web_request?
!api_request?
end
+
+ def protected_path?
+ !protected_path_regex.nil?
+ end
+
+ def protected_path_regex
+ path =~ protected_paths_regex
+ end
+
+ private
+
+ def protected_paths
+ Gitlab::CurrentSettings.current_application_settings.protected_paths
+ end
+
+ def protected_paths_regex
+ Regexp.union(protected_paths.map { |path| /\A#{Regexp.escape(path)}/ })
+ end
end
end
|
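Review bot: `throttle_unauthenticated_protected_paths` keys its counter on `req.ip`, which is `Rack::Request#ip` and therefore depends on which proxies Rack is configured to trust for `X-Forwarded-For`: if the reverse proxy in front of GitLab is not trusted every client shares one bucket and a single attacker can lock everyone out of the protected paths, and if trust is too broad a client can rotate a forged header to escape the limit. The existing unauthenticated throttle presumably has the same exposure, but this one now guards sign-in style endpoints, so a comment on the `req.ip` line such as `# discriminator is the client IP as Rack sees it; only correct if trusted_proxies matches the deployment's proxy chain` is worth adding. Note also that every configured protected path shares one counter per IP, so traffic to one protected path consumes the budget for the others; if that is intended, say so in the same comment. Whether the two authenticated variants should also check `!req.should_be_skipped?` like the unauthenticated one cannot be judged from this hunk, since the existing authenticated throttles' conditions lie outside it.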
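Review bot: `protected_path_regex` matches `path` exactly as received, with no normalisation, so a request that reaches the same action through a differently spelled path — a percent-encoded character (`/users/sign%5Fin`), a doubled or trailing slash — would not match the `\A`-anchored prefix and would bypass the throttle if the routing layer decodes or normalises before dispatch; confirm what the router does and match against the same canonical form here. `protected_path?` can also drop the `=~`/`nil?` detour, which allocates match state on every request: `def protected_path?` / `protected_paths_regex.match?(path)` / `end`, keeping `protected_path_regex` for any caller that needs the index. `protected_paths_regex` rebuilds the `Regexp.union` on every request from `current_application_settings`; memoising it keyed on the `protected_paths` array would avoid that. `Regexp.escape` on each admin-supplied path is the right call and should stay.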