authorGitLab Bot <gitlab-bot@gitlab.com>2021-10-20 11:43:02 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2021-10-20 11:43:02 +0300
commitd9ab72d6080f594d0b3cae15f14b3ef2c6c638cb (patch)
tree2341ef426af70ad1e289c38036737e04b0aa5007 /lib/gitlab/rack_attack
parentd6e514dd13db8947884cd58fe2a9c2a063400a9b (diff)
Add latest changes from gitlab-org/gitlab@14-4-stable-eev14.4.0-rc42
Diffstat (limited to 'lib/gitlab/rack_attack')
-rw-r--r--lib/gitlab/rack_attack/instrumented_cache_store.rb9
-rw-r--r--lib/gitlab/rack_attack/request.rb23
2 files changed, 28 insertions, 4 deletions
diff --git a/lib/gitlab/rack_attack/instrumented_cache_store.rb b/lib/gitlab/rack_attack/instrumented_cache_store.rb
index 8cf9082384f..d8beb259fba 100644
--- a/lib/gitlab/rack_attack/instrumented_cache_store.rb
+++ b/lib/gitlab/rack_attack/instrumented_cache_store.rb
@@ -2,9 +2,10 @@
module Gitlab
module RackAttack
- # This class is a proxy for all Redis calls made by RackAttack. All the
- # calls are instrumented, then redirected to ::Rails.cache. This class
- # instruments the standard interfaces of ActiveRecord::Cache defined in
+ # This class is a proxy for all Redis calls made by RackAttack. All
+ # the calls are instrumented, then redirected to the underlying
+ # store (in `.store). This class instruments the standard interfaces
+ # of ActiveRecord::Cache defined in
# https://github.com/rails/rails/blob/v6.0.3.1/activesupport/lib/active_support/cache.rb#L315
#
# For more information, please see
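Review bot: The rewritten comment (third added line) refers to the store as "`.store" with an unclosed backtick, and no `.store` accessor appears anywhere in this file's hunks; the constructor keeps the store in `@upstream_store` and the `delegate` line forwards to that ivar. I'd close the reference and name the real attribute, e.g. `# the calls are instrumented, then redirected to the underlying store (held in @upstream_store). This class instruments the standard interfaces`. The remaining header lines of the class comment continue outside the hunk.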
@@ -14,7 +15,7 @@ module Gitlab
delegate :silence!, :mute, to: :@upstream_store
- def initialize(upstream_store: ::Rails.cache, notifier: ActiveSupport::Notifications)
+ def initialize(upstream_store: ::Gitlab::Redis::RateLimiting.cache_store, notifier: ActiveSupport::Notifications)
@upstream_store = upstream_store
@notifier = notifier
end
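Review bot: The new default for `upstream_store` moves throttle counters from `::Rails.cache` to `::Gitlab::Redis::RateLimiting.cache_store`, which is a security-relevant choice (the counters now live in a dedicated rate-limiting backend), but nothing at the definition says so, and a caller passing its own `upstream_store` would silently keep counters somewhere else. I'd document the parameter directly above `initialize`: `# @param upstream_store [Object] store that receives every instrumented call; defaults to the dedicated rate-limiting store so throttle state is kept apart from the general Rails cache` and `# @param notifier [ActiveSupport::Notifications] receives the instrumentation events`. The class header this method belongs to starts outside the hunk.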
diff --git a/lib/gitlab/rack_attack/request.rb b/lib/gitlab/rack_attack/request.rb
index 099174842d0..dbc77c9f9d7 100644
--- a/lib/gitlab/rack_attack/request.rb
+++ b/lib/gitlab/rack_attack/request.rb
@@ -4,6 +4,7 @@ module Gitlab
module RackAttack
module Request
FILES_PATH_REGEX = %r{^/api/v\d+/projects/[^/]+/repository/files/.+}.freeze
+ GROUP_PATH_REGEX = %r{^/api/v\d+/groups/[^/]+/?$}.freeze
def unauthenticated?
!(authenticated_user_id([:api, :rss, :ics]) || authenticated_runner_id)
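Review bot: `GROUP_PATH_REGEX` on the added line anchors with `^` and `$`, which in Ruby match line boundaries rather than the ends of the string; for a path match that decides whether a request is throttled, `\A`/`\z` are the precise anchors: `GROUP_PATH_REGEX = %r{\A/api/v\d+/groups/[^/]+/?\z}.freeze`. Whether a request path can still contain a newline by the time it reaches this module depends on Rack's normalization, which is not visible here, so this is a tightening rather than a demonstrated bypass. The pre-existing `FILES_PATH_REGEX` on the line above has the same shape and could be tightened in the same change for consistency.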
@@ -71,6 +72,7 @@ module Gitlab
!should_be_skipped? &&
!throttle_unauthenticated_packages_api? &&
!throttle_unauthenticated_files_api? &&
+ !throttle_unauthenticated_deprecated_api? &&
Gitlab::Throttle.settings.throttle_unauthenticated_api_enabled &&
unauthenticated?
end
@@ -87,6 +89,7 @@ module Gitlab
api_request? &&
!throttle_authenticated_packages_api? &&
!throttle_authenticated_files_api? &&
+ !throttle_authenticated_deprecated_api? &&
Gitlab::Throttle.settings.throttle_authenticated_api_enabled
end
@@ -147,6 +150,17 @@ module Gitlab
Gitlab::Throttle.settings.throttle_authenticated_files_api_enabled
end
+ def throttle_unauthenticated_deprecated_api?
+ deprecated_api_request? &&
+ Gitlab::Throttle.settings.throttle_unauthenticated_deprecated_api_enabled &&
+ unauthenticated?
+ end
+
+ def throttle_authenticated_deprecated_api?
+ deprecated_api_request? &&
+ Gitlab::Throttle.settings.throttle_authenticated_deprecated_api_enabled
+ end
+
private
def authenticated_user_id(request_formats)
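Review bot: `throttle_unauthenticated_deprecated_api?` (first added method) omits the `!should_be_skipped?` guard that `throttle_unauthenticated_api?` applies as the first term of its chain in the earlier hunk, so requests the skip list exempts would still be counted by this throttle once it is enabled. If the files/packages throttles (defined outside this hunk) deliberately leave that guard out too, a one-line comment saying so would save the next reader the question; otherwise add `!should_be_skipped? &&` as the first term. The authenticated variant likewise skips the `api_request?` test that `throttle_authenticated_api?` performs, which is harmless only because `deprecated_api_request?` matches `/api/` paths exclusively, and is worth stating in a comment.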
@@ -176,6 +190,15 @@ module Gitlab
def files_api_path?
path =~ FILES_PATH_REGEX
end
+
+ def deprecated_api_request?
+ # The projects member of the groups endpoint is deprecated. If left
+ # unspecified, with_projects defaults to true
+ with_projects = params['with_projects']
+ with_projects = true if with_projects.blank?
+
+ path =~ GROUP_PATH_REGEX && Gitlab::Utils.to_boolean(with_projects)
+ end
end
end
end
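Review bot: `deprecated_api_request?` classifies by path alone, so every verb on `/api/v4/groups/:id` falls under the deprecated-API throttle whenever `with_projects` is absent, because the blank default is `true`; `PUT` and `DELETE` on a group share that exact path, and nothing here distinguishes them. Only the read of a group carries the deprecated `with_projects` behaviour, so I'd restrict the match on the method's last line, assuming this module is mixed into a `Rack::Request` (where `get?` is defined): `get? && path =~ GROUP_PATH_REGEX && Gitlab::Utils.to_boolean(with_projects)`. The generic name also hides that the body covers a single endpoint; the leading comment should say so, e.g. `# Currently the only throttled deprecated endpoint: GET /api/v4/groups/:id with with_projects=true (the default when unspecified).`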