authorGitLab Bot <gitlab-bot@gitlab.com>2022-01-20 21:14:18 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-01-20 21:14:18 +0300
commit39cb2fdf01699eb5ac000c918f469c58dc75f7e8 (patch)
tree5de21a06dfe8b97c793f892032be45949aa482db /lib/gitlab/rack_attack
parentc17eb7c97062d25cdf1b44573e4c0241f52aa2fe (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib/gitlab/rack_attack')
-rw-r--r--lib/gitlab/rack_attack/request.rb35
1 files changed, 25 insertions, 10 deletions
diff --git a/lib/gitlab/rack_attack/request.rb b/lib/gitlab/rack_attack/request.rb
index 94ae29af3d0..d4a65227a20 100644
--- a/lib/gitlab/rack_attack/request.rb
+++ b/lib/gitlab/rack_attack/request.rb
@@ -3,6 +3,8 @@
module Gitlab
module RackAttack
module Request
+ include ::Gitlab::Utils::StrongMemoize
+
FILES_PATH_REGEX = %r{^/api/v\d+/projects/[^/]+/repository/files/.+}.freeze
GROUP_PATH_REGEX = %r{^/api/v\d+/groups/[^/]+/?$}.freeze
@@ -30,15 +32,15 @@ module Gitlab
end
def api_internal_request?
- path =~ %r{^/api/v\d+/internal/}
+ path.match?(%r{^/api/v\d+/internal/})
end
def health_check_request?
- path =~ %r{^/-/(health|liveness|readiness|metrics)}
+ path.match?(%r{^/-/(health|liveness|readiness|metrics)})
end
def container_registry_event?
- path =~ %r{^/api/v\d+/container_registry_event/}
+ path.match?(%r{^/api/v\d+/container_registry_event/})
end
def product_analytics_collector_request?
@@ -58,7 +60,7 @@ module Gitlab
end
def protected_path_regex
- path =~ protected_paths_regex
+ path.match?(protected_paths_regex)
end
def throttle?(throttle, authenticated:)
@@ -70,6 +72,7 @@ module Gitlab
def throttle_unauthenticated_api?
api_request? &&
!should_be_skipped? &&
+ !frontend_request? &&
!throttle_unauthenticated_packages_api? &&
!throttle_unauthenticated_files_api? &&
!throttle_unauthenticated_deprecated_api? &&
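Review bot: The added `!frontend_request?` line drops any request carrying a session-verified CSRF token out of the unauthenticated API throttle unconditionally, while the web throttle that is meant to catch it instead (`throttle_unauthenticated_web?`, lower in this file) is gated on `Gitlab::Throttle.settings.throttle_unauthenticated_enabled`. On an instance that enables the unauthenticated API throttle but leaves the web throttle off, a client that holds a session and echoes its token in `X-CSRF-Token` appears to fall into neither bucket, which would be a loosening relative to the previous behaviour where every API path hit this throttle. Consider only excluding the request when the web bucket will actually apply, e.g. `!(frontend_request? && Gitlab::Throttle.settings.throttle_unauthenticated_enabled) &&`, or at least documenting that the two settings are expected to be enabled together. The remaining conditions of `throttle_unauthenticated_api?` continue past the end of the hunk, so the final settings check is not visible here.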
@@ -78,7 +81,7 @@ module Gitlab
end
def throttle_unauthenticated_web?
- web_request? &&
+ (web_request? || frontend_request?) &&
!should_be_skipped? &&
# TODO: Column will be renamed in https://gitlab.com/gitlab-org/gitlab/-/issues/340031
Gitlab::Throttle.settings.throttle_unauthenticated_enabled &&
@@ -87,6 +90,7 @@ module Gitlab
def throttle_authenticated_api?
api_request? &&
+ !frontend_request? &&
!throttle_authenticated_packages_api? &&
!throttle_authenticated_files_api? &&
!throttle_authenticated_deprecated_api? &&
@@ -94,7 +98,7 @@ module Gitlab
end
def throttle_authenticated_web?
- web_request? &&
+ (web_request? || frontend_request?) &&
!throttle_authenticated_git_lfs? &&
Gitlab::Throttle.settings.throttle_authenticated_web_enabled
end
@@ -178,15 +182,26 @@ module Gitlab
end
def packages_api_path?
- path =~ ::Gitlab::Regex::Packages::API_PATH_REGEX
+ path.match?(::Gitlab::Regex::Packages::API_PATH_REGEX)
end
def git_lfs_path?
- path =~ Gitlab::PathRegex.repository_git_lfs_route_regex
+ path.match?(Gitlab::PathRegex.repository_git_lfs_route_regex)
end
def files_api_path?
- path =~ FILES_PATH_REGEX
+ path.match?(FILES_PATH_REGEX)
+ end
+
+ def frontend_request?
+ return false unless Feature.enabled?(:rate_limit_frontend_requests, default_enabled: :yaml)
+
+ strong_memoize(:frontend_request) do
+ next false unless env.include?('HTTP_X_CSRF_TOKEN') && session.include?(:_csrf_token)
+
+ # CSRF tokens are not verified for GET/HEAD requests, so we pretend that we always have a POST request.
+ Gitlab::RequestForgeryProtection.verified?(env.merge('REQUEST_METHOD' => 'POST'))
+ end
end
def deprecated_api_request?
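Review bot: `frontend_request?` carries no comment explaining what it decides or why, and the decision is security-relevant: the only thing that makes a request "frontend" is a CSRF token that verifies against the current session, and any client holding a session, including an unauthenticated browser, can copy that token into `X-CSRF-Token` on any request, so this chooses a rate-limit bucket but is not evidence that the request originated from the GitLab UI. I would put that above the method: `# A request counts as "frontend" when it carries a CSRF token that verifies against the session; such requests are throttled as web traffic rather than API traffic. A session holder can attach the token deliberately, so this only selects the bucket and must not be read as an authenticity check.` The `env.merge('REQUEST_METHOD' => 'POST')` trick also deserves a sentence noting that it presumes `Gitlab::RequestForgeryProtection.verified?` decides whether to verify from `REQUEST_METHOD` alone, which is not visible from this file. As a minor point, the `Feature.enabled?` check sits outside `strong_memoize`, so the flag is re-evaluated on every call and only the verification result is cached; moving the flag check inside the block would memoize the whole answer. `deprecated_api_request?` begins on the hunk's last line and its body lies outside it.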
@@ -195,7 +210,7 @@ module Gitlab
with_projects = params['with_projects']
with_projects = true if with_projects.blank?
- path =~ GROUP_PATH_REGEX && Gitlab::Utils.to_boolean(with_projects)
+ path.match?(GROUP_PATH_REGEX) && Gitlab::Utils.to_boolean(with_projects)
end
end
end