author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-09-14 18:12:05 +0300 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-09-14 18:12:05 +0300 |
commit | b119503b7039d1e79b87300a145afdcd1145c2d6 (patch) | |
tree | 9977d51c4fd8177a20f1805c14f0cb6750baee1c /lib/gitlab | |
parent | d378fdaa60adb7217e3fc798580ad206127728d5 (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib/gitlab')
-rw-r--r-- | lib/gitlab/middleware/sidekiq_web_static.rb | 24 | ||||
-rw-r--r-- | lib/gitlab/rack_attack.rb | 20 | ||||
-rw-r--r-- | lib/gitlab/rack_attack/request.rb | 11 | ||||
-rw-r--r-- | lib/gitlab/throttle.rb | 9 |
4 files changed, 59 insertions, 5 deletions
diff --git a/lib/gitlab/middleware/sidekiq_web_static.rb b/lib/gitlab/middleware/sidekiq_web_static.rb
new file mode 100644
index 00000000000..61b5fb9e0c6
--- /dev/null
+++ b/lib/gitlab/middleware/sidekiq_web_static.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+# This module removes the X-Sendfile-Type header for /admin/sidekiq
+# assets since Workhorse isn't always guaranteed to have the assets
+# present on disk, such as when using Cloud Native GitLab
+# containers. These assets are also small and served infrequently so it
+# should be fine to do this.
+module Gitlab
+ module Middleware
+ class SidekiqWebStatic
+ SIDEKIQ_REGEX = %r{\A/admin/sidekiq/}.freeze
+
+ def initialize(app)
+ @app = app
+ end
+
+ def call(env)
+ env.delete('HTTP_X_SENDFILE_TYPE') if env['PATH_INFO'] =~ SIDEKIQ_REGEX
+
+ @app.call(env)
+ end
+ end
+ end
+end
diff --git a/lib/gitlab/rack_attack.rb b/lib/gitlab/rack_attack.rb
index 7db7da03925..64c2faf7d50 100644
--- a/lib/gitlab/rack_attack.rb
+++ b/lib/gitlab/rack_attack.rb
@@ -82,8 +82,14 @@ module Gitlab
 end
 def self.configure_throttles(rack_attack)
- throttle_or_track(rack_attack, 'throttle_unauthenticated', Gitlab::Throttle.unauthenticated_options) do |req|
- if req.throttle_unauthenticated?
+ throttle_or_track(rack_attack, 'throttle_unauthenticated_api', Gitlab::Throttle.unauthenticated_api_options) do |req|
+ if req.throttle_unauthenticated_api?
+ req.ip
+ end
+ end
+
+ throttle_or_track(rack_attack, 'throttle_unauthenticated_web', Gitlab::Throttle.unauthenticated_web_options) do |req|
+ if req.throttle_unauthenticated_web?
 req.ip
 end
 end
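Review bot: In `SidekiqWebStatic#call`, `env['PATH_INFO'] =~ SIDEKIQ_REGEX` is used only as a boolean, so `SIDEKIQ_REGEX.match?(env['PATH_INFO'])` states the intent without allocating MatchData or setting `$~`, and it also returns false for a nil `PATH_INFO`, which keeps the current behaviour. The header comment says "This module" although the definition is a class, and it does not name the Rack env key being dropped; I would reword its first line to `# This middleware removes the X-Sendfile-Type request header (Rack env key HTTP_X_SENDFILE_TYPE) for /admin/sidekiq assets`. The `\A` anchor limits the exemption to that path prefix, which is worth keeping as is.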
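Review bot: The two new `throttle_or_track` blocks in `configure_throttles` each wrap a single expression in a multi-line `if`, which the modifier form states in one line: `req.ip if req.throttle_unauthenticated_api?` and `req.ip if req.throttle_unauthenticated_web?`. Both throttles are keyed on `req.ip` under distinct names, so the API and web counters are tracked independently; a one-line comment above the pair, `# The former throttle_unauthenticated limit is now split by request type (API vs web).`, would help readers searching for the old name. `configure_throttles` continues past the end of the hunk.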
@@ -177,7 +183,15 @@ module Gitlab
 return false if dry_run_config.empty?
 return true if dry_run_config == '*'
- dry_run_config.split(',').map(&:strip).include?(name)
+ dry_run_throttles = dry_run_config.split(',').map(&:strip)
+
+ # `throttle_unauthenticated` was split into API and web, so to maintain backwards-compatibility
+ # this throttle name now controls both rate limits.
+ if dry_run_throttles.include?('throttle_unauthenticated')
+ dry_run_throttles += %w[throttle_unauthenticated_api throttle_unauthenticated_web]
+ end
+
+ dry_run_throttles.include?(name)
 end
 def self.user_allowlist
diff --git a/lib/gitlab/rack_attack/request.rb b/lib/gitlab/rack_attack/request.rb
index 2f48e71a5cd..9deba0c7ca1 100644
--- a/lib/gitlab/rack_attack/request.rb
+++ b/lib/gitlab/rack_attack/request.rb
@@ -60,10 +60,19 @@ module Gitlab
 path =~ protected_paths_regex
 end
- def throttle_unauthenticated?
+ def throttle_unauthenticated_api?
+ api_request? &&
 !should_be_skipped? &&
 !throttle_unauthenticated_packages_api? &&
 !throttle_unauthenticated_files_api? &&
+ Gitlab::Throttle.settings.throttle_unauthenticated_api_enabled &&
+ unauthenticated?
+ end
+
+ def throttle_unauthenticated_web?
+ web_request? &&
+ !should_be_skipped? &&
+ # TODO: Column will be renamed in https://gitlab.com/gitlab-org/gitlab/-/issues/340031
 Gitlab::Throttle.settings.throttle_unauthenticated_enabled &&
 unauthenticated?
 end
diff --git a/lib/gitlab/throttle.rb b/lib/gitlab/throttle.rb
index f1acea80eaf..f57ae67f6ae 100644
--- a/lib/gitlab/throttle.rb
+++ b/lib/gitlab/throttle.rb
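Review bot: The backwards-compatibility expansion in the dry-run check hard-codes the pair `%w[throttle_unauthenticated_api throttle_unauthenticated_web]` inline, while the TODO comments in this commit's request.rb and throttle.rb hunks say the related settings will be renamed; a frozen constant next to the method, `LEGACY_UNAUTHENTICATED_DRY_RUN_THROTTLES = %w[throttle_unauthenticated_api throttle_unauthenticated_web].freeze`, would keep that mapping in one place when the rename lands. The alias is one-directional — listing only `throttle_unauthenticated_api` does not dry-run the web throttle — which looks intended but deserves a clause in the existing comment. The enclosing method starts before the hunk.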
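Review bot: The removed `throttle_unauthenticated?` had no request-type guard (its context lines go straight to `!should_be_skipped? &&`), whereas the new predicates require `api_request?` or `web_request?` respectively, so an unauthenticated request that satisfies neither predicate is no longer rate-limited by either throttle. Whether that gap exists depends on how `web_request?` and `api_request?` are defined, which is outside the hunk; if `web_request?` is not simply the complement of `api_request?`, the previous coverage has shrunk and a spec asserting that each unauthenticated request matches exactly one of the two predicates would catch it. The `!throttle_unauthenticated_packages_api?`/`!throttle_unauthenticated_files_api?` exclusions now apply only on the API side, which is consistent if those endpoints are API paths; a short comment on `throttle_unauthenticated_api?` saying so would record the intent.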
@@ -24,7 +24,14 @@ module Gitlab
 "HTTP_#{env_value.upcase.tr('-', '_')}"
 end
- def self.unauthenticated_options
+ def self.unauthenticated_api_options
+ limit_proc = proc { |req| settings.throttle_unauthenticated_api_requests_per_period }
+ period_proc = proc { |req| settings.throttle_unauthenticated_api_period_in_seconds.seconds }
+ { limit: limit_proc, period: period_proc }
+ end
+
+ def self.unauthenticated_web_options
+ # TODO: Columns will be renamed in https://gitlab.com/gitlab-org/gitlab/-/issues/340031
 limit_proc = proc { |req| settings.throttle_unauthenticated_requests_per_period }
 period_proc = proc { |req| settings.throttle_unauthenticated_period_in_seconds.seconds }
 { limit: limit_proc, period: period_proc } |
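Review bot: The block parameter `req` in the `proc { |req| ... }` literals of `unauthenticated_api_options` (and the unchanged ones in `unauthenticated_web_options`) is never used; naming it `_req`, e.g. `limit_proc = proc { |_req| settings.throttle_unauthenticated_api_requests_per_period }`, documents that the limit does not vary per request and satisfies the unused-argument lint. The two methods are identical apart from the setting names, so a private helper taking the two setting keys would remove the duplication, though that is optional. `settings` is defined outside the hunk.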