diff options
Diffstat (limited to 'lib/gitlab/rack_attack.rb')
-rw-r--r-- | lib/gitlab/rack_attack.rb | 94 |
1 files changed, 51 insertions, 43 deletions
diff --git a/lib/gitlab/rack_attack.rb b/lib/gitlab/rack_attack.rb index 829b305d1ee..2182f5b56e4 100644 --- a/lib/gitlab/rack_attack.rb +++ b/lib/gitlab/rack_attack.rb @@ -81,6 +81,55 @@ module Gitlab user_allowlist end + ThrottleDefinition = Struct.new(:options, :request_identifier) + def self.throttle_definitions + { + 'throttle_unauthenticated_web' => ThrottleDefinition.new( + Gitlab::Throttle.unauthenticated_web_options, + ->(req) { req.ip if req.throttle_unauthenticated_web? } + ), + # Product analytics feature is in experimental stage. + # At this point we want to limit amount of events registered + # per application (aid stands for application id). + 'throttle_product_analytics_collector' => ThrottleDefinition.new( + { limit: 100, period: 60 }, + ->(req) { req.params['aid'] if req.product_analytics_collector_request? } + ), + 'throttle_authenticated_web' => ThrottleDefinition.new( + Gitlab::Throttle.authenticated_web_options, + ->(req) { req.throttled_identifer([:api, :rss, :ics]) if req.throttle_authenticated_web? } + ), + 'throttle_unauthenticated_protected_paths' => ThrottleDefinition.new( + Gitlab::Throttle.protected_paths_options, + ->(req) { req.ip if req.throttle_unauthenticated_protected_paths? } + ), + 'throttle_authenticated_protected_paths_api' => ThrottleDefinition.new( + Gitlab::Throttle.protected_paths_options, + ->(req) { req.throttled_identifer([:api]) if req.throttle_authenticated_protected_paths_api? } + ), + 'throttle_authenticated_protected_paths_web' => ThrottleDefinition.new( + Gitlab::Throttle.protected_paths_options, + ->(req) { req.throttled_identifer([:api, :rss, :ics]) if req.throttle_authenticated_protected_paths_web? } + ), + 'throttle_unauthenticated_get_protected_paths' => ThrottleDefinition.new( + Gitlab::Throttle.protected_paths_options, + ->(req) { req.ip if req.throttle_unauthenticated_get_protected_paths? } + ), + 'throttle_authenticated_get_protected_paths_api' => ThrottleDefinition.new( + Gitlab::Throttle.protected_paths_options, + ->(req) { req.throttled_identifer([:api]) if req.throttle_authenticated_get_protected_paths_api? } + ), + 'throttle_authenticated_get_protected_paths_web' => ThrottleDefinition.new( + Gitlab::Throttle.protected_paths_options, + ->(req) { req.throttled_identifer([:api, :rss, :ics]) if req.throttle_authenticated_get_protected_paths_web? } + ), + 'throttle_authenticated_git_lfs' => ThrottleDefinition.new( + Gitlab::Throttle.throttle_authenticated_git_lfs_options, + ->(req) { req.throttled_identifer([:api]) if req.throttle_authenticated_git_lfs? } + ) + } + end + def self.configure_throttles(rack_attack) # Each of these settings follows the same pattern of specifying separate # authenticated and unauthenticated rates via settings @@ -100,49 +149,8 @@ module Gitlab end end - throttle_or_track(rack_attack, 'throttle_unauthenticated_web', Gitlab::Throttle.unauthenticated_web_options) do |req| - if req.throttle_unauthenticated_web? - req.ip - end - end - - # Product analytics feature is in experimental stage. - # At this point we want to limit amount of events registered - # per application (aid stands for application id). - throttle_or_track(rack_attack, 'throttle_product_analytics_collector', limit: 100, period: 60) do |req| - if req.product_analytics_collector_request? - req.params['aid'] - end - end - - throttle_or_track(rack_attack, 'throttle_authenticated_web', Gitlab::Throttle.authenticated_web_options) do |req| - if req.throttle_authenticated_web? - req.throttled_identifer([:api, :rss, :ics]) - end - end - - throttle_or_track(rack_attack, 'throttle_unauthenticated_protected_paths', Gitlab::Throttle.protected_paths_options) do |req| - if req.throttle_unauthenticated_protected_paths? - req.ip - end - end - - throttle_or_track(rack_attack, 'throttle_authenticated_protected_paths_api', Gitlab::Throttle.protected_paths_options) do |req| - if req.throttle_authenticated_protected_paths_api? - req.throttled_identifer([:api]) - end - end - - throttle_or_track(rack_attack, 'throttle_authenticated_protected_paths_web', Gitlab::Throttle.protected_paths_options) do |req| - if req.throttle_authenticated_protected_paths_web? - req.throttled_identifer([:api, :rss, :ics]) - end - end - - throttle_or_track(rack_attack, 'throttle_authenticated_git_lfs', Gitlab::Throttle.throttle_authenticated_git_lfs_options) do |req| - if req.throttle_authenticated_git_lfs? - req.throttled_identifer([:api]) - end + throttle_definitions.each do |name, definition| + throttle_or_track(rack_attack, name, definition.options, &definition.request_identifier) end rack_attack.safelist('throttle_bypass_header') do |req| |