Diffstat (limited to 'lib/gitlab/rack_attack')
-rw-r--r-- | lib/gitlab/rack_attack/instrumented_cache_store.rb | 9 | ||||
-rw-r--r-- | lib/gitlab/rack_attack/request.rb | 23 |
2 files changed, 28 insertions, 4 deletions
diff --git a/lib/gitlab/rack_attack/instrumented_cache_store.rb b/lib/gitlab/rack_attack/instrumented_cache_store.rb
index 8cf9082384f..d8beb259fba 100644
--- a/lib/gitlab/rack_attack/instrumented_cache_store.rb
+++ b/lib/gitlab/rack_attack/instrumented_cache_store.rb
@@ -2,9 +2,10 @@ module Gitlab
 module RackAttack
- # This class is a proxy for all Redis calls made by RackAttack. All the
- # calls are instrumented, then redirected to ::Rails.cache. This class
- # instruments the standard interfaces of ActiveRecord::Cache defined in
+ # This class is a proxy for all Redis calls made by RackAttack. All
+ # the calls are instrumented, then redirected to the underlying
+ # store (in `.store). This class instruments the standard interfaces
+ # of ActiveRecord::Cache defined in
 # https://github.com/rails/rails/blob/v6.0.3.1/activesupport/lib/active_support/cache.rb#L315
 #
 # For more information, please see
@@ -14,7 +15,7 @@ module Gitlab
 delegate :silence!, :mute, to: :@upstream_store
- def initialize(upstream_store: ::Rails.cache, notifier: ActiveSupport::Notifications)
+ def initialize(upstream_store: ::Gitlab::Redis::RateLimiting.cache_store, notifier: ActiveSupport::Notifications)
 @upstream_store = upstream_store
 @notifier = notifier
 end
diff --git a/lib/gitlab/rack_attack/request.rb b/lib/gitlab/rack_attack/request.rb
index 099174842d0..dbc77c9f9d7 100644
--- a/lib/gitlab/rack_attack/request.rb
+++ b/lib/gitlab/rack_attack/request.rb
@@ -4,6 +4,7 @@ module Gitlab
 module RackAttack
 module Request
 FILES_PATH_REGEX = %r{^/api/v\d+/projects/[^/]+/repository/files/.+}.freeze
+ GROUP_PATH_REGEX = %r{^/api/v\d+/groups/[^/]+/?$}.freeze
 def unauthenticated?
 !(authenticated_user_id([:api, :rss, :ics]) || authenticated_runner_id)
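Review bot: The rewritten class comment in the first hunk of instrumented_cache_store.rb says `store (in `.store)` with an unclosed backtick, while the only place the store is visibly kept is `@upstream_store` in `initialize`; unless a `store` reader exists outside the hunk, the line should read `# store (in `@upstream_store`). This class instruments the standard interfaces`. The same paragraph still names `ActiveRecord::Cache`, but the file it links to is `activesupport/lib/active_support/cache.rb`, so `ActiveSupport::Cache` is the interface being proxied. Both are comment-only changes on the `+` lines.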
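Review bot: `GROUP_PATH_REGEX` is anchored with `^` and `$`, which in Ruby match at line boundaries rather than string ends, so `$` also matches just before a trailing newline in `path`; because this constant decides whether a request leaves the general API throttle for the deprecated-API one, anchor the whole string instead: `GROUP_PATH_REGEX = %r{\A/api/v\d+/groups/[^/]+/?\z}.freeze`. The existing `FILES_PATH_REGEX` on the line above uses the same `^` anchor, so switching both keeps them consistent. Whether a newline can actually reach `path` depends on the server in front of Rack, which is not visible in this diff.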
@@ -71,6 +72,7 @@ module Gitlab
 !should_be_skipped? &&
 !throttle_unauthenticated_packages_api? &&
 !throttle_unauthenticated_files_api? &&
+ !throttle_unauthenticated_deprecated_api? &&
 Gitlab::Throttle.settings.throttle_unauthenticated_api_enabled &&
 unauthenticated?
 end
@@ -87,6 +89,7 @@ module Gitlab
 api_request? &&
 !throttle_authenticated_packages_api? &&
 !throttle_authenticated_files_api? &&
+ !throttle_authenticated_deprecated_api? &&
 Gitlab::Throttle.settings.throttle_authenticated_api_enabled
 end
@@ -147,6 +150,17 @@ module Gitlab
 Gitlab::Throttle.settings.throttle_authenticated_files_api_enabled
 end
+ def throttle_unauthenticated_deprecated_api?
+ deprecated_api_request? &&
+ Gitlab::Throttle.settings.throttle_unauthenticated_deprecated_api_enabled &&
+ unauthenticated?
+ end
+
+ def throttle_authenticated_deprecated_api?
+ deprecated_api_request? &&
+ Gitlab::Throttle.settings.throttle_authenticated_deprecated_api_enabled
+ end
+
 private
 def authenticated_user_id(request_formats)
@@ -176,6 +190,15 @@ module Gitlab
 def files_api_path?
 path =~ FILES_PATH_REGEX
 end
+
+ def deprecated_api_request?
+ # The projects member of the groups endpoint is deprecated. If left
+ # unspecified, with_projects defaults to true
+ with_projects = params['with_projects']
+ with_projects = true if with_projects.blank?
+
+ path =~ GROUP_PATH_REGEX && Gitlab::Utils.to_boolean(with_projects)
+ end
 end
 end
 end
|
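Review bot: `deprecated_api_request?` in the last hunk reads `params` before it checks the path, so `Rack::Request#params` is evaluated for every request that reaches the API throttle chains, not only for `/groups/:id` requests; parsing a form body or a malformed query string for a path that cannot match does no useful work and may raise from inside the throttle. Test the cheap condition first with `return false unless path =~ GROUP_PATH_REGEX` at the top of the method, keep the `with_projects` handling as is, and end with `Gitlab::Utils.to_boolean(with_projects)`. The `!throttle_*_deprecated_api?` exclusions added in the first two hunks of this file run this predicate on every API request, so the early return also keeps those chains cheap. `Gitlab::Utils.to_boolean` is defined outside this diff, so what it returns for an unrecognised value such as `with_projects=maybe` (and therefore which throttle such a request falls under) should be confirmed against its definition.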