Commit 1350874c authored by Jan Provaznik's avatar Jan Provaznik

Merge branch 'rate-limit-username-exists-endpoint' into 'master'

Enforce rate limit per IP on /users/:username/exists

See merge request gitlab-org/gitlab!77119
parents 231328dd c9ba2110
...@@ -23,6 +23,9 @@ class UsersController < ApplicationController ...@@ -23,6 +23,9 @@ class UsersController < ApplicationController
before_action :user, except: [:exists] before_action :user, except: [:exists]
before_action :authorize_read_user_profile!, before_action :authorize_read_user_profile!,
only: [:calendar, :calendar_activities, :groups, :projects, :contributed, :starred, :snippets, :followers, :following] only: [:calendar, :calendar_activities, :groups, :projects, :contributed, :starred, :snippets, :followers, :following]
before_action only: [:exists] do
check_rate_limit!(:username_exists, scope: request.ip) if Feature.enabled?(:rate_limit_username_exists_endpoint, default_enabled: :yaml)
end
feature_category :users feature_category :users
......
---
name: rate_limit_username_exists_endpoint
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77119
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/348974
milestone: '14.7'
type: development
group: group::optimize
default_enabled: false
...@@ -50,6 +50,7 @@ module Gitlab ...@@ -50,6 +50,7 @@ module Gitlab
profile_add_new_email: { threshold: 5, interval: 1.minute }, profile_add_new_email: { threshold: 5, interval: 1.minute },
web_hook_calls: { interval: 1.minute }, web_hook_calls: { interval: 1.minute },
users_get_by_id: { threshold: 10, interval: 1.minute }, users_get_by_id: { threshold: 10, interval: 1.minute },
username_exists: { threshold: 20, interval: 1.minute },
profile_resend_email_confirmation: { threshold: 5, interval: 1.minute }, profile_resend_email_confirmation: { threshold: 5, interval: 1.minute },
profile_update_username: { threshold: 10, interval: 1.minute }, profile_update_username: { threshold: 10, interval: 1.minute },
update_environment_canary_ingress: { threshold: 1, interval: 1.minute }, update_environment_canary_ingress: { threshold: 1, interval: 1.minute },
......
...@@ -636,6 +636,8 @@ RSpec.describe UsersController do ...@@ -636,6 +636,8 @@ RSpec.describe UsersController do
describe 'GET #exists' do describe 'GET #exists' do
before do before do
sign_in(user) sign_in(user)
allow(::Gitlab::ApplicationRateLimiter).to receive(:throttled?).and_return(false)
end end
context 'when user exists' do context 'when user exists' do
...@@ -677,6 +679,17 @@ RSpec.describe UsersController do ...@@ -677,6 +679,17 @@ RSpec.describe UsersController do
end end
end end
end end
context 'when the rate limit has been reached' do
it 'returns status 429 Too Many Requests', :aggregate_failures do
ip = '1.2.3.4'
expect(::Gitlab::ApplicationRateLimiter).to receive(:throttled?).with(:username_exists, scope: ip).and_return(true)
get user_exists_url(user.username), env: { 'REMOTE_ADDR': ip }
expect(response).to have_gitlab_http_status(:too_many_requests)
end
end
end end
describe '#ensure_canonical_path' do describe '#ensure_canonical_path' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment