Add rate limit to issue creation

- Add check for rate limit in Project::IssuesController - Add issues_create_limit field to application settings - Add specs for issues controller and application settings Update PO files

Add rate limit to issue creation
- Add check for rate limit in Project::IssuesController - Add issues_create_limit field to application settings - Add specs for issues controller and application settings Update PO files
536e7108 · Eugenia Grieff · 4e95c330 · 536e7108 · 536e7108 · 536e7108
Commit 536e7108 authored Mar 25, 2020 by Eugenia Grieff
12 changed files
--- a/app/controllers/admin/application_settings_controller.rb
+++ b/app/controllers/admin/application_settings_controller.rb
@@ -219,6 +219,7 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
      :domain_blacklist_file,
      :raw_blob_request_limit,
      :namespace_storage_size_limit,
+      :issues_create_limit,
      disabled_oauth_sign_in_sources: [],
      import_sources: [],
      repository_storages: [],

--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
@@ -42,6 +42,9 @@ class Projects::IssuesController < Projects::ApplicationController
  before_action :authorize_import_issues!, only: [:import_csv]
  before_action :authorize_download_code!, only: [:related_branches]
+  # Limit the amount of issues created per minute
+  before_action :create_rate_limit, only: [:create]
  before_action do
    push_frontend_feature_flag(:vue_issuable_sidebar, project.group)
    push_frontend_feature_flag(:save_issuable_health_status, project.group, default_enabled: true)
@@ -296,6 +299,22 @@ class Projects::IssuesController < Projects::ApplicationController
    # 3. https://gitlab.com/gitlab-org/gitlab-foss/issues/42426
    Gitlab::QueryLimiting.whitelist('https://gitlab.com/gitlab-org/gitlab-foss/issues/42422')
  end
+  private
+  def create_rate_limit
+    key = :issues_create
+    if rate_limiter.throttled?(key, scope: [@project, @current_user])
+      rate_limiter.log_request(request, "#{key}_request_limit".to_sym, current_user)
+      render plain: _('This endpoint has been requested too many times. Try again later.'), status: :too_many_requests
+    end
+  end
+  def rate_limiter
+    ::Gitlab::ApplicationRateLimiter
+  end
 end
 Projects::IssuesController.prepend_if_ee('EE::Projects::IssuesController')
--- a/app/models/application_setting_implementation.rb
+++ b/app/models/application_setting_implementation.rb
@@ -79,6 +79,7 @@ module ApplicationSettingImplementation
        housekeeping_gc_period: 200,
        housekeeping_incremental_repack_period: 10,
        import_sources: Settings.gitlab['import_sources'],
+        issues_create_limit: 300,
        local_markdown_version: 0,
        max_artifacts_size: Settings.artifacts['max_size'],
        max_attachment_size: Settings.gitlab['max_attachment_size'],

--- a/app/views/admin/application_settings/_issue_limits.html.haml
+++ b/app/views/admin/application_settings/_issue_limits.html.haml
+= form_for @application_setting, url: network_admin_application_settings_path(anchor: 'js-issue-limits-settings'), html: { class: 'fieldset-form' } do |f|
+  = form_errors(@application_setting)
+  %fieldset
+    .form-group
+      = f.label :issues_create_limit, 'Max requests per second per user', class: 'label-bold'
+      = f.number_field :issues_create_limit, class: 'form-control'
+  = f.submit 'Save changes', class: "btn btn-success", data: { qa_selector: 'save_changes_button' }
--- a/app/views/admin/application_settings/network.html.haml
+++ b/app/views/admin/application_settings/network.html.haml
@@ -46,4 +46,15 @@
  .settings-content
    = render 'protected_paths'
+%section.settings.as-issue-limits.no-animate#js-issue-limits-settings{ class: ('expanded' if expanded_by_default?) }
+  .settings-header
+    %h4
+      = _('Issues Rate Limits')
+    %button.btn.btn-default.js-settings-toggle{ type: 'button' }
+      = expanded_by_default? ? _('Collapse') : _('Expand')
+    %p
+      = _('Configure limit for issues created per minute by web and API requests.')
+  .settings-content
+    = render 'issue_limits'
 = render_if_exists 'admin/application_settings/ee_network_settings'
--- a/changelogs/unreleased/55241-rate-limit-issue-creation.yml
+++ b/changelogs/unreleased/55241-rate-limit-issue-creation.yml
+---
+title: Introduce rate limit for creating issues via web UI
+merge_request: 28129
+author:
+type: performance
--- a/db/migrate/20200325111432_add_issues_create_limit_to_application_settings.rb
+++ b/db/migrate/20200325111432_add_issues_create_limit_to_application_settings.rb
+# frozen_string_literal: true
+class AddIssuesCreateLimitToApplicationSettings < ActiveRecord::Migration[6.0]
+  DOWNTIME = false
+  def change
+    add_column :application_settings, :issues_create_limit, :integer, default: 300, null: false
+  end
+end
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -397,6 +397,7 @@ CREATE TABLE public.application_settings (
    email_restrictions text,
    npm_package_requests_forwarding boolean DEFAULT true NOT NULL,
    namespace_storage_size_limit bigint DEFAULT 0 NOT NULL,
+    issues_create_limit integer DEFAULT 300 NOT NULL,
    seat_link_enabled boolean DEFAULT true NOT NULL,
    container_expiration_policies_enable_historic_entries boolean DEFAULT false NOT NULL
 );
@@ -13064,6 +13065,7 @@ COPY "schema_migrations" (version) FROM STDIN;
 20200323134519
 20200324093258
 20200324115359
+20200325111432
 20200325152327
 20200325160952
 20200325183636

--- a/lib/gitlab/application_rate_limiter.rb
+++ b/lib/gitlab/application_rate_limiter.rb
@@ -19,8 +19,9 @@ module Gitlab
      # and only do that when it's needed.
      def rate_limits
        {
-          project_export:              { threshold: 1, interval: 5.minutes },
+          issues_create:                { threshold: -> { Gitlab::CurrentSettings.current_application_settings.issues_create_limit }, interval: 1.minute },
-          project_download_export:     { threshold: 10, interval: 10.minutes },
+          project_export:               { threshold: 1, interval: 5.minutes },
+          project_download_export:      { threshold: 10, interval: 10.minutes },
          project_repositories_archive: { threshold: 5, interval: 1.minute },
          project_generate_new_export: { threshold: 1, interval: 5.minutes },
          project_import:              { threshold: 30, interval: 5.minutes },

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -5331,6 +5331,9 @@ msgstr ""
 msgid "Configure existing installation"
 msgstr ""
+msgid "Configure limit for issues created per minute by web and API requests."
+msgstr ""
 msgid "Configure limits for web and API requests."
 msgstr ""
@@ -11382,6 +11385,9 @@ msgstr ""
 msgid "Issues Analytics"
 msgstr ""
+msgid "Issues Rate Limits"
+msgstr ""
 msgid "Issues can be bugs, tasks or ideas to be discussed. Also, issues are searchable and filterable."
 msgstr ""

--- a/spec/controllers/projects/issues_controller_spec.rb
+++ b/spec/controllers/projects/issues_controller_spec.rb
@@ -1085,6 +1085,48 @@ describe Projects::IssuesController do
        expect { subject }.to change(SentryIssue, :count)
      end
    end
+    context 'when the endpoint receives requests above the limit' do
+      before do
+        stub_application_setting(issues_create_limit: 5)
+      end
+      it 'prevents from creating more issues', :request_store do
+        5.times { post_new_issue }
+        expect { post_new_issue }
+          .to change { Gitlab::GitalyClient.get_request_count }.by(1) # creates 1 projects and 0 issues
+        post_new_issue
+        expect(response.body).to eq(_('This endpoint has been requested too many times. Try again later.'))
+        expect(response).to have_gitlab_http_status(:too_many_requests)
+      end
+      it 'logs the event on auth.log' do
+        attributes = {
+          message: 'Application_Rate_Limiter_Request',
+          env: :issues_create_request_limit,
+          remote_ip: '0.0.0.0',
+          request_method: 'POST',
+          path: "/#{project.full_path}/-/issues",
+          user_id: user.id,
+          username: user.username
+        }
+        expect(Gitlab::AuthLogger).to receive(:error).with(attributes).once
+        project.add_developer(user)
+        sign_in(user)
+        6.times do
+          post :create, params: {
+            namespace_id: project.namespace.to_param,
+            project_id: project,
+            issue: { title: 'Title', description: 'Description' }
+          }
+        end
+      end
+    end
  end
  describe 'POST #mark_as_spam' do

--- a/spec/services/application_settings/update_service_spec.rb
+++ b/spec/services/application_settings/update_service_spec.rb
@@ -334,4 +334,20 @@ describe ApplicationSettings::UpdateService do
      expect(application_settings.protected_paths).to eq(['/users/password', '/users/sign_in'])
    end
  end
+  context 'when issues_create_limit is passsed' do
+    let(:params) do
+      {
+        issues_create_limit: 600
+      }
+    end
+    it 'updates issues_create_limit value' do
+      subject.execute
+      application_settings.reload
+      expect(application_settings.issues_create_limit).to eq(600)
+    end
+  end
 end