Module: Gitlab::RackAttack::Request

Includes:
Utils::StrongMemoize
Defined in:
lib/gitlab/rack_attack/request.rb

Constant Summary

# Anything under /api/, plus any path containing /oauth/. Note the second
# alternative has no anchor, so "/oauth/" matches anywhere in the path.
# NOTE(review): `^`/`$` are line anchors; `\A`/`\z` would be the strict
# whole-string form. Rack's PATH_INFO should not contain newlines, so this is
# a hardening nit rather than a known bug — confirm before tightening.
API_PATH_REGEX =
%r{^/api/|/oauth/}
# Repository file endpoints of the versioned projects API; presumably what
# files_api_path? (defined elsewhere) checks — verify.
FILES_PATH_REGEX =
%r{^/api/v\d+/projects/[^/]+/repository/files/.+}
# A single group resource under the versioned API, with optional trailing slash.
# Not referenced by any method visible in this listing.
GROUP_PATH_REGEX =
%r{^/api/v\d+/groups/[^/]+/?$}
# Runner job endpoints; presumably backs runner_jobs_request?, which exempts
# these from the authenticated API throttle — verify.
RUNNER_JOBS_PATH_REGEX =
%r{^/api/v\d+/jobs/}

Instance Method Summary

Instance Method Details

#api_internal_request? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 48

# True for requests to the internal API (/api/v*/internal/). Such requests are
# excluded from throttling through #should_be_skipped?, so this prefix match is
# load-bearing for rate limiting: anything the regex accepts is never counted.
#
# @return [Boolean]
def api_internal_request?
  internal_api = %r{^/api/v\d+/internal/}
  matches?(internal_api)
end

#api_request? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 36

# Whether the request targets the API (see API_PATH_REGEX, which also treats
# any path containing /oauth/ as API traffic).
#
# @return [Boolean]
def api_request?
  API_PATH_REGEX.match?(logical_path)
end

#authenticated_runner_id ⇒ Object



# File 'lib/gitlab/rack_attack/request.rb', line 32

# Id of the runner that authenticated this request, if any.
#
# @return [Object, nil] the runner's id, or nil when request_authenticator
#   resolves no runner
def authenticated_runner_id
  runner = request_authenticator.runner
  runner&.id
end

#container_registry_event? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 56

# True for container registry event notifications
# (/api/v*/container_registry_event/). These are exempted from throttling via
# #should_be_skipped?, so the endpoint itself must carry its own authentication.
#
# @return [Boolean]
def container_registry_event?
  registry_events = %r{^/api/v\d+/container_registry_event/}
  matches?(registry_events)
end

#get_request_protected_path? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 76

# Whether the path is one of the protected paths configured for GET requests.
# The regex comes from protected_paths_for_get_request_regex (not shown here).
#
# @return [Boolean]
def get_request_protected_path?
  protected_get_paths = protected_paths_for_get_request_regex
  matches?(protected_get_paths)
end

#health_check_request? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 52

# True for the health/liveness/readiness/metrics probe endpoints under /-/.
# The regex has no trailing anchor, so it is a prefix match: any path that
# begins with one of these words (e.g. /-/healthz-like paths) also qualifies
# and is thereby excluded from throttling by #should_be_skipped?.
#
# @return [Boolean]
def health_check_request?
  probe_paths = %r{^/-/(health|liveness|readiness|metrics)}
  matches?(probe_paths)
end

#logical_path ⇒ Object



# File 'lib/gitlab/rack_attack/request.rb', line 40

# Request path with the instance's relative URL root removed, so the path
# regexes in this module can be written against "/" as the application root.
# Memoized per request.
#
# @return [String]
def logical_path
  @logical_path ||= begin
    url_root = Gitlab.config.gitlab.relative_url_root
    # delete_prefix only strips when the path really starts with url_root;
    # otherwise the path is returned unchanged.
    path.delete_prefix(url_root)
  end
end

#matches?(regex) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 44

# Tests the root-relative path against +regex+.
#
# @param regex [Regexp] pattern to test the logical path against
# @return [Boolean]
def matches?(regex)
  root_relative_path = logical_path
  root_relative_path.match?(regex)
end

#product_analytics_collector_request? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 60

# True for product analytics collector requests, identified by a literal path
# prefix rather than a regex.
#
# @return [Boolean]
def product_analytics_collector_request?
  collector_prefix = '/-/collector/i'
  logical_path.start_with?(collector_prefix)
end

#protected_path? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 72

# Whether the path is one of the configured protected paths (the regex comes
# from protected_paths_regex, defined elsewhere).
#
# @return [Boolean]
def protected_path?
  protected_paths = protected_paths_regex
  matches?(protected_paths)
end

#should_be_skipped? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 64

# Requests that the unauthenticated throttles never count: internal API calls,
# health probes and container registry events. Each is recognised by path
# prefix only, so the exempted endpoints must enforce their own access control.
#
# @return [Boolean]
def should_be_skipped?
  return true if api_internal_request?
  return true if health_check_request?

  container_registry_event?
end

#throttle?(throttle, authenticated:) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 80

# Evaluates the +throttle_*?+ predicate selected by +throttle+ and
# +authenticated+.
#
# @param throttle [Symbol, String] throttle name accepted by
#   Gitlab::Throttle.throttle_fragment!
# @param authenticated [Boolean] which variant of the throttle to evaluate
# @return [Boolean] result of the dispatched predicate
def throttle?(throttle, authenticated:)
  # The method name is built from throttle_fragment!'s return value, not from
  # the raw argument; the bang suggests it rejects unknown throttles, which is
  # what keeps this dynamic dispatch bounded — confirm in Gitlab::Throttle
  # before exposing this to new callers.
  fragment = Gitlab::Throttle.throttle_fragment!(throttle, authenticated: authenticated)
  predicate = :"#{fragment}?"

  __send__(predicate) # rubocop:disable GitlabSecurity/PublicSend
end

#throttle_authenticated_api? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 106

# General authenticated API throttle. Applies to API requests that are not
# frontend or runner-job traffic and are not already covered by the more
# specific packages, files or deprecated-API throttles.
#
# @return [Boolean]
def throttle_authenticated_api?
  return false unless api_request?
  return false if frontend_request?
  return false if runner_jobs_request?
  # Requests owned by a more specific throttle are not double-counted here.
  return false if throttle_authenticated_packages_api?
  return false if throttle_authenticated_files_api?
  return false if throttle_authenticated_deprecated_api?

  Gitlab::Throttle.settings.throttle_authenticated_api_enabled
end

#throttle_authenticated_deprecated_api? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 210

# Authenticated throttle for deprecated API endpoints (deprecated_api_request?
# is defined elsewhere).
#
# @return [Boolean]
def throttle_authenticated_deprecated_api?
  return false unless deprecated_api_request?

  Gitlab::Throttle.settings.throttle_authenticated_deprecated_api_enabled
end

#throttle_authenticated_files_api? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 199

# Authenticated throttle for the repository files API (files_api_path? is
# defined elsewhere).
#
# @return [Boolean]
def throttle_authenticated_files_api?
  return false unless files_api_path?

  Gitlab::Throttle.settings.throttle_authenticated_files_api_enabled
end

#throttle_authenticated_get_protected_paths_api? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 152

# Authenticated throttle for GET requests to protected paths on the API.
#
# @return [Boolean]
def throttle_authenticated_get_protected_paths_api?
  return false unless get?
  return false unless api_request?
  return false unless get_request_protected_path?

  Gitlab::Throttle.protected_paths_enabled?
end

#throttle_authenticated_get_protected_paths_web? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 159

# Authenticated throttle for GET requests to protected paths on the web UI.
#
# @return [Boolean]
def throttle_authenticated_get_protected_paths_web?
  return false unless get?
  return false unless web_request?
  return false unless get_request_protected_path?

  Gitlab::Throttle.protected_paths_enabled?
end

#throttle_authenticated_git_http? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 183

# Authenticated throttle for Git-over-HTTP traffic (git_path? is defined
# elsewhere).
#
# @return [Boolean]
def throttle_authenticated_git_http?
  return false unless git_path?

  Gitlab::Throttle.settings.throttle_authenticated_git_http_enabled
end

#throttle_authenticated_git_lfs? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 188

# Authenticated throttle for Git LFS traffic (git_lfs_path? is defined
# elsewhere).
#
# @return [Boolean]
def throttle_authenticated_git_lfs?
  return false unless git_lfs_path?

  Gitlab::Throttle.settings.throttle_authenticated_git_lfs_enabled
end

#throttle_authenticated_packages_api? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 172

# Authenticated throttle for the packages API (packages_api_path? is defined
# elsewhere).
#
# @return [Boolean]
def throttle_authenticated_packages_api?
  return false unless packages_api_path?

  Gitlab::Throttle.settings.throttle_authenticated_packages_api_enabled
end

#throttle_authenticated_protected_paths_api? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 130

# Authenticated throttle for POST requests to protected paths on the API.
#
# @return [Boolean]
def throttle_authenticated_protected_paths_api?
  return false unless post?
  return false unless api_request?
  return false unless protected_path?

  Gitlab::Throttle.protected_paths_enabled?
end

#throttle_authenticated_protected_paths_web? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 137

# Authenticated throttle for POST requests to protected paths on the web UI.
#
# @return [Boolean]
def throttle_authenticated_protected_paths_web?
  return false unless post?
  return false unless web_request?
  return false unless protected_path?

  Gitlab::Throttle.protected_paths_enabled?
end

#throttle_authenticated_web? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 116

# General authenticated web throttle: web or frontend requests that are not
# already handled by the Git LFS throttle.
#
# @return [Boolean]
def throttle_authenticated_web?
  browser_traffic = web_request? || frontend_request?
  return false unless browser_traffic
  return false if throttle_authenticated_git_lfs?

  Gitlab::Throttle.settings.throttle_authenticated_web_enabled
end

#throttle_unauthenticated_api? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 86

# General unauthenticated API throttle. Skips exempt paths (#should_be_skipped?),
# frontend traffic, and requests already owned by the packages, files or
# deprecated-API throttles; only fires when the request is unauthenticated.
#
# @return [Boolean]
def throttle_unauthenticated_api?
  return false unless api_request?
  return false if should_be_skipped?
  return false if frontend_request?
  return false if throttle_unauthenticated_packages_api?
  return false if throttle_unauthenticated_files_api?
  return false if throttle_unauthenticated_deprecated_api?

  # The setting is read before the (relatively expensive) authentication check.
  Gitlab::Throttle.settings.throttle_unauthenticated_api_enabled &&
    unauthenticated?
end

#throttle_unauthenticated_deprecated_api? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 204

# Unauthenticated throttle for deprecated API endpoints.
#
# @return [Boolean]
def throttle_unauthenticated_deprecated_api?
  return false unless deprecated_api_request?

  Gitlab::Throttle.settings.throttle_unauthenticated_deprecated_api_enabled &&
    unauthenticated?
end

#throttle_unauthenticated_files_api? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 193

# Unauthenticated throttle for the repository files API.
#
# @return [Boolean]
def throttle_unauthenticated_files_api?
  return false unless files_api_path?

  Gitlab::Throttle.settings.throttle_unauthenticated_files_api_enabled &&
    unauthenticated?
end

#throttle_unauthenticated_get_protected_paths? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 144

# Unauthenticated throttle for GET requests to protected paths (API and web
# alike; exempt paths are skipped).
#
# @return [Boolean]
def throttle_unauthenticated_get_protected_paths?
  return false unless get?
  return false if should_be_skipped?
  return false unless get_request_protected_path?

  Gitlab::Throttle.protected_paths_enabled? &&
    unauthenticated?
end

#throttle_unauthenticated_git_http? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 177

# Unauthenticated throttle for Git-over-HTTP traffic.
#
# @return [Boolean]
def throttle_unauthenticated_git_http?
  return false unless git_path?

  Gitlab::Throttle.settings.throttle_unauthenticated_git_http_enabled &&
    unauthenticated?
end

#throttle_unauthenticated_packages_api? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 166

# Unauthenticated throttle for the packages API.
#
# @return [Boolean]
def throttle_unauthenticated_packages_api?
  return false unless packages_api_path?

  Gitlab::Throttle.settings.throttle_unauthenticated_packages_api_enabled &&
    unauthenticated?
end

#throttle_unauthenticated_protected_paths? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 122

# Unauthenticated throttle for POST requests to protected paths (typically the
# login and similar credential-bearing endpoints; exempt paths are skipped).
#
# @return [Boolean]
def throttle_unauthenticated_protected_paths?
  return false unless post?
  return false if should_be_skipped?
  return false unless protected_path?

  Gitlab::Throttle.protected_paths_enabled? &&
    unauthenticated?
end

#throttle_unauthenticated_web? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 97

# General unauthenticated web throttle: web or frontend requests that are not
# exempt and not Git traffic (Git has its own throttles).
#
# @return [Boolean]
def throttle_unauthenticated_web?
  browser_traffic = web_request? || frontend_request?
  return false unless browser_traffic
  return false if should_be_skipped?
  return false if git_path?

  # TODO: Column will be renamed in https://gitlab.com/gitlab-org/gitlab/-/issues/340031
  Gitlab::Throttle.settings.throttle_unauthenticated_enabled &&
    unauthenticated?
end

#throttled_identifer(request_formats) ⇒ Object



# File 'lib/gitlab/rack_attack/request.rb', line 17

# Builds the key under which a throttle counts this request, or nil when the
# request must not be counted at all. (The method name's spelling is part of
# the public interface and is kept as is.)
#
# @param request_formats [Array<Symbol>] formats handed to
#   #authenticated_identifier
# @return [String, nil] "type:id" for an authenticated caller; nil when no
#   identifier is found or the user is on the RackAttack user allowlist
def throttled_identifer(request_formats)
  identity = authenticated_identifier(request_formats)
  return unless identity

  type = identity[:identifier_type]
  id = identity[:identifier_id]

  # Allowlisted users bypass the throttle entirely. The safelist marker records
  # the reason in the throttle instrumentation so the bypass is attributable.
  if type == :user && Gitlab::RackAttack.user_allowlist.include?(id)
    Gitlab::Instrumentation::Throttle.safelist = 'throttle_user_allowlist'
    return
  end

  "#{type}:#{id}"
end

#unauthenticated? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 13

# True when neither an authenticated identifier (for API, RSS or ICS formats)
# nor an authenticated runner can be resolved for the request.
#
# @return [Boolean]
def unauthenticated?
  no_identifier = !authenticated_identifier(%i[api rss ics])
  # De Morgan of the original !(a || b); the runner lookup only runs when no
  # identifier was found.
  no_identifier && !authenticated_runner_id
end

#web_request? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 68

# "Web" is defined negatively: anything that is neither an API request nor a
# health-check probe. Git and LFS paths therefore count as web requests here,
# which is why the web throttles exclude them explicitly.
#
# @return [Boolean]
def web_request?
  return false if api_request?

  !health_check_request?
end