Module: Gitlab::RackAttack::Request

Includes:
Utils::StrongMemoize
Defined in:
lib/gitlab/rack_attack/request.rb

Constant Summary

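# Repository file-contents API paths (`/api/vN/projects/:id/repository/files/...`),
# used to route requests into the files-API throttles. Anchored with \A rather
# than ^: in Ruby ^ and $ are line anchors, so a path containing a line break
# could otherwise match from the middle of the string.
FILES_PATH_REGEX = %r{\A/api/v\d+/projects/[^/]+/repository/files/.+}
# A single group's API path (`/api/vN/groups/:id`, optional trailing slash,
# nothing after it). \z is used instead of $ for the same reason as above.
GROUP_PATH_REGEX = %r{\A/api/v\d+/groups/[^/]+/?\z}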

Instance Method Summary

Instance Method Details

#api_internal_request? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 46

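# True for the internal API (`/api/vN/internal/...`). Requests matched here
# are exempted from the unauthenticated throttles via #should_be_skipped?,
# so the match is anchored with \A (not ^): ^ only anchors to a line start
# in Ruby, which would let a path containing a line break qualify.
def api_internal_request?
  matches?(%r{\A/api/v\d+/internal/})
end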

#api_request? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 34

# True when the logical (root-stripped) path begins with `/api`. This is
# the split between the API throttles and #web_request?. It is a bare
# string-prefix test, so any path continuing the prefix (e.g. `/apix`)
# would also count; only relevant if such a route existed.
def api_request?
  prefix = '/api'
  logical_path[0, prefix.length] == prefix
end

#authenticated_runner_id ⇒ Object



# File 'lib/gitlab/rack_attack/request.rb', line 30

# ID of the CI runner that authenticated this request, or nil when
# request_authenticator resolved no runner. Used by #unauthenticated? so
# that runner traffic is not counted as anonymous.
def authenticated_runner_id
  runner = request_authenticator.runner
  return if runner.nil?

  runner.id
end

#container_registry_event? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 54

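# True for the container registry event endpoint
# (`/api/vN/container_registry_event/...`). Matched requests bypass the
# unauthenticated throttles through #should_be_skipped?, hence the strict
# \A anchor (^ would also match after a line break inside the path).
def container_registry_event?
  matches?(%r{\A/api/v\d+/container_registry_event/})
end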

#get_request_protected_path? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 74

# True when the logical path matches the regex of paths whose GET requests
# are rate limited (protected_paths_for_get_request_regex, defined
# elsewhere). Consumed by the `*_get_protected_paths*` throttles.
def get_request_protected_path?
  logical_path.match?(protected_paths_for_get_request_regex)
end

#health_check_request? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 50

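# True for the health-check style endpoints under `/-/`: health, liveness,
# readiness and metrics. This is a prefix match with no terminator, so any
# path beginning with one of those segments qualifies. Matched requests are
# excluded from #web_request? and, via #should_be_skipped?, from the
# unauthenticated throttles; the \A anchor (rather than ^) stops a path
# with an embedded line break from qualifying.
def health_check_request?
  matches?(%r{\A/-/(health|liveness|readiness|metrics)})
end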

#logical_path ⇒ Object



# File 'lib/gitlab/rack_attack/request.rb', line 38

# The request path with the configured relative URL root removed, memoised
# on the request object. `delete_prefix` is a plain string operation: it
# removes nothing when the path does not start with the root, and an empty
# root leaves the path untouched. Note it is not segment-aware, so with a
# root of "/gitlab" a path "/gitlabx/..." would become "x/...".
# NOTE(review): assumes relative_url_root is always a String; a nil value
# would make delete_prefix raise TypeError — confirm in the config loader.
def logical_path
  @logical_path ||= begin
    root = Gitlab.config.gitlab.relative_url_root
    path.delete_prefix(root)
  end
end

#matches?(regex) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 42

# Tests the logical (root-stripped) path against +regex+ using match?, so
# no MatchData is allocated. Callers pass Regexp literals; prefer \A and \z
# anchors in them, because ^ and $ only bind to line boundaries in Ruby.
def matches?(regex)
  candidate = logical_path
  candidate.match?(regex)
end

#product_analytics_collector_request? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 58

# True for the product analytics collector endpoint, identified by the bare
# prefix `/-/collector/i` (any path continuing that prefix qualifies). Not
# used by the other predicates in this module.
def product_analytics_collector_request?
  prefix = '/-/collector/i'
  logical_path[0, prefix.length] == prefix
end

#protected_path? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 70

# True when the logical path matches the configured protected-paths regex
# (protected_paths_regex, defined elsewhere). Consumed by the POST-based
# `*_protected_paths*` throttles.
def protected_path?
  logical_path.match?(protected_paths_regex)
end

#should_be_skipped? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 62

# Requests that bypass every `throttle_unauthenticated_*` predicate in this
# module (each of them tests `!should_be_skipped?`): the internal API,
# health-check endpoints and container registry events, checked in that
# order with short-circuiting. Matching here exempts anonymous traffic from
# rate limiting, so keep these matchers tightly anchored and do not add an
# exemption for an endpoint that lacks its own authentication.
def should_be_skipped?
  return true if api_internal_request?
  return true if health_check_request?

  container_registry_event?
end

#throttle?(throttle, authenticated:) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 78

# Evaluates the throttle predicate selected for +throttle+ and the
# +authenticated:+ flag: Gitlab::Throttle.throttle_fragment! turns the pair
# into a method-name fragment and the corresponding "<fragment>?" predicate
# of this module is invoked dynamically. This is where the authenticated /
# unauthenticated split happens; the predicates themselves do not know
# which flag selected them.
# NOTE(review): the dynamic dispatch is acceptable only while the fragment
# is built from the throttle name and flag (presumably configuration), never
# from request data — request-controlled input here would be a
# method-dispatch injection. Confirm against Gitlab::Throttle.
def throttle?(throttle, authenticated:)
  fragment = Gitlab::Throttle.throttle_fragment!(throttle, authenticated: authenticated)
  predicate = "#{fragment}?"

  __send__(predicate) # rubocop:disable GitlabSecurity/PublicSend
end

#throttle_authenticated_api? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 103

# Generic authenticated-API throttle: API paths that are not frontend
# requests and are not already claimed by the more specific packages, files
# or deprecated API throttles (so a request lands in at most one API
# bucket), gated last by the throttle_authenticated_api_enabled setting.
# Whether the request is actually authenticated is decided by the
# `authenticated:` flag in #throttle?, not here.
def throttle_authenticated_api?
  return false unless api_request?
  return false if frontend_request?
  return false if throttle_authenticated_packages_api?
  return false if throttle_authenticated_files_api?
  return false if throttle_authenticated_deprecated_api?

  Gitlab::Throttle.settings.throttle_authenticated_api_enabled
end

#throttle_authenticated_deprecated_api? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 195

# Authenticated throttle for deprecated API endpoints (identified by
# deprecated_api_request?, defined elsewhere), gated by its own setting.
# #throttle_authenticated_api? excludes requests this accepts, so the two
# never overlap.
def throttle_authenticated_deprecated_api?
  deprecated = deprecated_api_request?
  # a falsy helper result is passed through unchanged
  return deprecated unless deprecated

  Gitlab::Throttle.settings.throttle_authenticated_deprecated_api_enabled
end

#throttle_authenticated_files_api? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 184

# Authenticated throttle for the repository files API (files_api_path?,
# defined elsewhere), gated by its own setting. Excluded from
# #throttle_authenticated_api? so a files request is counted once.
def throttle_authenticated_files_api?
  on_files_api = files_api_path?
  # a falsy helper result is passed through unchanged
  return on_files_api unless on_files_api

  Gitlab::Throttle.settings.throttle_authenticated_files_api_enabled
end

#throttle_authenticated_get_protected_paths_api? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 148

# Authenticated GET throttle for protected paths on the API side: a GET
# (get?, presumably Rack::Request#get?) to an API path that matches
# #get_request_protected_path?, gated by
# Gitlab::Throttle.protected_paths_enabled?. The web counterpart is
# #throttle_authenticated_get_protected_paths_web?.
def throttle_authenticated_get_protected_paths_api?
  return false unless get?
  return false unless api_request?
  return false unless get_request_protected_path?

  Gitlab::Throttle.protected_paths_enabled?
end

#throttle_authenticated_get_protected_paths_web? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 155

# Authenticated GET throttle for protected paths on the web side: a GET to
# a non-API, non-health-check path (#web_request?) matching
# #get_request_protected_path?, gated by
# Gitlab::Throttle.protected_paths_enabled?. API counterpart:
# #throttle_authenticated_get_protected_paths_api?.
def throttle_authenticated_get_protected_paths_web?
  return false unless get?
  return false unless web_request?
  return false unless get_request_protected_path?

  Gitlab::Throttle.protected_paths_enabled?
end

#throttle_authenticated_git_lfs? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 173

# Authenticated throttle for Git LFS paths (git_lfs_path?, defined
# elsewhere), gated by its own setting. #throttle_authenticated_web?
# excludes requests this accepts.
def throttle_authenticated_git_lfs?
  on_lfs_path = git_lfs_path?
  # a falsy helper result is passed through unchanged
  return on_lfs_path unless on_lfs_path

  Gitlab::Throttle.settings.throttle_authenticated_git_lfs_enabled
end

#throttle_authenticated_packages_api? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 168

# Authenticated throttle for the packages API (packages_api_path?, defined
# elsewhere), gated by its own setting. Excluded from
# #throttle_authenticated_api? so a packages request is counted once.
def throttle_authenticated_packages_api?
  on_packages_api = packages_api_path?
  # a falsy helper result is passed through unchanged
  return on_packages_api unless on_packages_api

  Gitlab::Throttle.settings.throttle_authenticated_packages_api_enabled
end

#throttle_authenticated_protected_paths_api? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 126

# Authenticated POST throttle for protected paths on the API side: a POST
# (post?, presumably Rack::Request#post?) to an API path matching
# #protected_path?, gated by Gitlab::Throttle.protected_paths_enabled?.
# Only POST is covered; GETs have their own
# #throttle_authenticated_get_protected_paths_api?.
def throttle_authenticated_protected_paths_api?
  return false unless post?
  return false unless api_request?
  return false unless protected_path?

  Gitlab::Throttle.protected_paths_enabled?
end

#throttle_authenticated_protected_paths_web? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 133

# Authenticated POST throttle for protected paths on the web side: a POST
# to a #web_request? path matching #protected_path?, gated by
# Gitlab::Throttle.protected_paths_enabled?. API counterpart:
# #throttle_authenticated_protected_paths_api?.
def throttle_authenticated_protected_paths_web?
  return false unless post?
  return false unless web_request?
  return false unless protected_path?

  Gitlab::Throttle.protected_paths_enabled?
end

#throttle_authenticated_web? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 112

# Generic authenticated web throttle: web requests (#web_request?) and
# frontend requests (frontend_request?, defined elsewhere) that are not
# already claimed by #throttle_authenticated_git_lfs?, gated last by the
# throttle_authenticated_web_enabled setting.
def throttle_authenticated_web?
  in_scope = web_request? || frontend_request?
  # a falsy scope result is passed through unchanged
  return in_scope unless in_scope
  return false if throttle_authenticated_git_lfs?

  Gitlab::Throttle.settings.throttle_authenticated_web_enabled
end

#throttle_unauthenticated_api? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 84

# Generic unauthenticated-API throttle, the limit anonymous API traffic
# hits. Applies to API paths that are not exempt via #should_be_skipped?,
# not frontend requests and not already claimed by the more specific
# unauthenticated packages/files/deprecated throttles; then the
# throttle_unauthenticated_api_enabled setting and, last, #unauthenticated?
# (so the cheaper path and setting checks short-circuit before the
# credential lookup). Exempt paths must rely on their own authentication.
def throttle_unauthenticated_api?
  return false unless api_request?
  return false if should_be_skipped?
  return false if frontend_request?
  return false if throttle_unauthenticated_packages_api?
  return false if throttle_unauthenticated_files_api?
  return false if throttle_unauthenticated_deprecated_api?

  Gitlab::Throttle.settings.throttle_unauthenticated_api_enabled && unauthenticated?
end

#throttle_unauthenticated_deprecated_api? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 189

# Unauthenticated throttle for deprecated API endpoints
# (deprecated_api_request?, defined elsewhere): the path check and its
# setting first, #unauthenticated? last. #throttle_unauthenticated_api?
# excludes requests this accepts.
def throttle_unauthenticated_deprecated_api?
  applicable = deprecated_api_request? &&
    Gitlab::Throttle.settings.throttle_unauthenticated_deprecated_api_enabled
  return applicable unless applicable

  unauthenticated?
end

#throttle_unauthenticated_files_api? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 178

# Unauthenticated throttle for the repository files API (files_api_path?,
# defined elsewhere): path check and setting first, #unauthenticated? last.
# #throttle_unauthenticated_api? excludes requests this accepts.
def throttle_unauthenticated_files_api?
  applicable = files_api_path? &&
    Gitlab::Throttle.settings.throttle_unauthenticated_files_api_enabled
  return applicable unless applicable

  unauthenticated?
end

#throttle_unauthenticated_get_protected_paths? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 140

# Unauthenticated GET throttle for protected paths. Unlike the authenticated
# variants it does not split on API vs web: any GET to a path matching
# #get_request_protected_path? that is not exempt via #should_be_skipped?
# counts, gated by Gitlab::Throttle.protected_paths_enabled? and, last,
# #unauthenticated?.
def throttle_unauthenticated_get_protected_paths?
  return false unless get?
  return false if should_be_skipped?
  return false unless get_request_protected_path?

  Gitlab::Throttle.protected_paths_enabled? && unauthenticated?
end

#throttle_unauthenticated_packages_api? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 162

# Unauthenticated throttle for the packages API (packages_api_path?,
# defined elsewhere): path check and setting first, #unauthenticated? last.
# #throttle_unauthenticated_api? excludes requests this accepts.
def throttle_unauthenticated_packages_api?
  applicable = packages_api_path? &&
    Gitlab::Throttle.settings.throttle_unauthenticated_packages_api_enabled
  return applicable unless applicable

  unauthenticated?
end

#throttle_unauthenticated_protected_paths? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 118

# Unauthenticated POST throttle for protected paths (in GitLab these are
# typically sign-in style endpoints, configured elsewhere), covering both
# API and web paths: a POST to a #protected_path? that is not exempt via
# #should_be_skipped?, gated by Gitlab::Throttle.protected_paths_enabled?
# and, last, #unauthenticated?.
def throttle_unauthenticated_protected_paths?
  return false unless post?
  return false if should_be_skipped?
  return false unless protected_path?

  Gitlab::Throttle.protected_paths_enabled? && unauthenticated?
end

#throttle_unauthenticated_web? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 95

# Generic unauthenticated web throttle: web or frontend requests that are
# not exempt via #should_be_skipped?, gated by the
# throttle_unauthenticated_enabled setting (note the name lacks `_web`, see
# the TODO) and, last, #unauthenticated?.
def throttle_unauthenticated_web?
  in_scope = web_request? || frontend_request?
  # a falsy scope result is passed through unchanged
  return in_scope unless in_scope
  return false if should_be_skipped?

  # TODO: Column will be renamed in https://gitlab.com/gitlab-org/gitlab/-/issues/340031
  Gitlab::Throttle.settings.throttle_unauthenticated_enabled && unauthenticated?
end

#throttled_identifer(request_formats) ⇒ Object



# File 'lib/gitlab/rack_attack/request.rb', line 15

# Discriminator for the authenticated throttles, built from the identifier
# that authenticated_identifier resolves for +request_formats+: returns
# "<type>:<id>" (e.g. "user:42"), or nil when no identifier was resolved.
# A user on Gitlab::RackAttack.user_allowlist also yields nil, after
# recording the 'throttle_user_allowlist' safelist reason for
# instrumentation; callers presumably treat nil as "do not throttle".
# (The method name's spelling is part of the public interface and is kept.)
# NOTE(review): include? compares identifier_id against the allowlist
# entries with ==, so both must use the same type (presumably integer user
# IDs) — a mismatch would silently never allowlist anyone.
def throttled_identifer(request_formats)
  identifier = authenticated_identifier(request_formats)
  return unless identifier

  type = identifier[:identifier_type]
  id = identifier[:identifier_id]
  allowlisted = type == :user && Gitlab::RackAttack.user_allowlist.include?(id)
  return "#{type}:#{id}" unless allowlisted

  Gitlab::Instrumentation::Throttle.safelist = 'throttle_user_allowlist'
  nil
end

#unauthenticated? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 11

# True when neither authenticated_identifier (asked for the api, rss and
# ics formats) nor #authenticated_runner_id yields anything. Every
# `throttle_unauthenticated_*` predicate ends with this check.
# NOTE(review): a request carrying an invalid credential presumably
# resolves no identifier and is therefore rate limited as anonymous —
# confirm in request_authenticator.
def unauthenticated?
  return false if authenticated_identifier([:api, :rss, :ics])
  return false if authenticated_runner_id

  true
end

#web_request? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/rack_attack/request.rb', line 66

# "Web" is everything that is neither an API request nor a health-check
# request; there is no positive match, so e.g. Git-over-HTTP or collector
# paths land here too. Health-check paths therefore belong to neither the
# API nor the web bucket.
def web_request?
  !(api_request? || health_check_request?)
end