Add user allowlist to bypass Global Search rate limit
What does this MR do and why?
Related to Respect GITLAB_THROTTLE_USER_ALLOWLIST for Glob... (#362106 - closed).
Fixed a bug in Global Search to allow users in users_allowlist to bypass search rate limits when making authenticated requests to the UI or API.
Fixing this bug is going to help Security as discussed in this internal Slack thread.
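As an added illustration of the behaviour this MR describes (this is not GitLab's own rate-limiter code; the `SearchRateLimiter` class, the `User` struct, the in-memory counters and the sample usernames are all constructed for this example), here is a fixed-window search limiter that exempts authenticated users whose username appears in an allowlist, the way the `search_rate_limit_allowlist` setting is meant to work:

```ruby
# Constructed example: a fixed-window search rate limiter with a user allowlist.
# Not GitLab code; class, struct, store and sample values are all assumptions.

# Minimal stand-in for an authenticated user. An anonymous request is modelled
# as a nil user, so it can never match an allowlist entry.
User = Struct.new(:username)

class SearchRateLimiter
  # threshold: searches allowed per window; interval: window length in seconds.
  # clock is injectable so the example is deterministic.
  def initialize(threshold:, interval:, allowlist: [], clock: -> { Time.now.to_i })
    @threshold = threshold
    @interval = interval
    @allowlist = allowlist.map { |u| u.to_s.downcase } # normalised for comparison
    @clock = clock
    @counters = Hash.new { |h, k| h[k] = [] }           # key => recent request timestamps
  end

  # Only an authenticated user (non-nil) whose username is on the allowlist
  # is exempt; the comparison is case-insensitive in this example.
  def allowlisted?(user)
    return false if user.nil?

    @allowlist.include?(user.username.to_s.downcase)
  end

  # Returns true when the request should be rejected. Allowlisted users are
  # neither throttled nor counted. Anonymous requests are keyed by client IP.
  def throttled?(user, client_ip:)
    return false if allowlisted?(user)

    key = user ? "user:#{user.username.downcase}" : "ip:#{client_ip}"
    now = @clock.call
    window = @counters[key].select { |t| t > now - @interval } # drop expired hits
    window << now
    @counters[key] = window
    window.size > @threshold
  end
end

# Runs a few constructed requests through the limiter and returns, per caller,
# the sequence of throttled? results so they can be inspected or asserted on.
def demo
  fixed_time = 1_000
  limiter = SearchRateLimiter.new(
    threshold: 2, interval: 60,
    allowlist: ["Sec-Scanner"],
    clock: -> { fixed_time }
  )
  alice   = User.new("alice")        # ordinary authenticated user
  scanner = User.new("sec-scanner")  # allowlisted (case differs from config)

  {
    alice:   3.times.map { limiter.throttled?(alice,   client_ip: "203.0.113.5") },
    scanner: 5.times.map { limiter.throttled?(scanner, client_ip: "203.0.113.6") },
    anon:    3.times.map { limiter.throttled?(nil,     client_ip: "203.0.113.7") }
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Two points the example makes explicit: the allowlist is consulted before the counter is touched, so an exempt user's searches are never recorded against a key, and an anonymous request falls back to a per-IP key and cannot claim an allowlisted username, which is why the exemption is limited to authenticated requests.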
Database review
$ bundle exec rails db:rollback:main
main: == [advisory_lock_connection] object_id: 266620, pg_backend_pid: 87280
main: == 20230829045459 AddSearchRateLimitAllowlistToApplicationSettings: reverting =
main: -- remove_column(:application_settings, :search_rate_limit_allowlist, :text, {:array=>true, :default=>[], :null=>false})
main: -> 0.0043s
main: == 20230829045459 AddSearchRateLimitAllowlistToApplicationSettings: reverted (0.0175s)
main: == [advisory_lock_connection] object_id: 266620, pg_backend_pid: 87280
$ bundle exec rails db:migrate:main
main: == [advisory_lock_connection] object_id: 226020, pg_backend_pid: 88070
main: == 20230829045459 AddSearchRateLimitAllowlistToApplicationSettings: migrating =
main: -- add_column(:application_settings, :search_rate_limit_allowlist, :text, {:array=>true, :default=>[], :null=>false})
main: -> 0.0059s
main: == 20230829045459 AddSearchRateLimitAllowlistToApplicationSettings: migrated (0.0134s)
main: == [advisory_lock_connection] object_id: 226020, pg_backend_pid: 88070
Screenshots or screen recordings
Screenshot taken locally from https://gdk.test:3443/admin/application_settings/network#js-search-limits-settings
How to set up and validate locally
- Run DB migration
- Log in as an admin user and go to the "Search rate limits" section on the Network Settings page
- Under "Users to exclude from the rate limit", add the username of a user you would like to exclude from the Search rate limits. Click "Save Changes"
- Now search in the API or the UI as the user who was excluded from the rate limit. You can perform searches without getting rate-limited.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Rohit Shambhuni