Skip to content

Fix Web Project Export Download rate limiting scope

George Koltsov requested to merge georgekoltsov/fix-project-export-web-rate-limit into master

What does this MR do?

This MR fixes a bug in Web (Controller) Project Export rate limiting, where incorrect scope was applied for export download.

From #323637 (closed)

project_scope = params[:action] == :download_export ? @project : nil return nil because params[:action] is a string and not a symbol.

   522:     prefixed_action = "project_#{params[:action]}".to_sym
   523:
   524:     project_scope = params[:action] == :download_export ? @project : nil
   525: 
   526:     require 'byebug'; byebug
   527: 
=> 528:     if rate_limiter.throttled?(prefixed_action, scope: [current_user, project_scope].compact)
   529:       rate_limiter.log_request(request, "#{prefixed_action}_request_limit".to_sym, current_user)
   530: 
   531:       render plain: _('This endpoint has been requested too many times. Try again later.'), status: :too_many_requests
   532:     end

=> params[:action]

"download_export"

Making it a string fixes this issue, as it does not have to be a symbol. Only the action itself is required to be one according to Gitlab::ApplicationRateLimiter.throttled? documentation.

Screenshots (strongly suggested)

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by George Koltsov

Merge request reports