Skip to content

Add allowlisted users to git anti-abuse service

Hinam Mehra requested to merge anti-abuse/44-add-allowlisted-users-to-git-abuse-service into master

What does this MR do and why?

  1. Adds users that admins have allowlisted to the git anti-abuse service (Abuse::ExcessiveProjectsDownloadBanService) so they don't get banned when they exceed git rate limits.
  2. Resolves https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/45
  3. Why are we implementing an allowlist - see https://gitlab.com/groups/gitlab-org/modelops/anti-abuse/-/epics/1

Screenshots or screen recordings

1. When the user is not added to the allowlist, they get banned if they exceed git anti-abuse rate limits

2. When the user is added to the allowlist, they can bypass git anti-abuse rate limits

How to set up and validate locally

  1. Enable the feature flag git_abuse_rate_limit_feature_flag and auto_ban_user_on_excessive_projects_download 
bundle exec rails c
> Feature.enable(:git_abuse_rate_limit_feature_flag)
> Feature.enable(:auto_ban_user_on_excessive_projects_download)
  1. Configure git abuse rate limits

This will tell the application that a user is only allowed to clone/fetch 1 git repo in 5 minutes. So if a user were to fetch a 2nd repo in a 5 minute period, they will be banned.

> Gitlab::CurrentSettings.current_application_settings.update(max_number_of_repository_downloads: 1, max_number_of_repository_downloads_within_time_period: 300)
  1. Try cloning 2 git repos as a user. You can use either SSH or HTTP to clone the repos.
> cd anti-abuse-test
> git clone http://127.0.0.1:3000/gituser/git-user-test-project.git 
.. cloning is successful

> git clone http://127.0.0.1:3000/gituser/git-user-test-project-2.git
.. remote: You are not allowed to download code from this project.
   fatal: unable to access 'http://127.0.0.1:3000/gituser/git-user-test-project-2.git/': The requested URL returned error: 403
  1. Unban your user and add them to the allowlist
bundle exec rails c
> User.find_by(username: <YOUR_USERNAME>).unban!
> Gitlab::CurrentSettings.current_application_settings.update(git_rate_limit_users_allowlist: [<YOUR_USERNAME>])
  1. Now try step 3 again and the user won't get banned since they are now part of the allowlist.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Hinam Mehra

Merge request reports