Enforce rate limit per IP on /users/:username/exists

This is to mitigate abuse, such as mass attempts to discover usernames Changelog: security

Enforce rate limit per IP on /users/:username/exists
5e9c4d18 · Magdalena Frankiewicz · aa527966 · 5e9c4d18 · 5e9c4d18 · 5e9c4d18
Verified Commit 5e9c4d18 authored 3 years ago by Magdalena Frankiewicz
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -23,6 +23,7 @@ class UsersController < ApplicationController
  before_action :user, except: [:exists]
  before_action :authorize_read_user_profile!,
                only: [:calendar, :calendar_activities, :groups, :projects, :contributed, :starred, :snippets, :followers, :following]
+  before_action -> { check_rate_limit!(:username_exists, scope: request.ip) }, only: [:exists]

  feature_category :users


--- a/lib/gitlab/application_rate_limiter.rb
+++ b/lib/gitlab/application_rate_limiter.rb
@@ -50,6 +50,7 @@ def rate_limits
          profile_add_new_email:        { threshold: 5, interval: 1.minute },
          web_hook_calls:               { interval: 1.minute },
          users_get_by_id:              { threshold: 10, interval: 1.minute },
+          username_exists:              { threshold: 20, interval: 1.minute },
          profile_resend_email_confirmation:  { threshold: 5, interval: 1.minute },
          update_environment_canary_ingress:  { threshold: 1, interval: 1.minute },
          auto_rollback_deployment:           { threshold: 1, interval: 3.minutes },

--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -636,6 +636,8 @@ def create_note_event
  describe 'GET #exists' do
    before do
      sign_in(user)
+
+      allow(::Gitlab::ApplicationRateLimiter).to receive(:throttled?).and_return(false)
    end

    context 'when user exists' do
@@ -677,6 +679,17 @@ def create_note_event
        end
      end
    end
+
+    context 'when the rate limit has been reached' do
+      it 'returns JSON indicating the user exists', :aggregate_failures do
+        ip = '1.2.3.4'
+        expect(::Gitlab::ApplicationRateLimiter).to receive(:throttled?).with(:username_exists, scope: ip).and_return(true)
+
+        get user_exists_url(user.username), env: { 'REMOTE_ADDR': ip }
+
+        expect(response).to have_gitlab_http_status(:too_many_requests)
+      end
+    end
  end

  describe '#ensure_canonical_path' do