  • #342481
Closed
Open
Issue created Oct 06, 2021 by David Fernandez@10io🔴Maintainer

Improper rack-attack discriminator for `authenticated_packages_api` with a deploy token

🔥 Problem

We currently have several rack-attack throttles configured. One of them is throttle_authenticated_packages_api. When this throttle is triggered, the discriminator is the user_id.

That user_id comes from https://gitlab.com/gitlab-org/gitlab/-/blob/542ca3dcfd56e9e5581af62ff16b939c895ae097/lib/gitlab/rack_attack/request.rb#L14 which in turn will use https://gitlab.com/gitlab-org/gitlab/-/blob/542ca3dcfd56e9e5581af62ff16b939c895ae097/lib/gitlab/auth/request_authenticator.rb#L32.

The problem is that this function doesn't read deploy token objects.

The discriminator will thus be nil, so the throttle evaluation will be aborted, which means no packages API request made with a deploy token will be throttled.

The same problem was discovered for the dependency proxy routes in !71532 (merged)

🚒 Solution

The straightforward solution would be to update #find_sessionless_user so that it returns deploy tokens. Unfortunately, that function is used not only in rack-attack throttles but also here: https://gitlab.com/gitlab-org/gitlab/-/blob/542ca3dcfd56e9e5581af62ff16b939c895ae097/app/controllers/concerns/sessionless_authentication.rb. That concern is used in several Rails controllers.

Given that impacting several Rails controllers at once is not a great idea, we will need an alternative.

Introduce #find_sessionless_user_or_deploy_token, which calls #find_sessionless_user and extends it with finders for deploy tokens. Once we have that, the discriminator could be the object type + id, for example user.23 or deploy_token.23. Using only the id will not work, as user ids and deploy token ids can clash.
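As an added illustration (not GitLab's code), the following Ruby models both discriminators against a minimal stand-in for rack-attack's throttle: a nil discriminator skips counting entirely, while the type-qualified key throttles deploy-token requests and keeps user 23 and deploy token 23 on separate counters. The Request, User, DeployToken and Throttle classes are constructed for the example.

```ruby
# Constructed stand-ins for the real request and authentication objects.
Request = Struct.new(:path, :user, :deploy_token, keyword_init: true)
User = Struct.new(:id)
DeployToken = Struct.new(:id)

# Current behaviour described in the issue: only users are recognised,
# so a request authenticated with a deploy token yields nil.
def user_id_discriminator(request)
  request.user&.id
end

# Proposed behaviour: prefix the id with the object type so that
# user 23 and deploy token 23 never share a throttle bucket.
def user_or_deploy_token_discriminator(request)
  if request.user
    "user.#{request.user.id}"
  elsif request.deploy_token
    "deploy_token.#{request.deploy_token.id}"
  end
end

# Minimal model of a throttle: a nil key aborts evaluation, mirroring
# how the real throttle is simply never counted for such requests.
class Throttle
  def initialize(limit:, &discriminator)
    @limit = limit
    @discriminator = discriminator
    @counts = Hash.new(0)
  end

  # Returns :skipped, :allowed or :throttled for one request.
  def evaluate(request)
    key = @discriminator.call(request)
    return :skipped if key.nil?

    @counts[key] += 1
    @counts[key] > @limit ? :throttled : :allowed
  end
end

# Replays three deploy-token requests through both discriminators,
# then three user requests (same numeric id) through the new one.
def run_scenario(limit: 2)
  old_throttle = Throttle.new(limit: limit) { |r| user_id_discriminator(r) }
  new_throttle = Throttle.new(limit: limit) { |r| user_or_deploy_token_discriminator(r) }
  token_req = Request.new(path: "/api/v4/packages", deploy_token: DeployToken.new(23))
  user_req  = Request.new(path: "/api/v4/packages", user: User.new(23))
  {
    old: Array.new(3) { old_throttle.evaluate(token_req) },
    new_token: Array.new(3) { new_throttle.evaluate(token_req) },
    new_user: Array.new(3) { new_throttle.evaluate(user_req) }
  }
end
```

With a limit of 2, the old discriminator returns :skipped for every deploy-token request, while the new one throttles the third request for each principal independently.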

Edited Oct 07, 2021 by David Fernandez