
Update spamcheck to version 1.2.0

Ian Anderson requested to merge update-spamcheck into master

What does this MR do and why?

This MR updates the spamcheck gem to version 1.2.0. This update includes features that are needed to eventually aggregate per-user spam scores to allow for automated anti-abuse actions.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

In addition to the changes in the spec files, proper functionality of spamcheck can be validated locally.

  1. Run the spamcheck service locally
    docker run --rm -p 8001:8001 registry.gitlab.com/gitlab-org/gl-security/security-engineering/security-automation/spam/spamcheck:1.6.1
  2. Enable spamcheck in your local GDK instance by navigating to admin/application_settings/reporting.
    • Enable spamcheck
    • Set the URL of the external Spam Check endpoint to grpc://localhost:8001
  3. As a regular user, create an issue in a public project (e.g. gitlab-org/gitlab-test). It is important that the user is not a member of the project.
  4. You should see logs from the spamcheck service that the issue was checked for spam.
  5. Since spamcheck defaults to ALLOW if any errors occur, create a "spammy" issue and verify that it is blocked.
    curl -i --request POST --header "PRIVATE-TOKEN: <TOKEN>" "http://gdk.test:3000/api/v4/projects/2/issues?title=live%20stream&description=Check%20the%20latest%20streaming%20sports%20here"
    HTTP/1.1 409 Conflict
    Cache-Control: no-cache
    Content-Security-Policy: default-src 'none'
    Content-Type: application/json
    Vary: Origin
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-Request-Id: 01GX6FYXTXFYVH0JNCWZYNM5BY
    X-Runtime: 7.282446
    Date: Tue, 04 Apr 2023 16:00:30 GMT
    Content-Length: 235

    {"needs_captcha_response":true,"spam_log_id":234,"captcha_site_key":"6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI","message":{"error":"Your issue has been recognized as spam. Please, change the content or solve the reCAPTCHA to proceed."}}
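As an added helper that is not part of this MR, the script below runs step 5 and interprets the API response so the fail-open behaviour does not go unnoticed; it assumes the GDK URL http://gdk.test:3000, project id 2 and a token supplied in GITLAB_TOKEN (names taken from the steps above or constructed here).

```shell
#!/usr/bin/env sh
# Added validation helper (not part of the MR): sends the "spammy" issue from
# step 5 and fails unless spamcheck actually blocked it.
# Assumptions: GDK at http://gdk.test:3000, project id 2, token in GITLAB_TOKEN.
GDK_URL="${GDK_URL:-http://gdk.test:3000}"
PROJECT_ID="${PROJECT_ID:-2}"

# Interpret an API response given its HTTP status code and JSON body.
# Prints BLOCKED when spamcheck flagged the issue (HTTP 409 with
# needs_captcha_response), ALLOWED when the issue was created (HTTP 201),
# and UNEXPECTED otherwise. Because spamcheck fails open, ALLOWED for a
# spammy payload means the service was not reached or errored, so check
# its logs (step 4) rather than assuming the content was judged clean.
classify_spam_response() {
  st="$1"
  bd="$2"
  case "$st" in
    409)
      if printf '%s' "$bd" | grep -q '"needs_captcha_response":true'; then
        echo BLOCKED
      else
        echo UNEXPECTED
      fi
      ;;
    201) echo ALLOWED ;;
    *)   echo UNEXPECTED ;;
  esac
}

# Extract spam_log_id so the block can be cross-checked in the admin Spam Logs
# page; prints nothing when the field is absent.
spam_log_id() {
  printf '%s' "$1" | sed -n 's/.*"spam_log_id":\([0-9]*\).*/\1/p'
}

# Only send the request when a token is supplied; the query mirrors step 5.
if [ -n "${GITLAB_TOKEN:-}" ]; then
  status=$(curl -s -o /tmp/spamcheck_body.json -w '%{http_code}' \
    --request POST --header "PRIVATE-TOKEN: ${GITLAB_TOKEN}" \
    "${GDK_URL}/api/v4/projects/${PROJECT_ID}/issues?title=live%20stream&description=Check%20the%20latest%20streaming%20sports%20here")
  body=$(cat /tmp/spamcheck_body.json)
  result=$(classify_spam_response "$status" "$body")
  echo "spamcheck result: $result (spam_log_id=$(spam_log_id "$body"))"
  [ "$result" = BLOCKED ] || exit 1
fi
```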

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Ian Anderson
