
Add user allowlist to bypass Global Search rate limit

Rohit Shambhuni requested to merge search-rate-limit-allowlist-362106 into master

What does this MR do and why?

Related to Respect GITLAB_THROTTLE_USER_ALLOWLIST for Glob... (#362106 - closed).

Fixed a bug in Global Search to allow users in users_allowlist to bypass search rate limits when making authenticated requests to the UI or API.

Fixing this bug is going to help Security as discussed in this internal Slack thread.

Database review

$ bundle exec rails db:rollback:main
main: == [advisory_lock_connection] object_id: 266620, pg_backend_pid: 87280
main: == 20230829045459 AddSearchRateLimitAllowlistToApplicationSettings: reverting =
main: -- remove_column(:application_settings, :search_rate_limit_allowlist, :text, {:array=>true, :default=>[], :null=>false})
main:    -> 0.0043s
main: == 20230829045459 AddSearchRateLimitAllowlistToApplicationSettings: reverted (0.0175s) 

main: == [advisory_lock_connection] object_id: 266620, pg_backend_pid: 87280

$ bundle exec rails db:migrate:main 
main: == [advisory_lock_connection] object_id: 226020, pg_backend_pid: 88070
main: == 20230829045459 AddSearchRateLimitAllowlistToApplicationSettings: migrating =
main: -- add_column(:application_settings, :search_rate_limit_allowlist, :text, {:array=>true, :default=>[], :null=>false})
main:    -> 0.0059s
main: == 20230829045459 AddSearchRateLimitAllowlistToApplicationSettings: migrated (0.0134s) 

main: == [advisory_lock_connection] object_id: 226020, pg_backend_pid: 88070

Screenshots or screen recordings

Screenshot taken locally from https://gdk.test:3443/admin/application_settings/network#js-search-limits-settings

Screenshot_2023-08-29_at_2.10.49_PM

How to set up and validate locally

  1. Run DB migration
  2. Log in as an admin user and go to the Search rate limits section on the Network Settings page
  3. Under Users to exclude from the rate limit, add the username of a user you would like to exclude from the Search rate limits. Click Save Changes
  4. Now search in the API or the UI as the user who was excluded from the rate limit. You can perform searches without getting rate-limited.
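The behaviour this MR describes, as an added illustration that is not GitLab's code: a minimal in-memory search rate limiter where the allowlist (modelled on the new text-array setting, default empty) exempts only authenticated users, while unauthenticated requests are still throttled per IP. The class and method names are hypothetical.

```ruby
# Added example, not GitLab's implementation. SearchRateLimiter and
# search_rate_limit_allowlist are hypothetical names.
class SearchRateLimiter
  # allowlist mirrors the new application_settings column: a text array of
  # usernames, default [] (nobody exempt), never nil.
  def initialize(limit:, period:, allowlist: [], clock: -> { Time.now.to_f })
    @limit = limit
    @period = period
    @allowlist = allowlist
    @clock = clock
    @hits = Hash.new { |h, k| h[k] = [] } # key => timestamps of recent hits
  end

  # Returns true if the search may proceed, false if it is rate limited.
  # user is nil for unauthenticated requests, else responds to #username.
  def allow?(user:, remote_ip:)
    # Only an authenticated user can be exempted; an anonymous request has no
    # trusted username to match against the allowlist, so it is throttled by IP.
    return true if user && @allowlist.include?(user.username)

    key = user ? "user:#{user.username}" : "ip:#{remote_ip}"
    now = @clock.call
    window = @hits[key]
    window.reject! { |t| t <= now - @period } # drop hits outside the window
    return false if window.size >= @limit

    window << now
    true
  end
end

User = Struct.new(:username)

# Constructed sample run: limit 2 searches per 60 s, one allowlisted user.
def demo
  t = 1000.0
  limiter = SearchRateLimiter.new(limit: 2, period: 60,
                                  allowlist: ['security-bot'], clock: -> { t })
  alice = User.new('alice')
  bot = User.new('security-bot')
  {
    alice: 3.times.map { limiter.allow?(user: alice, remote_ip: '10.0.0.1') },
    bot: 3.times.map { limiter.allow?(user: bot, remote_ip: '10.0.0.1') },
    anon: 3.times.map { limiter.allow?(user: nil, remote_ip: '10.0.0.2') }
  }
end
```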

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Rohit Shambhuni
