Path traversal middleware: log the execution time in ms

Context

In Rack middleware for path traversal checks (!123477 - merged), we introduced a Rack middleware whose idea is to check the request path and, if a path traversal is detected, reject the request. See #413766+ for more details.
Since middlewares are executed for all requests, we are not starting with the "reject the request" part. Instead, we simply log the path traversal attempt and additionally measure the execution time of that check. This is the simulation phase.
In this phase, one of the goals is to measure the impact (execution time) on requests. We certainly don't want to add 1 sec of execution time to all requests.
The middleware is gated behind feature flags so that we can quickly disable it.
We started playing with it on staging and, while trying to get the numbers for the execution time, we got only a collection of 0.
What happens is that we compute the execution time in seconds. However, the middleware logic is quite fast. When the duration_s gets into Kibana, there has to be some rounding or truncation, and our result gets rounded to 0.
This MR attempts to fix that.

What does this MR do and why?

- Compute the path traversal middleware execution time in ms instead of s.
- Log the value into duration_ms instead of duration_s.
- Update the related specs.
Changelog is not needed here as the middleware is behind a feature flag.

Screenshots or screen recordings

None

How to set up and validate locally

- In a Rails console, enable the middleware and enable the execution time logging:
Feature.enable(:check_path_traversal_middleware)
Feature.enable(:log_execution_time_path_traversal_middleware)
- Start the server.
- Access http://gdk.test:8000/foo%2F../bar
- Check log/application_json.log and see:
{"severity":"WARN","time":"2023-10-05T16:57:41.195Z","correlation_id":"01HC0CC327PRP91T226C3J9HMJ","fullpath":"/foo%2F../bar","message":"Potential path traversal attempt detected","duration_ms":0.713,"class_name":"Gitlab::Middleware::PathTraversalCheck"}
Notice the duration_ms field that will report the execution time in ms.
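As an added illustration of the change described above (example code written for this page, not GitLab's own middleware), here is a minimal Rack-style middleware in the spirit of the simulation phase: it times its own check with a monotonic clock, keeps the result in milliseconds with three decimals so that a sub-millisecond check no longer collapses to 0 the way a seconds value did, logs a JSON line shaped like the one shown above, and then lets the request continue. The traversal check itself (one pass of percent-decoding, then looking for a ".." path segment), the class name, the io: keyword and the measure_ms helper are assumptions of this example and are not GitLab's implementation.

```ruby
require 'json'
require 'time'
require 'stringio'

# Added example, not GitLab's own code. Simulation phase: a suspected
# path traversal is logged, never rejected, and the cost of the check
# itself is measured in milliseconds.
class PathTraversalCheckMiddleware
  MESSAGE = 'Potential path traversal attempt detected'

  # Time a block with a monotonic clock; returns [result, elapsed_ms].
  # Rounding a millisecond value to three decimals keeps sub-ms checks
  # visible (e.g. 0.713), where a seconds value rounded to 0.
  def self.measure_ms
    start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
    result = yield
    elapsed_ms = ((Process.clock_gettime(Process::CLOCK_MONOTONIC) - start) * 1000.0).round(3)
    [result, elapsed_ms]
  end

  # One pass of percent-decoding, done on a binary copy so arbitrary
  # bytes never raise encoding errors (assumption of this example; a
  # production check would normalise more carefully).
  def self.decode_path(path)
    path.b.gsub(/%([0-9a-fA-F]{2})/) { [Regexp.last_match(1).hex].pack('C') }
  end

  # A segment that is exactly ".." after decoding counts as traversal;
  # "bar..baz" does not.
  def self.path_traversal?(path)
    decode_path(path).split('/').include?('..')
  end

  # io: anything responding to #puts (assumption); GitLab writes to
  # log/application_json.log instead.
  def initialize(app, io: $stdout)
    @app = app
    @io = io
  end

  def call(env)
    path = env['PATH_INFO'].to_s
    fullpath = path.dup
    fullpath << "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?

    detected, duration_ms = self.class.measure_ms { self.class.path_traversal?(path) }
    log_attempt(fullpath, duration_ms) if detected

    # Simulation phase: the request continues whatever the result.
    @app.call(env)
  end

  private

  def log_attempt(fullpath, duration_ms)
    entry = {
      severity: 'WARN',
      time: Time.now.utc.iso8601(3),
      fullpath: fullpath,
      message: MESSAGE,
      duration_ms: duration_ms, # Float in ms, three decimals
      class_name: self.class.name
    }
    @io.puts(entry.to_json)
  end
end

if $PROGRAM_NAME == __FILE__
  app = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }
  # Same request path as the local validation step above.
  PathTraversalCheckMiddleware.new(app).call('PATH_INFO' => '/foo%2F../bar', 'QUERY_STRING' => '')
end
```

Running the file prints one JSON line for the /foo%2F../bar request and nothing for a clean path; wrapping the check in measure_ms rather than timing the whole call keeps the reported number scoped to the middleware's own cost, which is the figure the simulation phase wants.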

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Merge request reports
Activity
changed milestone to %16.5
added backend, package:active, security, type::maintenance, workflow::in review labels
assigned to @10io
1 Message
CHANGELOG missing: If this merge request needs a changelog entry, add the Changelog trailer to the commit message you want to add to the changelog. If this merge request doesn't need a CHANGELOG entry, feel free to ignore this message.
Reviewer roulette
Changes that require review have been detected!
Please refer to the table below for assigning reviewers and maintainers suggested by Danger in the specified category:
Category: backend
Reviewer: Ravi Kumar (@rkumar555) (UTC+2, same timezone as @10io)
Maintainer: Douglas Barbosa Alexandre (@dbalexandre) (UTC+0, 2 hours behind @10io)
Please check reviewer's status!
Feel free to override these selections if you think someone else would be better-suited or use the GitLab Review Workload Dashboard to find other available reviewers.
To read more on how to use the reviewer roulette, please take a look at the Engineering workflow and code review guidelines. Please consider assigning a reviewer or maintainer who is a domain expert in the area of the merge request.
Once you've decided who will review this merge request, assign them as a reviewer! Danger does not automatically notify them for you.
If needed, you can retry the danger-review job that generated this comment.
Generated by Danger
Allure report
allure-report-publisher generated test report!
e2e-test-on-gdk: test report for 1f35035a
+------------------+--------+--------+---------+-------+-------+--------+
|                  | passed | failed | skipped | flaky | total | result |
+------------------+--------+--------+---------+-------+-------+--------+
| Data Stores      | 18     | 0      | 4       | 0     | 22    | ✅     |
| Create           | 45     | 0      | 2       | 0     | 47    | ✅     |
| Govern           | 35     | 0      | 0       | 0     | 35    | ✅     |
| Plan             | 55     | 0      | 0       | 0     | 55    | ✅     |
| Verify           | 8      | 0      | 0       | 0     | 8     | ✅     |
| Package          | 0      | 0      | 1       | 0     | 1     | ➖     |
| Manage           | 13     | 0      | 1       | 0     | 14    | ✅     |
| Monitor          | 4      | 0      | 0       | 0     | 4     | ✅     |
| Framework sanity | 0      | 0      | 1       | 0     | 1     | ➖     |
+------------------+--------+--------+---------+-------+-------+--------+
| Total            | 178    | 0      | 9       | 0     | 187   | ✅     |
+------------------+--------+--------+---------+-------+-------+--------+
requested review from @rkumar555
requested review from @dbalexandre and removed review request for @rkumar555
@rkumar555, thanks for approving this merge request. This is the first time the merge request has been approved. To ensure full test coverage, a new pipeline will be started shortly.
For more info, please refer to the following links:
added pipeline:mr-approved label
Thanks, @10io! This LGTM
mentioned in commit de1c4a28
added workflow::staging-canary label and removed workflow::in review label
added workflow::canary label and removed workflow::staging-canary label
added workflow::staging label and removed workflow::canary label
added workflow::production label and removed workflow::staging label
added workflow::post-deploy-db-staging label and removed workflow::production label
added workflow::post-deploy-db-production label and removed workflow::post-deploy-db-staging label
mentioned in issue gitlab-com/www-gitlab-com#34443 (closed)
added released::candidate label
added released::published label and removed released::candidate label
mentioned in merge request !152784 (merged)