Apply throttling settings to Files API

Merged Vasilii Iakliushin requested to merge 335075_rate_limiting_for_files_api into master

What does this MR do?

Contributes to #335075


  1. Database migration MR: !68559 (merged)
  2. Throttling configuration form in Admin Area MR: !68560 (merged)
  3. Rack attack configuration MR <== This MR
  4. Documentation update: !68645 (merged)


We want to have an option to rate limit Files API requests.

Current MR

  • Configures Rack Attack to use application settings for Files API throttling

Screenshots or Screencasts (strongly suggested)

How to setup and validate locally (strongly suggested)

  1. Enable feature flag: Feature.enable(:files_api_throttling)
  2. Go to Admin Area -> Network: http://<gdk_url>/admin/application_settings/network
  3. Enable a restrictive rate-limit for Files API and save changes. For example, 2 authorized requests per 15 seconds Screenshot_2021-09-06_at_16.07.26
  4. Restart GDK to apply the rate-limit (gdk restart rails-web)
  5. Make consecutive requests to Files API (for example, http://<gdk_url>/api/v4/projects/4/repository/files/README?ref=master)
  6. Verify that API returns 429 page when rate-limit reached Screenshot_2021-09-06_at_16.11.13

Does this MR meet the acceptance criteria?


Availability and Testing


Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Vasilii Iakliushin