Make rate limiting of /users/:id configurable
Resolves #350481 (closed)
In order to better discriminate between short bursts of legitimate requests and sustained misuse such as user enumeration attacks, we increase both the rate limit and the interval to 300 per 10 minutes (instead of 10 per minute).
Additionally, the limit is now configurable in ApplicationSetting, so it can be set per-instance. This is also important in order to avoid hitting the limit on staging when running tests.
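As an added example (not GitLab's code), the following simplified sliding-window throttle takes the limit and interval as parameters and replays a constructed short burst and a constructed sustained enumeration against the old 10-per-minute and the new 300-per-10-minutes settings; `Throttle`, `count_rejections` and both scenarios are assumptions made for illustration.

```ruby
# Added example, not GitLab's implementation: a sliding-window throttle whose
# limit and interval are configurable, standing in for the per-instance setting
# (users_get_by_id_limit) the merge request introduces.
class Throttle
  attr_reader :limit, :interval

  def initialize(limit:, interval:)
    @limit = limit        # maximum requests per window
    @interval = interval  # window length in seconds
    @windows = Hash.new { |h, k| h[k] = [] } # actor => timestamps still inside the window
  end

  # true if the request may proceed, false if it should be rejected (HTTP 429).
  def allow?(actor, now)
    log = @windows[actor]
    log.reject! { |t| now - t >= @interval } # forget requests older than the window
    return false if log.size >= @limit
    log << now
    true
  end
end

# Replay request timestamps (seconds offset from a constructed t0) and count rejections.
def count_rejections(throttle, actor, offsets)
  t0 = Time.utc(2022, 1, 17, 8, 31, 29)
  offsets.count { |o| !throttle.allow?(actor, t0 + o) }
end

# Scenario 1 (constructed): a legitimate burst of 30 requests within 3 seconds.
BURST = Array.new(30) { |i| i * 0.1 }
# Scenario 2 (constructed): sustained enumeration, one request per second for 10 minutes.
ENUMERATION = (0...600).to_a

# Compare the old setting (10 per minute) with the new default (300 per 10 minutes).
def compare
  old_limit = { limit: 10, interval: 60 }
  new_limit = { limit: 300, interval: 600 }
  {
    old_burst: count_rejections(Throttle.new(**old_limit), 'client-a', BURST), # 20 rejected: legitimate user throttled
    new_burst: count_rejections(Throttle.new(**new_limit), 'client-a', BURST), # 0 rejected: burst fits the larger window
    old_enum: count_rejections(Throttle.new(**old_limit), 'client-b', ENUMERATION),  # 500 rejected (10 allowed per minute)
    new_enum: count_rejections(Throttle.new(**new_limit), 'client-b', ENUMERATION)   # 300 rejected (300 allowed per 10 minutes)
  }
end
```

Either setting caps an enumerator at `limit` lookups per `interval`; the longer window simply stops penalising a short legitimate burst, which is the discrimination the description refers to.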
Database review
gitlab:configurable-rate-limit-get-users-by-id$ bundle exec rails db:rollback ~/gitlab/gitlab-development-kit/gitlab
== 20220117083129 AddUsersGetByIdLimitToApplicationSetting: reverting =========
-- remove_column(:application_settings, :users_get_by_id_limit, :integer, {:null=>false, :default=>300})
-> 0.0121s
== 20220117083129 AddUsersGetByIdLimitToApplicationSetting: reverted (0.0159s)
gitlab:configurable-rate-limit-get-users-by-id+$ bundle exec rails db:migrate ~/gitlab/gitlab-development-kit/gitlab
== 20220117083129 AddUsersGetByIdLimitToApplicationSetting: migrating =========
-- add_column(:application_settings, :users_get_by_id_limit, :integer, {:null=>false, :default=>300})
-> 0.0065s
== 20220117083129 AddUsersGetByIdLimitToApplicationSetting: migrated (0.0066s)
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Magdalena Frankiewicz