
Make rate limiting of /users/:id configurable

Resolves #350481 (closed)

In order to better discriminate between short bursts of legitimate requests and sustained misuse such as user enumeration attacks, we increase both the rate limit and the interval to 300 per 10 minutes (instead of 10 per minute).

Additionally, the limit is now configurable in ApplicationSetting, so it can be set per-instance. This is also important in order to avoid hitting the limit on staging when running tests.
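The effect the description argues for, a longer window with a proportionally higher limit letting short legitimate bursts through while still throttling a sustained enumeration, can be checked with a small simulation. The code below is an added example and not GitLab's own rate limiter: it assumes a simplified fixed-window counter (GitLab's real implementation is not reproduced here), reads `limit` and `interval` from a plain hash that stands in for the `users_get_by_id_limit` setting, and replays two constructed traffic patterns against the old policy (10 per minute) and the new one (300 per 10 minutes).

```ruby
# Added example, not GitLab code: fixed-window counter keyed per client+endpoint.
# `limit` and `interval` (seconds) are assumed to come from an application
# setting such as users_get_by_id_limit; the counter itself is a simplification.
class FixedWindowLimiter
  def initialize(limit:, interval:)
    @limit = limit
    @interval = interval
    @windows = Hash.new { |h, k| h[k] = { start: nil, count: 0 } }
  end

  # Returns true if a request from `key` at time `now` (seconds) is allowed.
  def allow?(key, now)
    w = @windows[key]
    if w[:start].nil? || now - w[:start] >= @interval
      w[:start] = now   # open a new window
      w[:count] = 0
    end
    w[:count] += 1
    w[:count] <= @limit
  end
end

# Replay request timestamps for one client and count how many get throttled.
def throttled_count(limiter, key, timestamps)
  timestamps.count { |t| !limiter.allow?(key, t) }
end

# Constructed traffic (not measured data):
# - a legitimate burst: 40 requests within the first 20 seconds, then silence
# - sustained enumeration: one request per second for 20 minutes (1200 requests)
BURST = (0...40).map { |i| i * 0.5 }
ENUMERATION = (0...1200).map { |i| i * 1.0 }

OLD_POLICY = { limit: 10, interval: 60 }     # previous: 10 per minute
NEW_POLICY = { limit: 300, interval: 600 }   # this MR: 300 per 10 minutes

# Throttled request counts for both patterns under a given policy.
def compare(policy)
  {
    burst: throttled_count(FixedWindowLimiter.new(**policy), 'client-a:/users/:id', BURST),
    enumeration: throttled_count(FixedWindowLimiter.new(**policy), 'client-b:/users/:id', ENUMERATION)
  }
end

puts "old policy: #{compare(OLD_POLICY)}"   # burst is throttled too
puts "new policy: #{compare(NEW_POLICY)}"   # burst passes, enumeration still throttled
```

Under the old policy the 40-request burst loses 30 requests while the enumerator is throttled 1000 times; under the new policy the burst passes untouched and the enumerator is still throttled 600 times over the 20 minutes.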

Database review

gitlab:configurable-rate-limit-get-users-by-id$ bundle exec rails db:rollback                                          ~/gitlab/gitlab-development-kit/gitlab
== 20220117083129 AddUsersGetByIdLimitToApplicationSetting: reverting =========
-- remove_column(:application_settings, :users_get_by_id_limit, :integer, {:null=>false, :default=>300})
   -> 0.0121s
== 20220117083129 AddUsersGetByIdLimitToApplicationSetting: reverted (0.0159s)

gitlab:configurable-rate-limit-get-users-by-id+$ bundle exec rails db:migrate                                          ~/gitlab/gitlab-development-kit/gitlab
== 20220117083129 AddUsersGetByIdLimitToApplicationSetting: migrating =========
-- add_column(:application_settings, :users_get_by_id_limit, :integer, {:null=>false, :default=>300})
   -> 0.0065s
== 20220117083129 AddUsersGetByIdLimitToApplicationSetting: migrated (0.0066s)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Magdalena Frankiewicz
