Merge branch '55241-rate-limit-issue-creation-api' into 'master'

Introduce rate limit for creating issues via API

See merge request gitlab-org/gitlab!28130

changelogs/unreleased/55241-rate-limit-issue-creation-api.yml

+---
+title: Introduce rate limit for creating issues via API
+merge_request: 28130
+author:
+type: performance

doc/api/issues.md

@@ -740,6 +740,14 @@ the `weight` parameter:
 
 **Note**: The `closed_by` attribute was [introduced in GitLab 10.6](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/17042). This value will only be present for issues which were closed after GitLab 10.6 and when the user account that closed the issue still exists.
 
+## Rate limits
+
+To help avoid abuse, users are limited to:
+
+| Request Type     | Limit                       |
+| ---------------- | --------------------------- |
+| Create           | 300 issues per minute       |
+
 ## Edit issue
 
 Updates an existing project issue. This call is also used to mark an issue as

lib/api/helpers/rate_limiter.rb

+# frozen_string_literal: true
+
+module API
+  module Helpers
+    module RateLimiter
+      def check_rate_limit!(key, scope)
+        if rate_limiter.throttled?(key, scope: scope)
+          log_request(key)
+          render_exceeded_limit_error!
+        end
+      end
+
+      private
+
+      def rate_limiter
+        ::Gitlab::ApplicationRateLimiter
+      end
+
+      def render_exceeded_limit_error!
+        render_api_error!({ error: _('This endpoint has been requested too many times. Try again later.') }, 429)
+      end
+
+      def log_request(key)
+        rate_limiter.log_request(request, "#{key}_request_limit".to_sym, current_user)
+      end
+    end
+  end
+end

lib/api/issues.rb

@@ -4,6 +4,7 @@ module API
   class Issues < Grape::API
     include PaginationParams
     helpers Helpers::IssuesHelpers
+    helpers Helpers::RateLimiter
     helpers ::Gitlab::IssuableMetadata
 
     before { authenticate_non_get! }
@@ -211,6 +212,8 @@ module API
       post ':id/issues' do
         Gitlab::QueryLimiting.whitelist('https://gitlab.com/gitlab-org/gitlab-foss/issues/42320')
 
+        check_rate_limit! :issues_create, [current_user, :issues_create]
+
         authorize! :create_issue, user_project
 
         params.delete(:created_at) unless current_user.can?(:set_issue_created_at, user_project)

lib/api/project_export.rb

@@ -2,15 +2,8 @@
 
 module API
   class ProjectExport < Grape::API
-    helpers do
-      def throttled?(action)
-        rate_limiter.throttled?(action, scope: [current_user, action, user_project])
-      end
+    helpers Helpers::RateLimiter
 
-      def rate_limiter
-        ::Gitlab::ApplicationRateLimiter
-      end
-    end
     before do
       not_found! unless Gitlab::CurrentSettings.project_export_enabled?
       authorize_admin_project
@@ -32,9 +25,7 @@ module API
         detail 'This feature was introduced in GitLab 10.6.'
       end
       get ':id/export/download' do
-        if throttled?(:project_download_export)
-          render_api_error!({ error: 'This endpoint has been requested too many times. Try again later.' }, 429)
-        end
+        check_rate_limit! :project_download_export, [current_user, :project_download_export, user_project]
 
         if user_project.export_file_exists?
           present_carrierwave_file!(user_project.export_file)
@@ -54,9 +45,7 @@ module API
         end
       end
       post ':id/export' do
-        if throttled?(:project_export)
-          render_api_error!({ error: 'This endpoint has been requested too many times. Try again later.' }, 429)
-        end
+        check_rate_limit! :project_export, [current_user, :project_export, user_project]
 
         project_export_params = declared_params(include_missing: false)
         after_export_params = project_export_params.delete(:upload) || {}

lib/api/project_import.rb

@@ -8,19 +8,12 @@ module API
 
     helpers Helpers::ProjectsHelpers
     helpers Helpers::FileUploadHelpers
+    helpers Helpers::RateLimiter
 
     helpers do
       def import_params
         declared_params(include_missing: false)
       end
-
-      def throttled?(key, scope)
-        rate_limiter.throttled?(key, scope: scope)
-      end
-
-      def rate_limiter
-        ::Gitlab::ApplicationRateLimiter
-      end
     end
 
     before do
@@ -69,13 +62,7 @@ module API
       post 'import' do
         require_gitlab_workhorse!
 
-        key = "project_import".to_sym
-
-        if throttled?(key, [current_user, key])
-          rate_limiter.log_request(request, "#{key}_request_limit".to_sym, current_user)
-
-          render_api_error!({ error: _('This endpoint has been requested too many times. Try again later.') }, 429)
-        end
+        check_rate_limit! :project_import, [current_user, :project_import]
 
         Gitlab::QueryLimiting.whitelist('https://gitlab.com/gitlab-org/gitlab-foss/issues/42437')
 

spec/requests/api/issues/post_projects_issues_spec.rb

@@ -381,6 +381,20 @@ describe API::Issues do
         end.not_to change { project.labels.count }
       end
     end
+
+    context 'when request exceeds the rate limit' do
+      before do
+        allow(::Gitlab::ApplicationRateLimiter).to receive(:throttled?).and_return(true)
+      end
+
+      it 'prevents users from creating more issues' do
+        post api("/projects/#{project.id}/issues", user),
+        params: { title: 'new issue', labels: 'label, label2', weight: 3, assignee_ids: [user2.id] }
+
+        expect(response).to have_gitlab_http_status(:too_many_requests)
+        expect(json_response['message']['error']).to eq('This endpoint has been requested too many times. Try again later.')
+      end
+    end
   end
 
   describe 'POST /projects/:id/issues with spam filtering' do