Commit 497239d4 authored by Heinrich Lee Yu's avatar Heinrich Lee Yu Committed by Stan Hu

Upgrade Rack Attack to 6.0.0

This adds support for Rails' builtin redis store
parent 5d2d1d79
...@@ -259,9 +259,6 @@ gem 'loofah', '~> 2.2' ...@@ -259,9 +259,6 @@ gem 'loofah', '~> 2.2'
# Working with license # Working with license
gem 'licensee', '~> 8.9' gem 'licensee', '~> 8.9'
# Protect against bruteforcing
gem 'rack-attack', '~> 4.4.1'
# Ace editor # Ace editor
gem 'ace-rails-ap', '~> 4.1.0' gem 'ace-rails-ap', '~> 4.1.0'
...@@ -293,6 +290,9 @@ gem 'base32', '~> 0.3.0' ...@@ -293,6 +290,9 @@ gem 'base32', '~> 0.3.0'
gem "gitlab-license", "~> 1.0" gem "gitlab-license", "~> 1.0"
# Protect against bruteforcing
gem 'rack-attack', '~> 6.2.0'
# Sentry integration # Sentry integration
gem 'sentry-raven', '~> 2.9' gem 'sentry-raven', '~> 2.9'
......
...@@ -734,8 +734,8 @@ GEM ...@@ -734,8 +734,8 @@ GEM
rack (2.0.7) rack (2.0.7)
rack-accept (0.4.5) rack-accept (0.4.5)
rack (>= 0.4) rack (>= 0.4)
rack-attack (4.4.1) rack-attack (6.2.0)
rack rack (>= 1.0, < 3)
rack-cors (1.0.2) rack-cors (1.0.2)
rack-oauth2 (1.9.3) rack-oauth2 (1.9.3)
activesupport activesupport
...@@ -1256,7 +1256,7 @@ DEPENDENCIES ...@@ -1256,7 +1256,7 @@ DEPENDENCIES
puma (~> 3.12) puma (~> 3.12)
puma_worker_killer puma_worker_killer
rack (~> 2.0.7) rack (~> 2.0.7)
rack-attack (~> 4.4.1) rack-attack (~> 6.2.0)
rack-cors (~> 1.0.0) rack-cors (~> 1.0.0)
rack-oauth2 (~> 1.9.3) rack-oauth2 (~> 1.9.3)
rack-proxy (~> 0.6.0) rack-proxy (~> 0.6.0)
......
rack_attack_enabled = Gitlab.config.rack_attack.git_basic_auth['enabled'] # Tell the Rack::Attack Rack middleware to maintain an IP blacklist.
# We update the blacklist in Gitlab::Auth::IpRateLimiter.
Rack::Attack.blocklist('Git HTTP Basic Auth') do |req|
next false unless Gitlab.config.rack_attack.git_basic_auth.enabled
unless Rails.env.test? || !rack_attack_enabled Rack::Attack::Allow2Ban.filter(req.ip, Gitlab.config.rack_attack.git_basic_auth) do
# Tell the Rack::Attack Rack middleware to maintain an IP blacklist. We will # This block only gets run if the IP was not already banned.
# update the blacklist from Grack::Auth#authenticate_user. # Return false, meaning that we do not see anything wrong with the
Rack::Attack.blacklist('Git HTTP Basic Auth') do |req| # request at this time
Rack::Attack::Allow2Ban.filter(req.ip, Gitlab.config.rack_attack.git_basic_auth) do false
# This block only gets run if the IP was not already banned.
# Return false, meaning that we do not see anything wrong with the
# request at this time
false
end
end end
end end
...@@ -2,8 +2,10 @@ ...@@ -2,8 +2,10 @@
# #
# Adds logging for all Rack Attack blocks and throttling events. # Adds logging for all Rack Attack blocks and throttling events.
ActiveSupport::Notifications.subscribe('rack.attack') do |name, start, finish, request_id, req| ActiveSupport::Notifications.subscribe(/rack_attack/) do |name, start, finish, request_id, payload|
if [:throttle, :blacklist].include? req.env['rack.attack.match_type'] req = payload[:request]
if [:throttle, :blocklist].include? req.env['rack.attack.match_type']
rack_attack_info = { rack_attack_info = {
message: 'Rack_Attack', message: 'Rack_Attack',
env: req.env['rack.attack.match_type'], env: req.env['rack.attack.match_type'],
......
...@@ -450,16 +450,22 @@ describe 'Git HTTP requests' do ...@@ -450,16 +450,22 @@ describe 'Git HTTP requests' do
context "when authentication fails" do context "when authentication fails" do
context "when the user is IP banned" do context "when the user is IP banned" do
before do before do
Gitlab.config.rack_attack.git_basic_auth['enabled'] = true stub_rack_attack_setting(enabled: true)
end end
it "responds with status 401" do it "responds with status 403" do
expect(Rack::Attack::Allow2Ban).to receive(:filter).and_return(true) expect(Rack::Attack::Allow2Ban).to receive(:filter).and_return(true)
allow_any_instance_of(ActionDispatch::Request).to receive(:ip).and_return('1.2.3.4') expect(Gitlab::AuthLogger).to receive(:error).with({
message: 'Rack_Attack',
env: :blocklist,
remote_ip: '127.0.0.1',
request_method: 'GET',
path: "/#{path}/info/refs?service=git-upload-pack"
})
clone_get(path, env) clone_get(path, env)
expect(response).to have_gitlab_http_status(:unauthorized) expect(response).to have_gitlab_http_status(:forbidden)
end end
end end
end end
...@@ -493,7 +499,7 @@ describe 'Git HTTP requests' do ...@@ -493,7 +499,7 @@ describe 'Git HTTP requests' do
context "when the user isn't blocked" do context "when the user isn't blocked" do
before do before do
Gitlab.config.rack_attack.git_basic_auth['enabled'] = true stub_rack_attack_setting(enabled: true, bantime: 1.minute, findtime: 5.minutes, maxretry: 2, ip_whitelist: [])
end end
it "resets the IP in Rack Attack on download" do it "resets the IP in Rack Attack on download" do
...@@ -652,9 +658,11 @@ describe 'Git HTTP requests' do ...@@ -652,9 +658,11 @@ describe 'Git HTTP requests' do
response.status response.status
end end
include_context 'rack attack cache store'
it "repeated attempts followed by successful attempt" do it "repeated attempts followed by successful attempt" do
options = Gitlab.config.rack_attack.git_basic_auth options = Gitlab.config.rack_attack.git_basic_auth
maxretry = options[:maxretry] - 1 maxretry = options[:maxretry]
ip = '1.2.3.4' ip = '1.2.3.4'
allow_any_instance_of(ActionDispatch::Request).to receive(:ip).and_return(ip) allow_any_instance_of(ActionDispatch::Request).to receive(:ip).and_return(ip)
...@@ -666,12 +674,6 @@ describe 'Git HTTP requests' do ...@@ -666,12 +674,6 @@ describe 'Git HTTP requests' do
expect(attempt_login(true)).to eq(200) expect(attempt_login(true)).to eq(200)
expect(Rack::Attack::Allow2Ban.banned?(ip)).to be_falsey expect(Rack::Attack::Allow2Ban.banned?(ip)).to be_falsey
maxretry.times.each do
expect(attempt_login(false)).to eq(401)
end
Rack::Attack::Allow2Ban.reset(ip, options)
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment