Commit 5bdba9cd authored by Stan Hu's avatar Stan Hu

Disable protected path throttling by default

In GitLab 11.0 (see
https://gitlab.com/gitlab-org/gitlab-foss/issues/40973 and
https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests/2237), we
disabled Rack Attack by default in Omnibus.

We inadvertently enabled by default in GitLab 12.4 via
https://gitlab.com/gitlab-org/gitlab/merge_requests/16463. This commit
introduces a database migration to restore the default to off.

This this doesn't touch the existing settings, so admins will have to
know to switch it off if they upgraded to GitLab 12.4.

Closes https://gitlab.com/gitlab-org/gitlab/issues/34212
parent 9dafee7b
---
title: Disable protected path throttling by default
merge_request: 19185
author:
type: fixed
# frozen_string_literal: true
class ChangeDefaultValueOfThrottleProtectedPaths < ActiveRecord::Migration[5.2]
include Gitlab::Database::MigrationHelpers
# Set this constant to true if this migration requires downtime.
DOWNTIME = false
def change
change_column_default :application_settings, :throttle_protected_paths_enabled, from: true, to: false
end
end
...@@ -10,7 +10,7 @@ ...@@ -10,7 +10,7 @@
# #
# It's strongly recommended that you check this file into your version control system. # It's strongly recommended that you check this file into your version control system.
ActiveRecord::Schema.define(version: 2019_10_17_180026) do ActiveRecord::Schema.define(version: 2019_10_26_041447) do
# These are extensions that must be enabled in order to support this database # These are extensions that must be enabled in order to support this database
enable_extension "pg_trgm" enable_extension "pg_trgm"
...@@ -331,7 +331,7 @@ ActiveRecord::Schema.define(version: 2019_10_17_180026) do ...@@ -331,7 +331,7 @@ ActiveRecord::Schema.define(version: 2019_10_17_180026) do
t.string "encrypted_asset_proxy_secret_key_iv" t.string "encrypted_asset_proxy_secret_key_iv"
t.string "static_objects_external_storage_url", limit: 255 t.string "static_objects_external_storage_url", limit: 255
t.string "static_objects_external_storage_auth_token", limit: 255 t.string "static_objects_external_storage_auth_token", limit: 255
t.boolean "throttle_protected_paths_enabled", default: true, null: false t.boolean "throttle_protected_paths_enabled", default: false, null: false
t.integer "throttle_protected_paths_requests_per_period", default: 10, null: false t.integer "throttle_protected_paths_requests_per_period", default: 10, null: false
t.integer "throttle_protected_paths_period_in_seconds", default: 60, null: false t.integer "throttle_protected_paths_period_in_seconds", default: 60, null: false
t.string "protected_paths", limit: 255, default: ["/users/password", "/users/sign_in", "/api/v3/session.json", "/api/v3/session", "/api/v4/session.json", "/api/v4/session", "/users", "/users/confirmation", "/unsubscribes/", "/import/github/personal_access_token"], array: true t.string "protected_paths", limit: 255, default: ["/users/password", "/users/sign_in", "/api/v3/session.json", "/api/v3/session", "/api/v4/session.json", "/api/v4/session", "/users", "/users/confirmation", "/unsubscribes/", "/import/github/personal_access_token"], array: true
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment