Merge branch '247454-check-csrf-token-in-usagedata-api' into 'master'

Check CSRF token in UsageData API - RUN AS-IF-FOSS Closes #247454 See merge request gitlab-org/gitlab!41984

Merge branch '247454-check-csrf-token-in-usagedata-api' into 'master'
Check CSRF token in UsageData API - RUN AS-IF-FOSS Closes #247454 See merge request gitlab-org/gitlab!41984
7f675ac2 · Sean McGivern · c39a67de · c3cc20b6 · 7f675ac2 · 7f675ac2
Commit 7f675ac2 authored Sep 11, 2020 by Sean McGivern
Showing with 20 additions and 2 deletions

doc/development/telemetry/usage_ping.md doc/development/telemetry/usage_ping.md +7 -2

lib/api/usage_data.rb lib/api/usage_data.rb +1 -0

spec/requests/api/usage_data_spec.rb spec/requests/api/usage_data_spec.rb +12 -0

No files found.
--- a/doc/development/telemetry/usage_ping.md
+++ b/doc/development/telemetry/usage_ping.md
@@ -316,6 +316,10 @@ Implemented using Redis methods [PFADD](https://redis.io/commands/pfadd) and [PF

   Increment unique users count using Redis HLL, for given event name.

+   Tracking events using the `UsageData` API requires the `usage_data_api` feature flag to be enabled, which is disabled by default.
+
+   API requests are protected by checking of a valid CSRF token.
+
   In order to be able to increment the values the related feature `usage_data<event_name>` should be enabled.

   ```plaintext
@@ -330,9 +334,10 @@ Implemented using Redis methods [PFADD](https://redis.io/commands/pfadd) and [PF

   Return 200 if tracking failed for any reason.

-   - `401 Unauthorized` if user is not authenticated
-   - `400 Bad request` if event parameter is missing
   - `200` if event was tracked or any errors
+   - `400 Bad request` if event parameter is missing
+   - `401 Unauthorized` if user is not authenticated
+   - `403 Forbidden` for invalid CSRF token provided

 1. Track event using base module `Gitlab::UsageDataCounters::HLLRedisCounter.track_event(entity_id, event_name)`.


--- a/lib/api/usage_data.rb
+++ b/lib/api/usage_data.rb
@@ -7,6 +7,7 @@ module API
    namespace 'usage_data' do
      before do
        not_found! unless Feature.enabled?(:usage_data_api)
+        forbidden!('Invalid CSRF token is provided') unless verified_request?
      end

      desc 'Track usage data events' do

--- a/spec/requests/api/usage_data_spec.rb
+++ b/spec/requests/api/usage_data_spec.rb
@@ -10,6 +10,17 @@ RSpec.describe API::UsageData do
    let(:known_event) { 'g_compliance_dashboard' }
    let(:unknown_event) { 'unknown' }

+    context 'without CSRF token' do
+      it 'returns forbidden' do
+        stub_feature_flags(usage_data_api: true)
+        allow(Gitlab::RequestForgeryProtection).to receive(:verified?).and_return(false)
+
+        post api(endpoint, user), params: { event: known_event }
+
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+    end
+
    context 'usage_data_api feature not enabled' do
      it 'returns not_found' do
        stub_feature_flags(usage_data_api: false)
@@ -33,6 +44,7 @@ RSpec.describe API::UsageData do
        stub_feature_flags(usage_data_api: true)
        stub_feature_flags("usage_data_#{known_event}" => true)
        stub_application_setting(usage_ping_enabled: true)
+        allow(Gitlab::RequestForgeryProtection).to receive(:verified?).and_return(true)
      end

      context 'when event is missing from params' do