Commit 7f675ac2 authored by Sean McGivern

Merge branch '247454-check-csrf-token-in-usagedata-api' into 'master'

Check CSRF token in UsageData API - RUN AS-IF-FOSS

Closes #247454

See merge request gitlab-org/gitlab!41984
parents c39a67de c3cc20b6
...@@ -316,6 +316,10 @@ Implemented using Redis methods [PFADD](https://redis.io/commands/pfadd) and [PF ...@@ -316,6 +316,10 @@ Implemented using Redis methods [PFADD](https://redis.io/commands/pfadd) and [PF
Increment unique users count using Redis HLL, for given event name. Increment unique users count using Redis HLL, for given event name.
Tracking events using the `UsageData` API requires the `usage_data_api` feature flag to be enabled, which is disabled by default.
API requests are protected by checking of a valid CSRF token.
In order to be able to increment the values the related feature `usage_data<event_name>` should be enabled. In order to be able to increment the values the related feature `usage_data<event_name>` should be enabled.
```plaintext ```plaintext
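Review bot: the added sentence "API requests are protected by checking of a valid CSRF token." is ungrammatical and, more importantly, does not tell API consumers where the token is expected; suggest "Requests to this API are protected by a CSRF check and must carry a valid CSRF token." and a pointer to how the token is supplied (header or form parameter), since a client reading only this section cannot tell why it receives the `403` documented below.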
...@@ -330,9 +334,10 @@ Implemented using Redis methods [PFADD](https://redis.io/commands/pfadd) and [PF ...@@ -330,9 +334,10 @@ Implemented using Redis methods [PFADD](https://redis.io/commands/pfadd) and [PF
Return 200 if tracking failed for any reason. Return 200 if tracking failed for any reason.
- `401 Unauthorized` if user is not authenticated
- `400 Bad request` if event parameter is missing
- `200` if event was tracked or any errors - `200` if event was tracked or any errors
- `400 Bad request` if event parameter is missing
- `401 Unauthorized` if user is not authenticated
- `403 Forbidden` for invalid CSRF token provided
1. Track event using base module `Gitlab::UsageDataCounters::HLLRedisCounter.track_event(entity_id, event_name)`. 1. Track event using base module `Gitlab::UsageDataCounters::HLLRedisCounter.track_event(entity_id, event_name)`.
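Review bot: the new list entry "`403 Forbidden` for invalid CSRF token provided" reads awkwardly and only names the invalid-token case, while the guard in `lib/api/usage_data.rb` is a plain `unless verified_request?`, which also fails when no token is sent at all; suggest "`403 Forbidden` if the CSRF token is missing or invalid". Sorting the list by status code is a good change, but note that the intro line above it still says "Return 200 if tracking failed for any reason", which now sits oddly next to three non-200 responses; consider rewording it to "Returns `200` even if tracking fails" so the two statements do not appear to contradict each other.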
...@@ -7,6 +7,7 @@ module API ...@@ -7,6 +7,7 @@ module API
namespace 'usage_data' do namespace 'usage_data' do
before do before do
not_found! unless Feature.enabled?(:usage_data_api) not_found! unless Feature.enabled?(:usage_data_api)
forbidden!('Invalid CSRF token is provided') unless verified_request?
end end
desc 'Track usage data events' do desc 'Track usage data events' do
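Review bot: the `forbidden!` check in the namespace `before` block is unconditional, so it applies to every caller of `usage_data`, including clients that authenticate with a token rather than a session cookie and therefore never carry a CSRF token; unless `verified_request?` already exempts non-session authentication (not visible in this diff), those callers will now get `403`, and a spec covering that path would make the intended behaviour explicit. Ordering the check after `not_found! unless Feature.enabled?(:usage_data_api)` is right, since a disabled flag still yields `404` rather than revealing the endpoint via a `403`. Minor: the error string "Invalid CSRF token is provided" should read "Invalid CSRF token provided" (or "CSRF token missing or invalid"), matching the wording the docs in this merge request use.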
...@@ -10,6 +10,17 @@ RSpec.describe API::UsageData do ...@@ -10,6 +10,17 @@ RSpec.describe API::UsageData do
let(:known_event) { 'g_compliance_dashboard' } let(:known_event) { 'g_compliance_dashboard' }
let(:unknown_event) { 'unknown' } let(:unknown_event) { 'unknown' }
context 'without CSRF token' do
it 'returns forbidden' do
stub_feature_flags(usage_data_api: true)
allow(Gitlab::RequestForgeryProtection).to receive(:verified?).and_return(false)
post api(endpoint, user), params: { event: known_event }
expect(response).to have_gitlab_http_status(:forbidden)
end
end
context 'usage_data_api feature not enabled' do context 'usage_data_api feature not enabled' do
it 'returns not_found' do it 'returns not_found' do
stub_feature_flags(usage_data_api: false) stub_feature_flags(usage_data_api: false)
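Review bot: the new "without CSRF token" context stubs `Gitlab::RequestForgeryProtection.verified?` to `false`, but the code under test calls `verified_request?`, and nothing in this diff shows the two are linked; the spec only proves the `forbidden!` branch if that delegation holds, so either assert on the real behaviour by posting without a token and without the stub, or name the context after what is actually simulated ("when CSRF verification fails"). The stubbed failure is also a reasonable place to assert the response body carries the error message from `forbidden!`, so a later wording change in the endpoint is caught here.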
...@@ -33,6 +44,7 @@ RSpec.describe API::UsageData do ...@@ -33,6 +44,7 @@ RSpec.describe API::UsageData do
stub_feature_flags(usage_data_api: true) stub_feature_flags(usage_data_api: true)
stub_feature_flags("usage_data_#{known_event}" => true) stub_feature_flags("usage_data_#{known_event}" => true)
stub_application_setting(usage_ping_enabled: true) stub_application_setting(usage_ping_enabled: true)
allow(Gitlab::RequestForgeryProtection).to receive(:verified?).and_return(true)
end end
context 'when event is missing from params' do context 'when event is missing from params' do
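Review bot: adding `allow(Gitlab::RequestForgeryProtection).to receive(:verified?).and_return(true)` to the shared `before` means every success-path spec in this file now bypasses token verification, so no spec exercises how `verified_request?` actually reads the token from the request; suggest keeping the stub out of the shared setup and instead sending a genuine token in at least one `post api(endpoint, user)` call, so a regression in the token lookup (header name, cookie handling) fails a test rather than silently turning into `403`s in production.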