Rate limit adding new email and re-sending email confirmation

This change rate limits the actions of - user adding new emails to their profile - user resending confirmation emails for emails already added to their profiles

Rate limit adding new email and re-sending email confirmation
This change rate limits the actions of - user adding new emails to their profile - user resending confirmation emails for emails already added to their profiles
52723730 · manojmj · 838f9a61 · 52723730 · 52723730 · 52723730
Commit 52723730 authored Sep 11, 2020 by manojmj
5 changed files
--- a/app/controllers/profiles/emails_controller.rb
+++ b/app/controllers/profiles/emails_controller.rb
@@ -2,6 +2,8 @@

 class Profiles::EmailsController < Profiles::ApplicationController
  before_action :find_email, only: [:destroy, :resend_confirmation_instructions]
+  before_action -> { rate_limit!(:profile_add_new_email) }, only: [:create]
+  before_action -> { rate_limit!(:profile_resend_email_confirmation) }, only: [:resend_confirmation_instructions]

  def index
    @primary_email = current_user.email
@@ -38,6 +40,16 @@ class Profiles::EmailsController < Profiles::ApplicationController

  private

+  def rate_limit!(action)
+    rate_limiter = ::Gitlab::ApplicationRateLimiter
+
+    if rate_limiter.throttled?(action, scope: current_user)
+      rate_limiter.log_request(request, action, current_user)
+
+      redirect_back_or_default(options: { alert: _('This action has been performed too many times. Try again later.') })
+    end
+  end
+
  def email_params
    params.require(:email).permit(:email)
  end

--- a/changelogs/unreleased/security-rate-limit-email-confirmation.yml
+++ b/changelogs/unreleased/security-rate-limit-email-confirmation.yml
+---
+title: Rate limit adding new email and re-sending email confirmation
+merge_request:
+author:
+type: security
--- a/lib/gitlab/application_rate_limiter.rb
+++ b/lib/gitlab/application_rate_limiter.rb
@@ -31,7 +31,9 @@ module Gitlab
          group_export:                 { threshold: -> { application_settings.group_export_limit }, interval: 1.minute },
          group_download_export:        { threshold: -> { application_settings.group_download_export_limit }, interval: 1.minute },
          group_import:                 { threshold: -> { application_settings.group_import_limit }, interval: 1.minute },
-          group_testing_hook:           { threshold: 5, interval: 1.minute }
+          group_testing_hook:           { threshold: 5, interval: 1.minute },
+          profile_add_new_email:        { threshold: 5, interval: 1.minute },
+          profile_resend_email_confirmation:  { threshold: 5, interval: 1.minute }
        }.freeze
      end


--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -25555,6 +25555,9 @@ msgstr ""
 msgid "This action cannot be undone. You will lose the project's repository and all content: issues, merge requests, etc."
 msgstr ""

+msgid "This action has been performed too many times. Try again later."
+msgstr ""
+
 msgid "This action will %{strongOpen}permanently delete%{strongClose} %{codeOpen}%{project}%{codeClose} %{strongOpen}immediately%{strongClose}, including its repositories and all content: issues, merge requests, etc."
 msgstr ""


--- a/spec/controllers/profiles/emails_controller_spec.rb
+++ b/spec/controllers/profiles/emails_controller_spec.rb
@@ -15,6 +15,29 @@ RSpec.describe Profiles::EmailsController do
    end
  end

+  shared_examples_for 'respects the rate limit' do
+    context 'after the rate limit is exceeded' do
+      before do
+        allowed_threshold = Gitlab::ApplicationRateLimiter.rate_limits[action][:threshold]
+
+        allow(Gitlab::ApplicationRateLimiter)
+          .to receive(:increment)
+          .and_return(allowed_threshold + 1)
+      end
+
+      it 'does not send any email' do
+        expect { subject }.not_to change { ActionMailer::Base.deliveries.size }
+      end
+
+      it 'displays an alert' do
+        subject
+
+        expect(response).to have_gitlab_http_status(:redirect)
+        expect(flash[:alert]).to eq(_('This action has been performed too many times. Try again later.'))
+      end
+    end
+  end
+
  describe '#create' do
    let(:email) { 'add_email@example.com' }
    let(:params) { { email: { email: email } } }
@@ -32,6 +55,10 @@ RSpec.describe Profiles::EmailsController do
        expect { subject }.not_to change { ActionMailer::Base.deliveries.size }
      end
    end
+
+    it_behaves_like 'respects the rate limit' do
+      let(:action) { :profile_add_new_email }
+    end
  end

  describe '#resend_confirmation_instructions' do
@@ -54,5 +81,9 @@ RSpec.describe Profiles::EmailsController do
        expect { subject }.not_to change { ActionMailer::Base.deliveries.size }
      end
    end
+
+    it_behaves_like 'respects the rate limit' do
+      let(:action) { :profile_resend_email_confirmation }
+    end
  end
 end