Commit 9c15124f authored by Magdalena Frankiewicz's avatar Magdalena Frankiewicz Committed by Mikołaj Wawrzyniak

Rate limit /users/sign_up

This is to mitigate abuse, such as attempts to discover usernames
or emails

Changelog: security
parent dfa84df8
......@@ -13,6 +13,9 @@ class RegistrationsController < Devise::RegistrationsController
before_action :ensure_destroy_prerequisites_met, only: [:destroy]
before_action :load_recaptcha, only: :new
before_action :set_invite_params, only: :new
before_action only: [:create] do
check_rate_limit!(:user_sign_up, scope: request.ip) if Feature.enabled?(:rate_limit_user_sign_up_endpoint, default_enabled: :yaml)
end
feature_category :authentication_and_authorization
......
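Review bot: The throttle added in the new `before_action` block keys solely on `request.ip`, so its effectiveness depends on the proxy / trusted-IP configuration in front of the app — presumably correct for this deployment, but a one-line comment such as `# keyed on request.ip; relies on trusted_proxies being configured for the reverse proxy` would save the next reader from guessing, since a misconfiguration either collapses all sign-ups into one bucket (spurious 429s for everyone) or weakens the limit. The check is also inert until `rate_limit_user_sign_up_endpoint` is turned on, because the flag file in this commit sets `default_enabled: false`; the commit description could state that the protection is opt-in. As a point of style, the long one-line conditional inside the `do` block would read better as a named filter: `before_action :check_sign_up_rate_limit, only: :create` with a private `def check_sign_up_rate_limit` holding the existing `check_rate_limit!(...) if Feature.enabled?(...)` line. The RegistrationsController class continues outside the hunk.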
---
name: rate_limit_user_sign_up_endpoint
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77835
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/349843
milestone: '14.7'
type: development
group: group::optimize
default_enabled: false
......@@ -51,6 +51,7 @@ module Gitlab
web_hook_calls: { interval: 1.minute },
users_get_by_id: { threshold: 10, interval: 1.minute },
username_exists: { threshold: 20, interval: 1.minute },
user_sign_up: { threshold: 20, interval: 1.minute },
profile_resend_email_confirmation: { threshold: 5, interval: 1.minute },
profile_update_username: { threshold: 10, interval: 1.minute },
update_environment_canary_ingress: { threshold: 1, interval: 1.minute },
......
......@@ -20,6 +20,10 @@ RSpec.describe RegistrationsController do
end
describe '#create' do
before do
allow(::Gitlab::ApplicationRateLimiter).to receive(:throttled?).and_return(false)
end
let_it_be(:base_user_params) do
{ first_name: 'first', last_name: 'last', username: 'new_username', email: 'new@user.com', password: 'Any_password' }
end
......@@ -410,6 +414,18 @@ RSpec.describe RegistrationsController do
end
end
context 'when the rate limit has been reached' do
it 'returns status 429 Too Many Requests', :aggregate_failures do
ip = '1.2.3.4'
expect(::Gitlab::ApplicationRateLimiter).to receive(:throttled?).with(:user_sign_up, scope: ip).and_return(true)
controller.request.env['REMOTE_ADDR'] = ip
post(:create, params: user_params, session: session_params)
expect(response).to have_gitlab_http_status(:too_many_requests)
end
end
it "logs a 'User Created' message" do
expect(Gitlab::AppLogger).to receive(:info).with(/\AUser Created: username=new_username email=new@user.com.+\z/).and_call_original
......
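Review bot: The new 'when the rate limit has been reached' context only covers the throttled branch; nothing asserts the flag-disabled path, where `throttled?` must not be consulted and sign-up proceeds normally. Given the example passes without stubbing the flag even though the flag file has `default_enabled: false`, the suite appears to enable feature flags by default, so a sibling context with `stub_feature_flags(rate_limit_user_sign_up_endpoint: false)` and `expect(::Gitlab::ApplicationRateLimiter).not_to receive(:throttled?)` would pin the gate. The `before` block added in the earlier spec hunk stubs `throttled?` to false for every `#create` example, which is reasonable, but a short comment there (`# rate limiter is exercised in its own context below`) would explain why the real limiter is bypassed. The enclosing `describe '#create'` starts and ends outside this hunk.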