2020-01-29 13:08:47 -05:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
module Spam
|
2020-04-21 11:21:10 -04:00
|
|
|
class SpamActionService
|
|
|
|
include SpamConstants
|
2020-01-29 13:08:47 -05:00
|
|
|
|
2021-01-27 04:09:01 -05:00
|
|
|
##
|
|
|
|
# Utility method to filter SpamParams from parameters, which will later be passed to #execute
|
|
|
|
# after the spammable is created/updated based on the remaining parameters.
|
|
|
|
#
|
|
|
|
# Takes a hash of parameters from an incoming request to modify a model (via a controller,
|
2021-02-25 04:10:45 -05:00
|
|
|
# service, or GraphQL mutation). The parameters will either be camelCase (if they are
|
|
|
|
# received directly via controller params) or underscore_case (if they have come from
|
|
|
|
# a GraphQL mutation which has converted them to underscore)
|
2021-01-27 04:09:01 -05:00
|
|
|
#
|
|
|
|
# Deletes the parameters which are related to spam and captcha processing, and returns
|
|
|
|
# them in a SpamParams parameters object. See:
|
|
|
|
# https://refactoring.com/catalog/introduceParameterObject.html
|
|
|
|
def self.filter_spam_params!(params)
|
|
|
|
# NOTE: The 'captcha_response' field can be expanded to multiple fields when we move to future
|
|
|
|
# alternative captcha implementations such as FriendlyCaptcha. See
|
|
|
|
# https://gitlab.com/gitlab-org/gitlab/-/issues/273480
|
2021-02-25 04:10:45 -05:00
|
|
|
captcha_response = params.delete(:captcha_response) || params.delete(:captchaResponse)
|
2021-01-27 04:09:01 -05:00
|
|
|
|
|
|
|
SpamParams.new(
|
|
|
|
api: params.delete(:api),
|
|
|
|
captcha_response: captcha_response,
|
2021-02-25 04:10:45 -05:00
|
|
|
spam_log_id: params.delete(:spam_log_id) || params.delete(:spamLogId)
|
2021-01-27 04:09:01 -05:00
|
|
|
)
|
|
|
|
end
|
|
|
|
|
2020-02-27 07:09:12 -05:00
|
|
|
attr_accessor :target, :request, :options
|
2020-01-29 13:08:47 -05:00
|
|
|
attr_reader :spam_log
|
|
|
|
|
2021-01-27 04:09:01 -05:00
|
|
|
def initialize(spammable:, request:, user:, action:)
|
2020-02-27 07:09:12 -05:00
|
|
|
@target = spammable
|
2020-01-29 13:08:47 -05:00
|
|
|
@request = request
|
2020-06-08 02:08:19 -04:00
|
|
|
@user = user
|
2021-01-27 04:09:01 -05:00
|
|
|
@action = action
|
2020-01-29 13:08:47 -05:00
|
|
|
@options = {}
|
2021-01-27 04:09:01 -05:00
|
|
|
end
|
2020-01-29 13:08:47 -05:00
|
|
|
|
2021-01-27 04:09:01 -05:00
|
|
|
def execute(spam_params:)
|
|
|
|
if request
|
|
|
|
options[:ip_address] = request.env['action_dispatch.remote_ip'].to_s
|
|
|
|
options[:user_agent] = request.env['HTTP_USER_AGENT']
|
|
|
|
options[:referrer] = request.env['HTTP_REFERRER']
|
2020-01-29 13:08:47 -05:00
|
|
|
else
|
2021-01-27 04:09:01 -05:00
|
|
|
# TODO: This code is never used, because we do not perform a verification if there is not a
|
|
|
|
# request. Why? Should it be deleted? Or should we check even if there is no request?
|
|
|
|
options[:ip_address] = target.ip_address
|
|
|
|
options[:user_agent] = target.user_agent
|
2020-01-29 13:08:47 -05:00
|
|
|
end
|
|
|
|
|
2021-01-27 04:09:01 -05:00
|
|
|
recaptcha_verified = Captcha::CaptchaVerificationService.new.execute(
|
|
|
|
captcha_response: spam_params.captcha_response,
|
|
|
|
request: request
|
|
|
|
)
|
|
|
|
|
2020-01-29 13:08:47 -05:00
|
|
|
if recaptcha_verified
|
2021-01-27 04:09:01 -05:00
|
|
|
# If it's a request which is already verified through captcha,
|
2020-01-29 13:08:47 -05:00
|
|
|
# update the spam log accordingly.
|
2021-01-27 04:09:01 -05:00
|
|
|
SpamLog.verify_recaptcha!(user_id: user.id, id: spam_params.spam_log_id)
|
|
|
|
ServiceResponse.success(message: "Captcha was successfully verified")
|
2020-01-29 13:08:47 -05:00
|
|
|
else
|
2021-01-27 04:09:01 -05:00
|
|
|
return ServiceResponse.success(message: 'Skipped spam check because user was allowlisted') if allowlisted?(user)
|
|
|
|
return ServiceResponse.success(message: 'Skipped spam check because request was not present') unless request
|
|
|
|
return ServiceResponse.success(message: 'Skipped spam check because it was not required') unless check_for_spam?
|
2020-04-21 11:21:10 -04:00
|
|
|
|
2021-01-27 04:09:01 -05:00
|
|
|
perform_spam_service_check(spam_params.api)
|
|
|
|
ServiceResponse.success(message: "Spam check performed, check #{target.class.name} spammable model for any errors or captcha requirement")
|
2020-01-29 13:08:47 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2020-04-21 11:21:10 -04:00
|
|
|
delegate :check_for_spam?, to: :target
|
|
|
|
|
2020-01-29 13:08:47 -05:00
|
|
|
private
|
|
|
|
|
2021-01-27 04:09:01 -05:00
|
|
|
attr_reader :user, :action
|
|
|
|
|
|
|
|
##
|
|
|
|
# In order to be proceed to the spam check process, the target must be
|
|
|
|
# a dirty instance, which means it should be already assigned with the new
|
|
|
|
# attribute values.
|
|
|
|
def ensure_target_is_dirty
|
|
|
|
msg = "Target instance of #{target.class.name} must be dirty (must have changes to save)"
|
|
|
|
raise(msg) unless target.has_changes_to_save?
|
|
|
|
end
|
2020-06-08 02:08:19 -04:00
|
|
|
|
2020-05-06 08:09:36 -04:00
|
|
|
def allowlisted?(user)
|
2020-10-19 05:08:58 -04:00
|
|
|
user.try(:gitlab_employee?) || user.try(:gitlab_bot?) || user.try(:gitlab_service_user?)
|
2020-05-06 08:09:36 -04:00
|
|
|
end
|
|
|
|
|
2021-01-27 04:09:01 -05:00
|
|
|
##
|
|
|
|
# Performs the spam check using the spam verdict service, and modifies the target model
|
|
|
|
# accordingly based on the result.
|
2020-04-21 11:21:10 -04:00
|
|
|
def perform_spam_service_check(api)
|
2021-01-27 04:09:01 -05:00
|
|
|
ensure_target_is_dirty
|
|
|
|
|
2020-04-21 11:21:10 -04:00
|
|
|
# since we can check for spam, and recaptcha is not verified,
|
|
|
|
# ask the SpamVerdictService what to do with the target.
|
|
|
|
spam_verdict_service.execute.tap do |result|
|
|
|
|
case result
|
2020-05-25 23:08:02 -04:00
|
|
|
when CONDITIONAL_ALLOW
|
|
|
|
# at the moment, this means "ask for reCAPTCHA"
|
2020-04-21 11:21:10 -04:00
|
|
|
create_spam_log(api)
|
2020-01-29 13:08:47 -05:00
|
|
|
|
2020-04-21 11:21:10 -04:00
|
|
|
break if target.allow_possible_spam?
|
2020-01-29 13:08:47 -05:00
|
|
|
|
2020-04-21 11:21:10 -04:00
|
|
|
target.needs_recaptcha!
|
|
|
|
when DISALLOW
|
|
|
|
# TODO: remove `unless target.allow_possible_spam?` once this flag has been passed to `SpamVerdictService`
|
|
|
|
# https://gitlab.com/gitlab-org/gitlab/-/issues/214739
|
|
|
|
target.spam! unless target.allow_possible_spam?
|
|
|
|
create_spam_log(api)
|
|
|
|
when ALLOW
|
|
|
|
target.clear_spam_flags!
|
|
|
|
end
|
|
|
|
end
|
2020-01-29 13:08:47 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
def create_spam_log(api)
|
|
|
|
@spam_log = SpamLog.create!(
|
|
|
|
{
|
2020-02-27 07:09:12 -05:00
|
|
|
user_id: target.author_id,
|
|
|
|
title: target.spam_title,
|
|
|
|
description: target.spam_description,
|
2020-01-29 13:08:47 -05:00
|
|
|
source_ip: options[:ip_address],
|
|
|
|
user_agent: options[:user_agent],
|
2021-01-27 04:09:01 -05:00
|
|
|
noteable_type: noteable_type,
|
2020-01-29 13:08:47 -05:00
|
|
|
via_api: api
|
|
|
|
}
|
|
|
|
)
|
2020-04-21 11:21:10 -04:00
|
|
|
|
|
|
|
target.spam_log = spam_log
|
|
|
|
end
|
|
|
|
|
|
|
|
def spam_verdict_service
|
2021-01-27 04:09:01 -05:00
|
|
|
context = {
|
|
|
|
action: action,
|
|
|
|
target_type: noteable_type
|
|
|
|
}
|
|
|
|
|
2020-04-21 11:21:10 -04:00
|
|
|
SpamVerdictService.new(target: target,
|
2020-06-08 02:08:19 -04:00
|
|
|
user: user,
|
2021-01-27 04:09:01 -05:00
|
|
|
request: request,
|
2020-06-08 02:08:19 -04:00
|
|
|
options: options,
|
2021-01-27 04:09:01 -05:00
|
|
|
context: context)
|
2020-06-08 02:08:19 -04:00
|
|
|
end
|
|
|
|
|
2021-01-27 04:09:01 -05:00
|
|
|
def noteable_type
|
2020-06-08 02:08:19 -04:00
|
|
|
@notable_type ||= target.class.to_s
|
2020-01-29 13:08:47 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|