From 5ddd576c7e93da1c97b81af90f65e1f368266547 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Francisco=20Javier=20L=C3=B3pez?=
Date: Thu, 15 Feb 2018 16:54:36 +0000
Subject: [PATCH] Remove internal api calls from the rack::attack throttling

---
 .../fj-42910-unauthenticated-limit-via-ssh.yml | 5 +++++
 config/initializers/rack_attack_global.rb | 5 +++++
 spec/requests/rack_attack_global_spec.rb | 10 ++++++++++
 3 files changed, 20 insertions(+)
 create mode 100644 changelogs/unreleased/fj-42910-unauthenticated-limit-via-ssh.yml

diff --git a/changelogs/unreleased/fj-42910-unauthenticated-limit-via-ssh.yml b/changelogs/unreleased/fj-42910-unauthenticated-limit-via-ssh.yml
new file mode 100644
index 00000000000..cef339ef787
--- /dev/null
+++ b/changelogs/unreleased/fj-42910-unauthenticated-limit-via-ssh.yml
@@ -0,0 +1,5 @@
+---
+title: Fixed bug with unauthenticated requests through git ssh
+merge_request: 17149
+author:
+type: fixed
diff --git a/config/initializers/rack_attack_global.rb b/config/initializers/rack_attack_global.rb
index 9453df2ec5a..a90516eee7d 100644
--- a/config/initializers/rack_attack_global.rb
+++ b/config/initializers/rack_attack_global.rb
@@ -26,6 +26,7 @@ class Rack::Attack
 throttle('throttle_unauthenticated', Gitlab::Throttle.unauthenticated_options) do |req|
 Gitlab::Throttle.settings.throttle_unauthenticated_enabled &&
 req.unauthenticated? &&
+ !req.api_internal_request? &&
 req.ip
 end
 
@@ -54,6 +55,10 @@ class Rack::Attack
 path.start_with?('/api')
 end
 
+ def api_internal_request?
+ path =~ %r{^/api/v\d+/internal/}
+ end
+
 def web_request?
 !api_request?
 end
diff --git a/spec/requests/rack_attack_global_spec.rb b/spec/requests/rack_attack_global_spec.rb
index 0fec14d0cce..b18e922b063 100644
--- a/spec/requests/rack_attack_global_spec.rb
+++ b/spec/requests/rack_attack_global_spec.rb
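Review bot: The exemption added as `!req.api_internal_request? &&` is decided on the request path alone, before the internal API has validated the shell secret token, so unauthenticated requests to any `/api/v<N>/internal/` path now bypass `throttle_unauthenticated` whether or not they carry a valid token; the helper in the next hunk inspects nothing but the path. If the intent is to exempt only GitLab Shell traffic, the condition should also require the request to prove it is shell traffic (a check against the same secret the endpoint validates, if the initializer can reach it), or the internal endpoints should get a dedicated throttle with a higher limit rather than none at all. At minimum the added line deserves a comment recording the trade-off, e.g. `# Internal API (GitLab Shell) authenticates with a secret token, not a session; path-based exemption, so its own token check is the only limit`. The enclosing `throttle` block and `Rack::Attack` class continue outside the hunk.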
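Review bot: `path =~ %r{^/api/v\d+/internal/}` anchors with `^`, which in Ruby matches at the start of any line in the string rather than the start of the string itself; for a whole-string prefix test the anchor should be `\A`, i.e. `path =~ %r{\A/api/v\d+/internal/}`. Since this is a predicate, `path.match?(...)` would also return a plain boolean and skip building a MatchData, if the project's Ruby version supports it. The sibling `api_request?` just above uses `path.start_with?('/api')`; a one-line comment such as `# Internal API used by GitLab Shell; only the path is inspected here` would make the relationship between the two predicates explicit. The enclosing request class and `Rack::Attack` continue outside the hunk.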
@@ -22,6 +22,7 @@ describe 'Rack Attack global throttles' do
 let(:url_that_does_not_require_authentication) { '/users/sign_in' }
 let(:url_that_requires_authentication) { '/dashboard/snippets' }
+ let(:url_api_internal) { '/api/v4/internal/check' }
 let(:api_partial_url) { '/todos' }
 around do |example|
@@ -172,6 +173,15 @@ describe 'Rack Attack global throttles' do
 get url_that_does_not_require_authentication
 expect(response).to have_http_status 200
 end
+
+ context 'when the request is to the api internal endpoints' do
+ it 'allows requests over the rate limit' do
+ (1 + requests_per_period).times do
+ get url_api_internal, secret_token: Gitlab::Shell.secret_token
+ expect(response).to have_http_status 200
+ end
+ end
+ end
 end
 
 context 'when the throttle is disabled' do
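Review bot: The new example only shows that an internal request carrying a valid secret token is not throttled; nothing pins the boundary of the exemption, so a pattern that matched too much (for instance any path merely containing `/api/v4/internal/`, or `/api/v4/internals/...`) would still pass. Add a companion example in the same context asserting that a non-internal API path is still throttled once `requests_per_period` is exceeded, and consider one that makes the deliberate consequence explicit: an internal path with a wrong or missing token is also never throttled, so every request gets the endpoint's own rejection status rather than 429. The `context 'when the throttle is disabled'` block opens on the hunk's last line and continues outside it.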