From f3547556874377474cfe1f64ccbb22f83088a8e4 Mon Sep 17 00:00:00 2001
From: Stan Hu <stanhu@gmail.com>
Date: Fri, 7 Mar 2025 04:46:37 -0800
Subject: [PATCH] Fix Rack Attack incorrectly rate limiting runner API

To update a job status, the runner uses the PUT /api/v4/:jobs endpoint
with the job token in two places:

1. The PRIVATE-TOKEN header
2. The `token` parameter in the JSON body

Previously `AuthFinders` looked up the PAT and raised an unauthorized
exception because no user was found. Instead, it should continue to
see if it can authenticate the job with the `token` parameter.

This commit makes `access_token` return blank if it has the CI build
token prefix so that the exception is not raised. That way Rack Attack
can then ensure the request is authenticated with the job token.

Changelog: fixed
---
 lib/gitlab/auth/auth_finders.rb                           | 5 +++++
 spec/lib/gitlab/auth/auth_finders_spec.rb                 | 8 ++++++++
 spec/support/helpers/http_basic_auth_helpers.rb           | 4 ++++
 .../requests/api/npm_packages_shared_examples.rb          | 2 +-
 4 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/lib/gitlab/auth/auth_finders.rb b/lib/gitlab/auth/auth_finders.rb
index 4f1006503da9..383b330ccdd6 100644
--- a/lib/gitlab/auth/auth_finders.rb
+++ b/lib/gitlab/auth/auth_finders.rb
@@ -299,6 +299,11 @@ def find_personal_access_token
         token = extract_personal_access_token
         return unless token
 
+        # The runner sends the job token for PUT /api/jobs/:id in the PRIVATE-TOKEN header
+        # and the token JSON parameter. Ignore this personal access token so
+        # that the job token can be authenticated.
+        return if api_request? && token.start_with?(::Ci::Build::TOKEN_PREFIX)
+
         # Expiration, revocation and scopes are verified in `validate_access_token!`
         PersonalAccessToken.find_by_token(token.to_s) || raise(UnauthorizedError)
       end
diff --git a/spec/lib/gitlab/auth/auth_finders_spec.rb b/spec/lib/gitlab/auth/auth_finders_spec.rb
index 35b36be0c09e..fd659d31cb76 100644
--- a/spec/lib/gitlab/auth/auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/auth_finders_spec.rb
@@ -706,6 +706,14 @@ def set_bearer_token(token)
       expect(find_personal_access_token).to be_nil
     end
 
+    it 'returns nil if PAT looks like a build token' do
+      set_header('SCRIPT_NAME', nil)
+      set_header('PATH_INFO', '/api/v4/jobs/1')
+      set_header(described_class::PRIVATE_TOKEN_HEADER, "#{::Ci::Build::TOKEN_PREFIX}ABCD")
+
+      expect(find_personal_access_token).to be_nil
+    end
+
     it 'returns exception if invalid personal_access_token' do
       set_header(described_class::PRIVATE_TOKEN_HEADER, 'invalid_token')
 
diff --git a/spec/support/helpers/http_basic_auth_helpers.rb b/spec/support/helpers/http_basic_auth_helpers.rb
index 530007a9a7b6..b630be7a30e5 100644
--- a/spec/support/helpers/http_basic_auth_helpers.rb
+++ b/spec/support/helpers/http_basic_auth_helpers.rb
@@ -11,6 +11,10 @@ def job_basic_auth_header(job)
     basic_auth_header(::Gitlab::Auth::CI_JOB_USER, job.token)
   end
 
+  def job_token_auth_header(job)
+    { 'JOB-TOKEN' => job.token }
+  end
+
   def deploy_token_basic_auth_header(deploy_token)
     basic_auth_header(deploy_token.username, deploy_token.token)
   end
diff --git a/spec/support/shared_examples/requests/api/npm_packages_shared_examples.rb b/spec/support/shared_examples/requests/api/npm_packages_shared_examples.rb
index 2a7ee15aad25..20ee8b47a6b4 100644
--- a/spec/support/shared_examples/requests/api/npm_packages_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/npm_packages_shared_examples.rb
@@ -163,7 +163,7 @@
     end
 
     context 'with a job token for a completed job' do
-      let(:headers) { build_token_auth_header(job.token) }
+      let(:headers) { job_token_auth_header(job) }
 
       before do
         job.update!(status: :success)
-- 
GitLab