Spam and Anti-bot Protection In Gitlab
The GitLab admin can enable spam and anti-bot protection on the page /admin/application_settings/reporting#js-spam-settings, see the image below:
Three third-party services are included:
Google reCAPTCHA
The reCAPTCHA will appear in five scenarios:
- sign up page, if the admin ticked the Enable reCAPTCHA checkbox
- sign in page, if the admin ticked both the Enable reCAPTCHA checkbox and the Enable reCAPTCHA for login checkbox
- create issue page, if the admin ticked the Enable Akismet checkbox and the user tried to submit content that is detected as spam
- create top-level group page, if GitLab was started with the feature flag recaptcha_on_top_level_group_creation set to true (https://gitlab.com/gitlab-jh/gitlab/-/blob/main-jh/config/feature_flags/ops/recaptcha_on_top_level_group_creation.yml#L8); for more details see this MR
- submit code snippet page, see details in https://gitlab.cn/jihulab/jh-infra/saas-feedback/-/issues/5
reCAPTCHA has three versions: v2, v3, and Enterprise. v2 and v3 are free with a limit of 1,000,000 calls per month; keys for v2 and v3 deployments can be obtained at https://www.google.com/recaptcha/admin/create. For the Enterprise version, the price is $1 per 1,000 calls once usage exceeds 1,000,000 calls, and migrating requires transferring the site key through the gcloud SDK ([doc](https://cloud.google.com/recaptcha-enterprise/docs/migrate-recaptcha)).
The reCAPTCHA service needs both the site's frontend and its backend to make requests to its main domain www.google.com, which unfortunately is blocked in China. The solution is to replace that domain with the global domain www.recaptcha.net, which is reachable from China; the work for the GitLab JH version is in progress, see this MR.
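As an added example (not code from GitLab or from the recaptcha gem), the Ruby helper below shows the host switch applied to both the frontend script URL and the backend siteverify endpoint, and how the backend should interpret the verification answer before trusting it (success, the hostname the token was solved on, and the v3 score); the RECAPTCHA_HOST variable and the function names are assumptions.

```ruby
# Added example (not GitLab's or the recaptcha gem's code): verifying a reCAPTCHA
# token from the backend while talking to www.recaptcha.net instead of
# www.google.com, as suggested above for deployments in China.
require 'net/http'
require 'uri'
require 'json'

# Hypothetical host selection: the admin sets RECAPTCHA_HOST=www.recaptcha.net
# on instances where www.google.com is unreachable; www.google.com stays the default.
RECAPTCHA_HOST = ENV.fetch('RECAPTCHA_HOST', 'www.google.com')

# Frontend script URL; the same host switch is needed here, because the
# browser also has to reach the reCAPTCHA domain.
def recaptcha_script_url(host = RECAPTCHA_HOST)
  "https://#{host}/recaptcha/api.js"
end

# Backend verification endpoint (same path on both hosts).
def siteverify_uri(host = RECAPTCHA_HOST)
  URI("https://#{host}/recaptcha/api/siteverify")
end

# Interpret a siteverify JSON body. Returns :ok or a symbol naming the failure.
# expected_hostname rejects tokens that were solved on a different site;
# min_score applies only to v3 responses, which carry a "score" field.
def evaluate_siteverify(body, expected_hostname:, min_score: nil)
  data = JSON.parse(body)
  return :rejected unless data['success'] == true
  return :wrong_hostname unless data['hostname'] == expected_hostname
  return :low_score if min_score && data.key?('score') && data['score'].to_f < min_score
  :ok
rescue JSON::ParserError
  :invalid_response
end

# Full round trip: POST the client token to siteverify and evaluate the answer.
def verify_recaptcha(secret:, token:, remote_ip:, expected_hostname:, min_score: nil, host: RECAPTCHA_HOST)
  res = Net::HTTP.post_form(siteverify_uri(host),
                            'secret' => secret, 'response' => token, 'remoteip' => remote_ip)
  evaluate_siteverify(res.body, expected_hostname: expected_hostname, min_score: min_score)
end
```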
Akismet
Akismet is an anti-spam content service. In GitLab, the admin can enable it by ticking the Enable Akismet checkbox; once a user tries to submit spam content in an issue, like asdasd123123, he or she will be blocked and asked to pass a reCAPTCHA.
Akismet doesn't require the site to load any frontend lib; the backend needs to send requests to rest.akismet.com. This domain is located in the USA but is reachable from China according to the ping test. A plan must be purchased to use it:
Invisible Captcha
Invisible Captcha is an open source anti-bot gem based on the honeypot principle, which provides a better user experience since there are no extra steps for real users, only for bots. In GitLab, the admin can enable it by ticking the Enable Invisible Captcha during sign up checkbox.
This lib doesn't require the site to send any request from the frontend or the backend.
Others
In addition, gitlab.com also uses the anti-bot service of its CDN provider Cloudflare.
Payments
The payment methods of Google reCAPTCHA Enterprise support at least Visa and MasterCard credit cards issued in China, and Akismet supports at least UnionPay credit cards issued in China; other methods are unclear.