Missing rate limiting
ID: js/missing-rate-limiting
Kind: problem
Security severity: 7.5
Severity: warning
Precision: high
Tags:
- security
- external/cwe/cwe-770
- external/cwe/cwe-307
- external/cwe/cwe-400
Query suites:
- javascript-code-scanning.qls
- javascript-security-extended.qls
- javascript-security-and-quality.qls
HTTP request handlers should not perform expensive operations such as accessing the file system, executing an operating system command or interacting with a database without limiting the rate at which requests are accepted. Otherwise, the application becomes vulnerable to denial-of-service attacks where an attacker can cause the application to crash or become unresponsive by issuing a large number of requests at the same time.
Recommendation
A rate-limiting middleware should be used to prevent such attacks.
Example
The following example shows an Express application that serves static files without rate limiting:
    var express = require('express');
    var app = express();
    app.get('/:path', function(req, res) {
      let path = req.params.path;
      // isValidPath is assumed to be defined elsewhere in the application
      if (isValidPath(path))
        res.sendFile(path);
    });
To prevent denial-of-service attacks, the express-rate-limit package can be used:
    var express = require('express');
    var app = express();
    // set up rate limiter: maximum of 100 requests per 15 minutes per client
    var RateLimit = require('express-rate-limit');
    var limiter = RateLimit({
      windowMs: 15 * 60 * 1000, // 15 minutes
      max: 100, // max 100 requests per windowMs
    });
    // apply rate limiter to all requests, before any route handler runs
    app.use(limiter);
    app.get('/:path', function(req, res) {
      let path = req.params.path;
      // isValidPath is assumed to be defined elsewhere in the application
      if (isValidPath(path))
        res.sendFile(path);
    });
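To make clear what the limiter above does between `app.use` and the route handler, here is a self-contained fixed-window limiter with the same windowMs/max contract, written as an added example rather than taken from express-rate-limit or the CodeQL documentation. It uses constructed fake req/res objects so it runs without Express installed; the client key (req.ip), the response headers and the injectable clock are assumptions of this example.

```javascript
// Fixed-window limiter using express-rate-limit's windowMs/max contract (added example).
function createRateLimiter({ windowMs = 15 * 60 * 1000, max = 100, now = Date.now } = {}) {
  const buckets = new Map(); // key -> { count, resetAt }; in-memory, so per-process only
  function check(key) {
    const t = now();
    let bucket = buckets.get(key);
    if (!bucket || t >= bucket.resetAt) {
      bucket = { count: 0, resetAt: t + windowMs }; // start a fresh window
      buckets.set(key, bucket);
    }
    bucket.count += 1;
    return {
      allowed: bucket.count <= max,
      remaining: Math.max(0, max - bucket.count),
      retryAfterSec: Math.ceil((bucket.resetAt - t) / 1000),
    };
  }
  function middleware(req, res, next) {
    // Key on req.ip: Express takes it from the socket, or from X-Forwarded-For only
    // when 'trust proxy' is set. Keying on a raw header lets a client pick its bucket.
    const r = check(req.ip);
    res.setHeader('X-RateLimit-Limit', String(max));
    res.setHeader('X-RateLimit-Remaining', String(r.remaining));
    if (!r.allowed) {
      res.setHeader('Retry-After', String(r.retryAfterSec));
      res.status(429).send('Too many requests, please try again later.');
      return; // the expensive handler (e.g. res.sendFile) never runs
    }
    next();
  }
  middleware.check = check; // exposed so the counting logic can be tested directly
  return middleware;
}
// Constructed fake req/res so the middleware runs without Express installed;
// returns the status each request ended with (200 = reached the handler).
function simulate(ips, limiter) {
  return ips.map((ip) => {
    const res = { statusCode: 200, headers: {}, send() {},
      setHeader(k, v) { this.headers[k] = v; },
      status(c) { this.statusCode = c; return this; } };
    let reachedHandler = false;
    limiter({ ip }, res, () => { reachedHandler = true; });
    return reachedHandler ? 200 : res.statusCode;
  });
}
// Demo with a controllable clock: at most 3 requests per minute per client address.
let clock = 0;
const demoLimiter = createRateLimiter({ windowMs: 60 * 1000, max: 3, now: () => clock });
console.log(simulate(['10.0.0.1', '10.0.0.1', '10.0.0.1', '10.0.0.1', '10.0.0.2'], demoLimiter));
```

Because the counters live in process memory, each instance behind a load balancer enforces the limit separately; a shared store is needed for a cluster-wide limit.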
References
- OWASP: Denial of Service Cheat Sheet.
- Wikipedia: Denial-of-service attack.
- NPM: express-rate-limit.
- Common Weakness Enumeration: CWE-770.
- Common Weakness Enumeration: CWE-307.
- Common Weakness Enumeration: CWE-400.