Module MissingRateLimiting
Provides classes for reasoning about rate limiting.
We model two main concepts:
- expensive route handlers, which should be rate-limited;
- rate-limited route handler expressions, which set up a route handler so that it is rate-limited.
The query then looks for expensive route handlers that are not rate-limited.
Both concepts are modeled as abstract classes (ExpensiveRouteHandler and
RateLimitedRouteHandlerExpr, respectively) with a few default subclasses capturing
common use cases. They can be customized by adding more subclasses.
For ExpensiveRouteHandler, the default subclasses recognize route handlers performing
expensive actions, again modeled as an abstract class ExpensiveAction. By default,
file system access, operating system command execution, and database access are considered
expensive; other kinds of expensive actions can be modeled by adding more subclasses.
For RateLimitedRouteHandlerExpr, the default subclasses model rate limiters from popular npm packages;
other means of rate limiting can be supported by adding more subclasses.
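As an added illustration of the customization described above (this is example code, not part of the CodeQL library), the following QL adds a subclass of ExpensiveAction so that calls to the `send` method of a hypothetical `mailer` npm module count as expensive; the module name and method are assumptions, and the trailing query simply lists the expensive actions the extended model now recognizes.

```ql
import javascript
import semmle.javascript.security.dataflow.MissingRateLimiting

/**
 * Hypothetical extension (not in the library): a call to `send` on the
 * (assumed) `mailer` module is treated as an expensive action. Because
 * `RouteHandlerPerformingExpensiveAction` is built on `ExpensiveAction`,
 * any route handler making such a call becomes an `ExpensiveRouteHandler`
 * and is expected to be rate-limited, with no other changes to the model.
 */
class MailSendAsExpensiveAction extends ExpensiveAction {
  MailSendAsExpensiveAction() {
    this = DataFlow::moduleImport("mailer").getAMemberCall("send")
  }
}

// List every expensive action known to the extended model, including the
// default file system, OS command and database accesses plus mail sending.
from ExpensiveAction action
select action, "Expensive action that should only be reachable through a rate-limited route."
```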
Import path
import semmle.javascript.security.dataflow.MissingRateLimiting
Imports
| javascript | Provides classes for working with JavaScript programs, as well as JSON, YAML and HTML. |
Classes
| AuthorizationCallAsExpensiveAction | A call to an authorization function, considered as an expensive action. |
| BruteForceRateLimit | A rate limiter constructed using the |
| DatabaseAccessAsExpensiveAction | A database access, considered as an expensive action. |
| ExpensiveAction | A data flow node that corresponds to a resource-intensive action being taken. |
| ExpensiveRouteHandler | A route handler that should be rate-limited. |
| ExpressRateLimit | A rate limiter constructed using the |
| FileSystemAccessAsExpensiveAction | A file system access, considered as an expensive action. |
| RateLimiterFlexibleRateLimiter | A rate-handler function implemented using one of the rate-limiting classes provided by the |
| RateLimitingMiddleware | The creation of a middleware function that acts as a rate limiter. |
| RouteHandlerLimitedByExpressLimiter | A rate limiter constructed using the |
| RouteHandlerLimitedByRateLimiterFlexible | A route-handler expression that is rate-limited by the |
| RouteHandlerPerformingExpensiveAction | A route handler that performs an expensive action, and hence should be rate-limited. |
| SystemCommandExecutionAsExpensiveAction | A system command execution, considered as an expensive action. |