Module MissingRateLimiting
Provides classes for reasoning about rate limiting.
We model two main concepts:
- expensive route handlers, which should be rate-limited;
- rate-limited route handler expressions, that set up a route handler in such a way that it is rate-limited.
The query then looks for expensive route handlers that are not rate-limited.
Both concepts are modeled as abstract classes (ExpensiveRouteHandler and RateLimitedRouteHandlerExpr, respectively) with a few default subclasses capturing common use cases. They can be customized by adding more subclasses.
For ExpensiveRouteHandler, the default subclasses recognize route handlers performing expensive actions, again modeled as an abstract class ExpensiveAction. By default, file system access, operating system command execution, database access, and calls to authorization functions are considered expensive; other kinds of expensive actions can be modeled by adding more subclasses of ExpensiveAction.
For RateLimitedRouteHandlerExpr, the default subclasses model rate limiters built with popular npm packages (express-rate-limit, express-brute, express-limiter and rate-limiter-flexible). A route handler guarded by any other means of rate limiting, such as an in-house middleware, is not recognized and is reported by the query unless that mechanism is modeled by adding another subclass of RateLimitedRouteHandlerExpr.
Import path
import semmle.javascript.security.dataflow.MissingRateLimiting
Imports
javascript | Provides classes for working with JavaScript programs, as well as JSON, YAML and HTML. |
Classes
AuthorizationCallAsExpensiveAction | A call to an authorization function, considered as an expensive action. |
BruteForceRateLimit | A rate limiter constructed using the express-brute package. |
DatabaseAccessAsExpensiveAction | A database access, considered as an expensive action. |
ExpensiveAction | A data flow node that corresponds to a resource-intensive action being taken. |
ExpensiveRouteHandler | A route handler that should be rate-limited. |
ExpressRateLimit | A rate limiter constructed using the express-rate-limit package. |
FileSystemAccessAsExpensiveAction | A file system access, considered as an expensive action. |
RateLimiterFlexibleRateLimiter | A rate-handler function implemented using one of the rate-limiting classes provided by the rate-limiter-flexible package. |
RateLimitingMiddleware | The creation of a middleware function that acts as a rate limiter. |
RouteHandlerLimitedByExpressLimiter | A rate limiter constructed using the express-limiter package. |
RouteHandlerLimitedByRateLimiterFlexible | A route-handler expression that is rate-limited by the rate-limiter-flexible package. |
RouteHandlerPerformingExpensiveAction | A route handler that performs an expensive action, and hence should be rate-limited. |
SystemCommandExecutionAsExpensiveAction | A system command execution, considered as an expensive action. |