Module MissingRateLimiting

Provides classes for reasoning about rate limiting.

We model two main concepts:

  1. expensive route handlers, which should be rate-limited;
  2. rate-limited route handler expressions, that set up a route handler in such a way that it is rate-limited.

The query then looks for expensive route handlers that are not rate-limited.

Both concepts are modeled as abstract classes (ExpensiveRouteHandler and RateLimitedRouteHandlerExpr, respectively) with a few default subclasses capturing common use cases. They can be customized by adding more subclasses.

For ExpensiveRouteHandler, the default subclasses recognize route handlers performing expensive actions, again modeled as an abstract class ExpensiveAction. By default, file system access, operating system command execution, and database access are considered expensive; other kinds of expensive actions can be modeled by adding more subclasses.

For RateLimitedRouteHandlerExpr, the default subclasses model popular npm packages; other means of rate-limiting can be supported by adding more subclasses.
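As an added example, not part of this library, the following CodeQL snippet models calls to Node's CPU-bound `crypto.pbkdf2Sync` as a new kind of expensive action. It assumes that `ExpensiveAction` is a `DataFlow::Node` (as the class description above states) and that the standard `API` graph predicates `moduleImport`, `getMember` and `getACall` are available from `javascript`; any route handler that performs such a call without a recognized rate limiter is then reported by the query without further changes.

```ql
import javascript
import semmle.javascript.security.dataflow.MissingRateLimiting

/**
 * Added example (not part of the MissingRateLimiting library): a call to
 * `crypto.pbkdf2Sync`, considered as an expensive action. Password derivation
 * is deliberately slow, so an unthrottled route handler that runs it on every
 * request is an easy denial-of-service target.
 */
class Pbkdf2CallAsExpensiveAction extends ExpensiveAction {
  Pbkdf2CallAsExpensiveAction() {
    // Matches `require("crypto").pbkdf2Sync(...)` and `import { pbkdf2Sync } from "crypto"`.
    this = API::moduleImport("crypto").getMember("pbkdf2Sync").getACall()
  }
}
```

Placing this class in a `.qll` file that the query imports is enough; `RouteHandlerPerformingExpensiveAction` picks up every `ExpensiveAction` subclass automatically, so no change to the query itself is needed.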

Import path

semmle.javascript.security.dataflow.MissingRateLimiting

Imports

javascript

Provides classes for working with JavaScript programs, as well as JSON, YAML and HTML.

Classes

AuthorizationCallAsExpensiveAction

A call to an authorization function, considered as an expensive action.

BruteForceRateLimit

A rate limiter constructed using the express-brute package.

DatabaseAccessAsExpensiveAction

A database access, considered as an expensive action.

ExpensiveAction

A data flow node that corresponds to a resource-intensive action being taken.

ExpensiveRouteHandler

A route handler that should be rate-limited.

ExpressRateLimit

A rate limiter constructed using the express-rate-limit package.

FileSystemAccessAsExpensiveAction

A file system access, considered as an expensive action.

RateLimitedRouteHandlerExpr

A route handler expression that is rate-limited.

RateLimiter

A middleware that acts as a rate limiter.

RouteHandlerExpressionWithRateLimiter

A route handler expression that is rate-limited by a rate-limiting middleware.

RouteHandlerLimitedByExpressLimiter

A route handler expression that is rate-limited by the express-limiter package.

RouteHandlerPerformingExpensiveAction

A route handler that performs an expensive action, and hence should be rate-limited.

SystemCommandExecutionAsExpensiveAction

A system command execution, considered as an expensive action.