Missing rate limiting¶
ID: js/missing-rate-limiting
Kind: problem
Security severity: 7.5
Severity: warning
Precision: high
Tags:
- security
- external/cwe/cwe-770
- external/cwe/cwe-307
- external/cwe/cwe-400
Query suites:
- javascript-code-scanning.qls
- javascript-security-extended.qls
- javascript-security-and-quality.qls
HTTP request handlers should not perform expensive operations such as accessing the file system, executing an operating system command or interacting with a database without limiting the rate at which requests are accepted. Otherwise, the application becomes vulnerable to denial-of-service attacks where an attacker can cause the application to crash or become unresponsive by issuing a large number of requests at the same time.
Recommendation¶
A rate-limiting middleware should be used to prevent such attacks.
Example¶
The following example shows an Express application that serves static files without rate limiting:
```javascript
var express = require('express');
var app = express();

app.get('/:path', function (req, res) {
  let path = req.params.path;
  // isValidPath is assumed to be defined elsewhere in the application.
  // Every request reaches the file system, with no limit on request rate.
  if (isValidPath(path))
    res.sendFile(path);
});
```
To prevent denial-of-service attacks, the express-rate-limit package can be used:
```javascript
var express = require('express');
var app = express();

// set up rate limiter: maximum of 100 requests per 15-minute window
var RateLimit = require('express-rate-limit');
var limiter = RateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // max 100 requests per windowMs
});

// apply rate limiter to all requests
app.use(limiter);

app.get('/:path', function (req, res) {
  let path = req.params.path;
  // isValidPath is assumed to be defined elsewhere in the application.
  if (isValidPath(path))
    res.sendFile(path);
});
```
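To make the windowMs/max contract concrete, the following is an added example (not code from the CodeQL page or from the express-rate-limit package): a dependency-free fixed-window limiter written as Express-style middleware, plus a small driver that shows which constructed requests are passed through and which are rejected with 429. The names `createRateLimiter` and `simulate` are assumed here.

```javascript
// Added example, not the CodeQL page's or express-rate-limit's own code: a
// minimal fixed-window limiter with the same windowMs/max semantics, written
// as Express-style middleware. Keyed by req.ip; the clock is injectable.
function createRateLimiter({ windowMs, max, now = Date.now }) {
  const buckets = new Map(); // key -> { count, resetAt }
  function hit(key) {
    const t = now();
    let b = buckets.get(key);
    if (!b || t >= b.resetAt) { // first hit, or window expired: start a fresh window
      b = { count: 0, resetAt: t + windowMs };
      buckets.set(key, b);
    }
    b.count += 1;
    return { allowed: b.count <= max, remaining: Math.max(0, max - b.count), resetAt: b.resetAt };
  }

  return function limiter(req, res, next) {
    const r = hit(req.ip || 'unknown');
    res.setHeader('RateLimit-Limit', String(max));
    res.setHeader('RateLimit-Remaining', String(r.remaining));
    if (!r.allowed) {
      // Reject with 429 and tell the client when the window resets.
      res.setHeader('Retry-After', String(Math.ceil((r.resetAt - now()) / 1000)));
      res.status(429).send('Too Many Requests');
      return;
    }
    next(); // under the limit: hand off to the expensive handler
  };
}

// Drive the middleware with constructed requests ({ ip, at } in ms) and a fake
// response; returns the status each request ends with (200 = passed to next()).
function simulate(requests, opts) {
  let clock = 0;
  const limiter = createRateLimiter({ ...opts, now: () => clock });
  return requests.map(({ ip, at }) => {
    clock = at;
    const res = {
      headers: {}, statusCode: 200,
      setHeader(k, v) { this.headers[k] = v; },
      status(c) { this.statusCode = c; return this; },
      send() {},
    };
    let passed = false;
    limiter({ ip }, res, () => { passed = true; });
    return passed ? 200 : res.statusCode;
  });
}
```

Note that a per-process Map like this is per-instance state; behind a load balancer a shared store is needed for the limit to hold across instances, which is why express-rate-limit supports external stores.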
References¶
OWASP: Denial of Service Cheat Sheet.
Wikipedia: Denial-of-service attack.
NPM: express-rate-limit.
Common Weakness Enumeration: CWE-770.
Common Weakness Enumeration: CWE-307.
Common Weakness Enumeration: CWE-400.