Missing rate limiting

ID: js/missing-rate-limiting
Kind: problem
Security severity: 7.5
Severity: warning
Precision: high
Tags:
- security
- external/cwe/cwe-770
- external/cwe/cwe-307
- external/cwe/cwe-400
Query suites:
- javascript-code-scanning.qls
- javascript-security-extended.qls
- javascript-security-and-quality.qls
HTTP request handlers should not perform expensive operations such as accessing the file system, executing an operating system command or interacting with a database without limiting the rate at which requests are accepted. Otherwise, the application becomes vulnerable to denial-of-service attacks where an attacker can cause the application to crash or become unresponsive by issuing a large number of requests at the same time.
Recommendation
A rate-limiting middleware should be used to prevent such attacks.
Example
The following example shows an Express application that serves static files without rate limiting:
var express = require('express');
var app = express();

app.get('/:path', function(req, res) {
  let path = req.params.path;
  // isValidPath is assumed to be defined elsewhere in the application
  if (isValidPath(path))
    res.sendFile(path);
});
To prevent denial-of-service attacks, the express-rate-limit package can be used:
var express = require('express');
var app = express();

// set up rate limiter: maximum of 100 requests per 15-minute window
var RateLimit = require('express-rate-limit');
var limiter = RateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // max 100 requests per windowMs
});

// apply rate limiter to all requests
app.use(limiter);

app.get('/:path', function(req, res) {
  let path = req.params.path;
  // isValidPath is assumed to be defined elsewhere in the application
  if (isValidPath(path))
    res.sendFile(path);
});
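To show what the middleware above actually enforces, here is an added example (not the CodeQL query's or the express-rate-limit package's own code) of a minimal fixed-window limiter with the Express middleware signature, plus a stub-driven replay so it runs without Express installed. It assumes clients are keyed by req.ip and that the clock is injectable for testing.

```javascript
// Added example, not the CodeQL query's or express-rate-limit's own code: a minimal
// fixed-window rate limiter with the Express middleware signature (req, res, next).
// Assumed: clients are keyed by req.ip, and the clock is injectable for testing.
function createRateLimiter({ windowMs, max, now = () => Date.now() }) {
  const hits = new Map(); // req.ip -> { count, windowStart }
  return function rateLimit(req, res, next) {
    const t = now();
    let entry = hits.get(req.ip);
    if (!entry || t - entry.windowStart >= windowMs) {
      entry = { count: 0, windowStart: t }; // start a fresh window for this client
      hits.set(req.ip, entry);
    }
    entry.count += 1;
    res.setHeader('RateLimit-Limit', String(max));
    res.setHeader('RateLimit-Remaining', String(Math.max(0, max - entry.count)));
    if (entry.count > max) {
      // Reject before the expensive handler behind this middleware runs.
      const retryAfterSec = Math.ceil((entry.windowStart + windowMs - t) / 1000);
      res.setHeader('Retry-After', String(retryAfterSec));
      res.status(429).send('Too Many Requests');
      return;
    }
    next();
  };
}

// Replay constructed requests from one client at the given millisecond offsets,
// using stub req/res objects so this runs without Express installed.
// Returns 'allowed' where next() was called, otherwise the status code sent.
function simulate(windowMs, max, ip, offsetsMs) {
  let clock = 0;
  const limiter = createRateLimiter({ windowMs, max, now: () => clock });
  return offsetsMs.map((offset) => {
    clock = offset;
    let statusCode = null;
    let allowed = false;
    const res = {
      setHeader() {},
      status(code) { statusCode = code; return this; },
      send() {},
    };
    limiter({ ip }, res, () => { allowed = true; });
    return allowed ? 'allowed' : statusCode;
  });
}
```

In a real Express app, `app.use(createRateLimiter({ windowMs: 15 * 60 * 1000, max: 100 }))` applies it to every route, matching the configuration shown on this page.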
References

Wikipedia: Denial-of-service attack.
NPM: express-rate-limit.
Common Weakness Enumeration: CWE-770.
Common Weakness Enumeration: CWE-307.
Common Weakness Enumeration: CWE-400.