Tool: CodeQL
Rule ID: js/missing-rate-limiting
HTTP request handlers should not perform expensive operations such as accessing the file system, executing an operating system command or interacting with a database without limiting the rate at which requests are accepted. Otherwise, the application becomes vulnerable to denial-of-service attacks where an attacker can cause the application to crash or become unresponsive by issuing a large number of requests at the same time.
Recommendation
A rate-limiting middleware should be used to prevent such attacks.
Example
The following example shows an Express application that serves static files without rate limiting:
    var express = require('express');
    var app = express();
    // isValidPath is assumed to be defined elsewhere in the application
    app.get('/:path', function(req, res) {
      let path = req.params.path;
      if (isValidPath(path))
        res.sendFile(path);
    });
To prevent denial-of-service attacks, the express-rate-limit package can be used:
    var express = require('express');
    var app = express();
    // set up rate limiter: maximum of five requests per minute
    var RateLimit = require('express-rate-limit');
    var limiter = new RateLimit({
      windowMs: 1 * 60 * 1000, // 1 minute
      max: 5
    });
    // apply rate limiter to all requests
    app.use(limiter);
    // isValidPath is assumed to be defined elsewhere in the application
    app.get('/:path', function(req, res) {
      let path = req.params.path;
      if (isValidPath(path))
        res.sendFile(path);
    });
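To make the middleware's behaviour concrete, the following added example (not part of the query help and not the express-rate-limit package) implements a minimal fixed-window limiter keyed by req.ip with an injectable clock, and exercises it against constructed traffic without starting a server. It assumes requests arrive with a trustworthy req.ip (behind a reverse proxy Express needs 'trust proxy' configured for that to hold).

```javascript
// Added example, not the query help's code: fixed-window limiter keyed by req.ip.
function createRateLimiter({ windowMs, max, now = Date.now }) {
  const hits = new Map(); // key -> { count, resetAt }
  return function limiter(req, res, next) {
    const t = now();
    let entry = hits.get(req.ip);
    if (!entry || entry.resetAt <= t) {
      // Drop expired entries so the table cannot grow without bound.
      for (const [k, e] of hits) if (e.resetAt <= t) hits.delete(k);
      entry = { count: 0, resetAt: t + windowMs };
      hits.set(req.ip, entry);
    }
    entry.count += 1;
    res.setHeader('RateLimit-Limit', String(max));
    res.setHeader('RateLimit-Remaining', String(Math.max(0, max - entry.count)));
    if (entry.count > max) {
      res.setHeader('Retry-After', String(Math.ceil((entry.resetAt - t) / 1000)));
      res.status(429).send('Too Many Requests');
      return; // the expensive handler is never reached
    }
    next();
  };
}
// Fake req/res so the middleware can be exercised without a listening server.
function simulate(limiter, ip) {
  const res = {
    headers: {}, statusCode: 200, body: '',
    setHeader(n, v) { this.headers[n] = v; },
    status(c) { this.statusCode = c; return this; },
    send(b) { this.body = b; },
  };
  let reachedHandler = false;
  limiter({ ip }, res, () => { reachedHandler = true; });
  return { status: res.statusCode, reachedHandler, headers: res.headers };
}
// Constructed traffic: six requests from one client inside a one-minute window
// (the sixth must be rejected), one more after the window has elapsed, and one
// from a different client, which must not be affected.
function runScenario() {
  let clock = 0;
  const limiter = createRateLimiter({ windowMs: 60 * 1000, max: 5, now: () => clock });
  const statuses = [];
  for (let i = 0; i < 6; i++) { clock += 1000; statuses.push(simulate(limiter, '203.0.113.7').status); }
  clock += 60 * 1000;
  statuses.push(simulate(limiter, '203.0.113.7').status);
  statuses.push(simulate(limiter, '198.51.100.9').status);
  return statuses; // [200, 200, 200, 200, 200, 429, 200, 200]
}
```

A single in-process Map is only suitable for one server instance; with several instances the counters must live in a shared store or each instance will independently allow the full quota.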
References
OWASP: Denial of Service Cheat Sheet.
Wikipedia: Denial-of-service attack.
NPM: express-rate-limit.
Common Weakness Enumeration: CWE-770.
Common Weakness Enumeration: CWE-307.
Common Weakness Enumeration: CWE-400.