hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-17 04:56:58 +01:00
Code Issues Packages Projects Releases Wiki Activity

JavaScript: Add support for rate-limiter-flexible package.

Browse Source
This commit is contained in:
Max Schaefer
2019-09-18 12:13:23 +01:00
parent e7d8fa4251
commit 3970ead7ab
3 changed files with 50 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
change-notes/1.23/analysis-javascript.md
View File

@@ -6,6 +6,7 @@
- [firebase](https://www.npmjs.com/package/firebase)
- [mongodb](https://www.npmjs.com/package/mongodb)
- [mongoose](https://www.npmjs.com/package/mongoose)
- [rate-limiter-flexible](https://www.npmjs.com/package/rate-limiter-flexible)
* The call graph has been improved to resolve method calls in more cases. This may produce more security alerts.

41
javascript/ql/src/semmle/javascript/security/dataflow/MissingRateLimiting.qll
View File

@@ -155,3 +155,44 @@ class RouteHandlerLimitedByExpressLimiter extends RateLimitedRouteHandlerExpr {
)
}
}
/**
* A rate-handler function implemented using one of the rate-limiting classes provided
* by the `rate-limiter-flexible` package.
*
* We look for functions that invoke the `consume` method of one of the `RateLimiter*`
* classes from the `rate-limiter-flexible` package on a property of their first argument,
* like the `rateLimiterMiddleware` function in this example:
*
* ```
* import { RateLimiterRedis } from 'rate-limiter-flexible';
* const rateLimiter = new RateLimiterRedis(...);
* function rateLimiterMiddleware(req, res, next) {
* rateLimiter.consume(req.ip).then(next).catch(res.status(429).send('rate limited'));
* }
* ```
*/
class RateLimiterFlexibleRateLimiter extends DataFlow::FunctionNode {
RateLimiterFlexibleRateLimiter() {
exists(
string rateLimiterClassName, DataFlow::SourceNode rateLimiterClass,
DataFlow::SourceNode rateLimiterInstance
|
rateLimiterClassName.matches("RateLimiter%") and
rateLimiterClass = DataFlow::moduleMember("rate-limiter-flexible", rateLimiterClassName) and
rateLimiterInstance = rateLimiterClass.getAnInstantiation() and
getParameter(0).getAPropertyRead() = rateLimiterInstance
.getAMemberCall("consume")
.getAnArgument()
)
}
}
/**
* A route-handler expression that is rate-limited by the `rate-limiter-flexible` package.
*/
class RouteHandlerLimitedByRateLimiterFlexible extends RateLimiter {
RouteHandlerLimitedByRateLimiterFlexible() {
any(RateLimiterFlexibleRateLimiter rl).flowsToExpr(this)
}
}

8
javascript/ql/test/query-tests/Security/CWE-770/tst.js
View File

@@ -63,3 +63,11 @@ app3.get('/:path', expensiveHandler1); // OK
express().get('/:path', function(req, res) { verifyUser(req); }); // NOT OK
express().get('/:path', RateLimit(), function(req, res) { verifyUser(req); }); // OK
// rate limiting using rate-limiter-flexible
const { RateLimiterRedis } = require('rate-limiter-flexible');
const rateLimiter = new RateLimiterRedis();
const rateLimiterMiddleware = (req, res, next) => {
rateLimiter.consume(req.ip).then(next).catch(res.status(429).send('rate limited'));
};
express().get('/:path', rateLimiterMiddleware, expensiveHandler1);