mirror of
https://github.com/github/codeql.git
synced 2026-03-29 19:58:17 +02:00
49 lines
1.3 KiB
XML
49 lines
1.3 KiB
XML
<!DOCTYPE qhelp PUBLIC
|
|
"-//Semmle//qhelp//EN"
|
|
"qhelp.dtd">
|
|
<qhelp>
|
|
|
|
<overview>
|
|
<p>
|
|
HTTP request handlers should not perform expensive operations such as accessing
|
|
the file system, executing an operating system command or interacting with a database
|
|
without limiting the rate at which requests are accepted. Otherwise, the application
|
|
becomes vulnerable to denial-of-service attacks where an attacker can cause the
|
|
application to crash or become unresponsive by issuing a large number of requests at
|
|
the same time.
|
|
</p>
|
|
</overview>
|
|
|
|
<recommendation>
|
|
<p>
|
|
A rate-limiting middleware should be used to prevent such attacks.
|
|
</p>
|
|
</recommendation>
|
|
|
|
<example>
|
|
<p>
|
|
The following example shows an Express application that serves static files without
|
|
rate limiting:
|
|
</p>
|
|
<sample src="examples/MissingRateLimiting.js" />
|
|
<p>
|
|
To prevent denial-of-service attacks, the <code>express-rate-limit</code> package
|
|
can be used:
|
|
</p>
|
|
<sample src="examples/MissingRateLimitingGood.js" />
|
|
</example>
|
|
|
|
<references>
|
|
<li>
|
|
OWASP:
|
|
<a href="https://www.owasp.org/index.php/Denial_of_Service_Cheat_Sheet">Denial of Service Cheat Sheet</a>.
|
|
</li>
|
|
<li>
|
|
Wikipedia: <a href="https://en.wikipedia.org/wiki/Denial-of-service_attack">Denial-of-service attack</a>.
|
|
</li>
|
|
<li>
|
|
NPM: <a href="https://www.npmjs.com/package/express-rate-limit">express-rate-limit</a>.
|
|
</li>
|
|
</references>
|
|
</qhelp>
|