Potential fix for code scanning alert no. 84: Unvalidated dynamic method call (#5746)

* Potential fix for code scanning alert no. 84: Unvalidated dynamic method call

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 84: Unvalidated dynamic method call#5746

* Potential fix for code scanning alert no. 100: Unvalidated dynamic method call

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 84: Unvalidated dynamic method call#5746

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: christopherholland-workday <christopher.holland+evisort@workday.com>

Author: 3 people

packages/server/src/utils/rateLimit.ts

@@ -14,7 +14,7 @@ const QUEUE_NAME = 'ratelimit'
 const QUEUE_EVENT_NAME = 'updateRateLimiter'
 
 export class RateLimiterManager {
-    private rateLimiters: Record<string, RateLimitRequestHandler> = {}
+    private rateLimiters: Map<string, RateLimitRequestHandler> = new Map()
     private rateLimiterMutex: Mutex = new Mutex()
     private redisClient: Redis
     private static instance: RateLimiterManager
@@ -95,50 +95,56 @@ export class RateLimiterManager {
         const release = await this.rateLimiterMutex.acquire()
         try {
             if (process.env.MODE === MODE.QUEUE) {
-                this.rateLimiters[id] = rateLimit({
-                    windowMs: duration * 1000,
-                    max: limit,
-                    standardHeaders: true,
-                    legacyHeaders: false,
-                    message,
-                    store: new RedisStore({
-                        prefix: `rl:${id}`,
-                        // @ts-expect-error - Known issue: the `call` function is not present in @types/ioredis
-                        sendCommand: (...args: string[]) => this.redisClient.call(...args)
+                this.rateLimiters.set(
+                    id,
+                    rateLimit({
+                        windowMs: duration * 1000,
+                        max: limit,
+                        standardHeaders: true,
+                        legacyHeaders: false,
+                        message,
+                        store: new RedisStore({
+                            prefix: `rl:${id}`,
+                            // @ts-expect-error - Known issue: the `call` function is not present in @types/ioredis
+                            sendCommand: (...args: string[]) => this.redisClient.call(...args)
+                        })
                     })
-                })
+                )
             } else {
-                this.rateLimiters[id] = rateLimit({
-                    windowMs: duration * 1000,
-                    max: limit,
-                    message
-                })
+                this.rateLimiters.set(
+                    id,
+                    rateLimit({
+                        windowMs: duration * 1000,
+                        max: limit,
+                        message
+                    })
+                )
             }
         } finally {
             release()
         }
     }
 
     public removeRateLimiter(id: string): void {
-        if (this.rateLimiters[id]) {
-            delete this.rateLimiters[id]
-        }
+        this.rateLimiters.delete(id)
     }
 
     public getRateLimiter(): (req: Request, res: Response, next: NextFunction) => void {
         return (req: Request, res: Response, next: NextFunction) => {
             const id = req.params.id
-            if (!this.rateLimiters[id]) return next()
-            const idRateLimiter = this.rateLimiters[id]
-            return idRateLimiter(req, res, next)
+            if (typeof id === 'string' && id.length > 0 && this.rateLimiters.has(id)) {
+                return this.rateLimiters.get(id)!(req, res, next)
+            }
+            return next()
         }
     }
 
     public getRateLimiterById(id: string): (req: Request, res: Response, next: NextFunction) => void {
         return (req: Request, res: Response, next: NextFunction) => {
-            if (!this.rateLimiters[id]) return next()
-            const idRateLimiter = this.rateLimiters[id]
-            return idRateLimiter(req, res, next)
+            if (this.rateLimiters.has(id)) {
+                return this.rateLimiters.get(id)!(req, res, next)
+            }
+            return next()
         }
     }