Skip to content

Commit fef582c

Browse files
hvitvedhvitved
committed
JS: Add test case for Fastify per-route rate limiting
1 parent 33cc887 commit fef582c

File tree

2 files changed

+29
-0
lines changed

2 files changed

+29
-0
lines changed

javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimit/MissingRateLimiting.expected

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,4 @@
1+
#select
12
| MissingRateLimiting.js:4:19:8:1 | functio ... ath);\\n} | This route handler performs $@, but is not rate-limited. | MissingRateLimiting.js:7:5:7:22 | res.sendFile(path) | a file system access |
23
| MissingRateLimiting.js:25:19:25:20 | f1 | This route handler performs $@, but is not rate-limited. | MissingRateLimiting.js:13:5:13:22 | res.sendFile(path) | a file system access |
34
| MissingRateLimiting.js:25:27:25:28 | f3 | This route handler performs $@, but is not rate-limited. | MissingRateLimiting.js:22:5:22:22 | res.sendFile(path) | a file system access |
@@ -9,3 +10,9 @@
910
| tst.js:64:25:64:63 | functio ... req); } | This route handler performs $@, but is not rate-limited. | tst.js:64:46:64:60 | verifyUser(req) | authorization |
1011
| tst.js:76:25:76:53 | catchAs ... ndler1) | This route handler performs $@, but is not rate-limited. | tst.js:14:40:14:46 | login() | authorization |
1112
| tst.js:88:24:88:40 | expensiveHandler1 | This route handler performs $@, but is not rate-limited. | tst.js:14:40:14:46 | login() | authorization |
13+
| tst.js:103:4:103:20 | expensiveHandler1 | This route handler performs $@, but is not rate-limited. | tst.js:14:40:14:46 | login() | authorization |
14+
| tst.js:110:4:110:20 | expensiveHandler1 | This route handler performs $@, but is not rate-limited. | tst.js:14:40:14:46 | login() | authorization |
15+
| tst.js:112:28:112:44 | expensiveHandler1 | This route handler performs $@, but is not rate-limited. | tst.js:14:40:14:46 | login() | authorization |
16+
testFailures
17+
| tst.js:103:4:103:20 | This route handler performs $@, but is not rate-limited. | Unexpected result: Alert |
18+
| tst.js:110:4:110:20 | This route handler performs $@, but is not rate-limited. | Unexpected result: Alert |

javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimit/tst.js

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -88,3 +88,25 @@ const fastifyApp = require('fastify')();
8888
fastifyApp.get('/foo', expensiveHandler1); // $ Alert
8989
fastifyApp.register(require('fastify-rate-limit'));
9090
fastifyApp.get('/bar', expensiveHandler1);
91+
92+
// Fastify per-route rate limiting via config.rateLimit
93+
const fastifyApp2 = require('fastify')();
94+
fastifyApp2.register(require('@fastify/rate-limit'));
95+
96+
fastifyApp2.post('/login', {
97+
config: {
98+
rateLimit: {
99+
max: 3,
100+
timeWindow: '1 minute'
101+
}
102+
}
103+
}, expensiveHandler1); // OK - has per-route rateLimit config
104+
105+
fastifyApp2.post('/signup', {
106+
rateLimit: {
107+
max: 5,
108+
timeWindow: '1 minute'
109+
}
110+
}, expensiveHandler1); // OK - has per-route rateLimit directly in options
111+
112+
fastifyApp2.post('/other', expensiveHandler1); // $ Alert - no rate limiting

0 commit comments

Comments
 (0)