Skip to content

Commit

Permalink
added support for singulsr RateLimit header.
Browse files Browse the repository at this point in the history
  • Loading branch information
philsturgeon committed Feb 5, 2024
1 parent 5174d1d commit f567f33
Show file tree
Hide file tree
Showing 3 changed files with 35 additions and 13 deletions.
6 changes: 3 additions & 3 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Added `owasp:api5:2023-admin-security-unique`.
- Added `owasp:api7:2023-concerning-url-parameter` to keep an eye out for URLs being passed as parameters and warn about server-side request forgery.
- Added `owasp:api8:2023-no-server-http` which supports `servers` having a `url` which is a relative path.
- Added `owasp:api9:2023-inventory-access` to indicate intended audience of every server
- Added `owasp:api9:2023-inventory-environment` to declare intended environment for every server
- Added `owasp:api9:2023-inventory-access` to indicate intended audience of every server.
- Added `owasp:api9:2023-inventory-environment` to declare intended environment for every server.

### Changed

Expand All @@ -31,7 +31,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Renamed `owasp:api3:2019-define-error-validation` to `owasp:api8:2023-define-error-validation`.
- Renamed `owasp:api3:2019-define-error-responses-401` to `owasp:api8:2023-define-error-responses-401`.
- Renamed `owasp:api3:2019-define-error-responses-500` to `owasp:api8:2023-define-error-responses-500`.
- Renamed `owasp:api4:2019-rate-limit` to `owasp:api4:2023-rate-limit`.
- Renamed `owasp:api4:2019-rate-limit` to `owasp:api4:2023-rate-limit` and added support for the singular `RateLimit` header in draft-ietf-httpapi-ratelimit-headers-07.
- Renamed `owasp:api4:2019-rate-limit-retry-after` to `owasp:api4:2023-rate-limit-retry-after`.
- Renamed `owasp:api4:2019-rate-limit-responses-429` to `owasp:api4:2023-rate-limit-responses-429`.
- Renamed `owasp:api4:2019-array-limit` to `owasp:api4:2023-array-limit`.
Expand Down
29 changes: 28 additions & 1 deletion __tests__/owasp-api4-2023-rate-limit.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ import testRule from "./__helpers__/helper";

testRule("owasp:api4:2023-rate-limit", [
{
name: "valid use of IETF Draft HTTP RateLimit Headers",
name: "valid use of IETF Draft HTTP RateLimit-* Headers",
document: {
openapi: "3.1.0",
info: { version: "1.0" },
Expand Down Expand Up @@ -34,6 +34,33 @@ testRule("owasp:api4:2023-rate-limit", [
errors: [],
},

{
name: "valid use of IETF Draft HTTP RateLimit Headers",
document: {
openapi: "3.1.0",
info: { version: "1.0" },
paths: {
"/": {
get: {
responses: {
"201": {
description: "ok",
headers: {
RateLimit: {
schema: {
type: "string",
},
},
},
},
},
},
},
},
},
errors: [],
},

{
name: "valid use of Twitter-style Rate Limit Headers",
document: {
Expand Down
13 changes: 4 additions & 9 deletions src/ruleset.ts
Original file line number Diff line number Diff line change
Expand Up @@ -451,6 +451,9 @@ export default {
schema: {
type: "object",
oneOf: [
{
required: ["RateLimit"],
},
{
required: ["RateLimit-Limit", "RateLimit-Reset"],
},
Expand Down Expand Up @@ -733,7 +736,6 @@ export default {
* - ✅ Missing, outdated, or misconfigured TLS
* - ❌ Exposed storage or server management panels
* - ✅ Missing CORS policy or security headers
* https://github.com/stoplightio/spectral-owasp-ruleset/issues/5
* - 🟠 Error messages with stack traces
* https://github.com/stoplightio/spectral-owasp-ruleset/issues/12
* - ❌ Unnecessary features enabled
Expand Down Expand Up @@ -924,16 +926,9 @@ export default {
* Use case
* - ❌ Interacts with other APIs over an unencrypted channel;
* - ❌ Does not properly validate and sanitize data gathered from other APIs prior to processing it or passing it to downstream components;
* - 🟠 Blindly follows redirections;
* https://github.com/stoplightio/spectral-owasp-ruleset/issues/55
* - ✅ Blindly follows redirections;
* - ❌ Does not limit the number of resources available to process third-party services responses;
* - ❌ Does not implement timeouts for interactions with third-party services;
*
* How to prevent
* - ❌ When evaluating service providers, assess their API security posture.
* - ❌ Ensure all API interactions (to upstream dependencies) happen over a secure communication channel (TLS).
* - ❌ Always validate and properly sanitize data received from integrated APIs before using it.
* - ❌ Maintain an allowlist of well-known locations integrated APIs may redirect yours to: do not blindly follow redirects.
*/
},
};

0 comments on commit f567f33

Please sign in to comment.