From f567f338561ecd389607cf296af827877a43db00 Mon Sep 17 00:00:00 2001
From: Phil Sturgeon <67381+philsturgeon@users.noreply.github.com>
Date: Fri, 2 Feb 2024 13:59:03 +0000
Subject: [PATCH] added support for singulsr RateLimit header.
---
 CHANGELOG.md | 6 ++--
 __tests__/owasp-api4-2023-rate-limit.test.ts | 29 +++++++++++++++++++-
 src/ruleset.ts | 13 +++------
 3 files changed, 35 insertions(+), 13 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2b182c3..a0a3fc5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,8 +15,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added `owasp:api5:2023-admin-security-unique`.
 - Added `owasp:api7:2023-concerning-url-parameter` to keep an eye out for URLs being passed as parameters and warn about server-side request forgery.
 - Added `owasp:api8:2023-no-server-http` which supports `servers` having a `url` which is a relative path.
-- Added `owasp:api9:2023-inventory-access` to indicate intended audience of every server
-- Added `owasp:api9:2023-inventory-environment` to declare intended environment for every server
+- Added `owasp:api9:2023-inventory-access` to indicate intended audience of every server.
+- Added `owasp:api9:2023-inventory-environment` to declare intended environment for every server.
 ### Changed
@@ -31,7 +31,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Renamed `owasp:api3:2019-define-error-validation` to `owasp:api8:2023-define-error-validation`.
 - Renamed `owasp:api3:2019-define-error-responses-401` to `owasp:api8:2023-define-error-responses-401`.
 - Renamed `owasp:api3:2019-define-error-responses-500` to `owasp:api8:2023-define-error-responses-500`.
-- Renamed `owasp:api4:2019-rate-limit` to `owasp:api4:2023-rate-limit`.
+- Renamed `owasp:api4:2019-rate-limit` to `owasp:api4:2023-rate-limit` and added support for the singular `RateLimit` header in draft-ietf-httpapi-ratelimit-headers-07.
 - Renamed `owasp:api4:2019-rate-limit-retry-after` to `owasp:api4:2023-rate-limit-retry-after`.
 - Renamed `owasp:api4:2019-rate-limit-responses-429` to `owasp:api4:2023-rate-limit-responses-429`.
 - Renamed `owasp:api4:2019-array-limit` to `owasp:api4:2023-array-limit`.
diff --git a/__tests__/owasp-api4-2023-rate-limit.test.ts b/__tests__/owasp-api4-2023-rate-limit.test.ts
index 2a4a70d..9e6f3c8 100644
--- a/__tests__/owasp-api4-2023-rate-limit.test.ts
+++ b/__tests__/owasp-api4-2023-rate-limit.test.ts
@@ -3,7 +3,7 @@ import testRule from "./__helpers__/helper";
 testRule("owasp:api4:2023-rate-limit", [
 {
- name: "valid use of IETF Draft HTTP RateLimit Headers",
+ name: "valid use of IETF Draft HTTP RateLimit-* Headers",
 document: {
 openapi: "3.1.0",
 info: { version: "1.0" },
@@ -34,6 +34,33 @@ testRule("owasp:api4:2023-rate-limit", [
 errors: [],
 },
+ {
+ name: "valid use of IETF Draft HTTP RateLimit Headers",
+ document: {
+ openapi: "3.1.0",
+ info: { version: "1.0" },
+ paths: {
+ "/": {
+ get: {
+ responses: {
+ "201": {
+ description: "ok",
+ headers: {
+ RateLimit: {
+ schema: {
+ type: "string",
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ errors: [],
+ },
+
 {
 name: "valid use of Twitter-style Rate Limit Headers",
 document: {
diff --git a/src/ruleset.ts b/src/ruleset.ts
index 4f12c1b..09171f1 100644
--- a/src/ruleset.ts
+++ b/src/ruleset.ts
@@ -451,6 +451,9 @@ export default {
 schema: {
 type: "object",
 oneOf: [
+ {
+ required: ["RateLimit"],
+ },
 {
 required: ["RateLimit-Limit", "RateLimit-Reset"],
 },
@@ -733,7 +736,6 @@ export default {
 * - ✅ Missing, outdated, or misconfigured TLS
 * - ❌ Exposed storage or server management panels
 * - ✅ Missing CORS policy or security headers
- * https://github.com/stoplightio/spectral-owasp-ruleset/issues/5
 * - 🟠 Error messages with stack traces
 * https://github.com/stoplightio/spectral-owasp-ruleset/issues/12
 * - ❌ Unnecessary features enabled
@@ -924,16 +926,9 @@ export default {
 * Use case
 * - ❌ Interacts with other APIs over an unencrypted channel;
 * - ❌ Does not properly validate and sanitize data gathered from other APIs prior to processing it or passing it to downstream components;
- * - 🟠 Blindly follows redirections;
- * https://github.com/stoplightio/spectral-owasp-ruleset/issues/55
+ * - ✅ Blindly follows redirections;
 * - ❌ Does not limit the number of resources available to process third-party services responses;
 * - ❌ Does not implement timeouts for interactions with third-party services;
- *
- * How to prevent
- * - ❌ When evaluating service providers, assess their API security posture.
- * - ❌ Ensure all API interactions (to upstream dependencies) happen over a secure communication channel (TLS).
- * - ❌ Always validate and properly sanitize data received from integrated APIs before using it.
- * - ❌ Maintain an allowlist of well-known locations integrated APIs may redirect yours to: do not blindly follow redirects.
 */
 },
 };
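Review bot: The new `required: ["RateLimit"]` branch in the `@@ -451` hunk sits under `oneOf`, which passes only when exactly one branch matches. A response that declares the singular `RateLimit` header together with the older `RateLimit-Limit`/`RateLimit-Reset` pair (plausible while an API moves between draft versions) would therefore match two branches and be reported as if it had no rate-limit headers. If the intent is "at least one recognised scheme", `anyOf: [` on the context line expresses that; the remaining branches of the list lie outside the hunk, so confirm none of them depends on exclusivity. The test added in `__tests__/owasp-api4-2023-rate-limit.test.ts` covers only `RateLimit` on its own, so a case declaring both header styles with `errors: []` would pin the intended behaviour.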
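Review bot: In the `@@ -924` hunk the coverage comment flips "Blindly follows redirections" to ✅ and drops its issue link, but nothing in this patch adds a rule that inspects redirects, so the claim cannot be checked from the diff. If the rule landed in an earlier commit, name it beside the marker, e.g. ` * - ✅ Blindly follows redirections; (covered by <rule-id>)`, so a reader auditing this list can trace it; the same applies to the issue link removed under "Missing CORS policy or security headers" in the `@@ -733` hunk. The deleted "How to prevent" checklist was the only record in this block of mitigations the ruleset does not cover, so consider keeping it. These comment edits are unrelated to the RateLimit change in the subject line, and the comment block itself starts outside the hunk.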