JS: Recognize Fastify per-route rate limiting #21700
hvitved wants to merge 3 commits into github:main from
Conversation
javascript/ql/lib/semmle/javascript/security/dataflow/MissingRateLimiting.qll (comment marked fixed)
Branch force-pushed from 406c235 to 7a48409
Pull request overview
Updates the js/missing-rate-limiting query’s modeling and tests to recognize Fastify per-route rate limiting configurations.
Changes:
- Add modeling for Fastify per-route rate limiting via route options (`config.rateLimit` and `rateLimit`).
- Extend the CWE-770 MissingRateLimit query test to include per-route-limited and non-limited Fastify routes.
- Add a change note documenting the analysis improvement.
Summary per file:
| File | Description |
|---|---|
| javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimit/tst.js | Adds Fastify per-route rate limiting test cases and a new expected alert for an un-limited route. |
| javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimit/MissingRateLimiting.expected | Updates expected results to include the new un-limited Fastify route alert. |
| javascript/ql/src/change-notes/2026-04-13-fastify-per-route-rate-limit.md | Documents the query improvement in change notes. |
| javascript/ql/lib/semmle/javascript/security/dataflow/MissingRateLimiting.qll | Introduces a new model class to treat per-route Fastify rate limit options as rate limiting. |
Copilot's findings
- Files reviewed: 4/4 changed files
- Comments generated: 2
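The two option shapes the overview lists, as an added JavaScript example that is not part of this pull request or of the CodeQL query: a small stand-in Fastify instance that records route registrations the way the shorthand methods receive them, and an audit that applies the rule the model describes (a route counts as rate limited when its options carry `config.rateLimit` or a top-level `rateLimit`, or when the rate-limit plugin was registered globally). `createFakeFastify`, `rateLimitSetting`, `hasPerRouteRateLimit`, `findUnlimitedRoutes` and `demo` are names chosen here; treating `rateLimit: false` as an explicit opt-out and `{ global: false }` as "opt-in only" follows the plugin's documented semantics, which the PR text does not discuss; the query's separate criterion of whether a handler is expensive is left out.

```javascript
// Added example, not code from the pull request or the CodeQL query.
// A tiny stand-in for a Fastify instance: it records route registrations the
// way the real shorthand methods receive them, so the audit below can be run
// offline against constructed routes.
const RATE_LIMIT_PLUGIN = 'fastify-rate-limit'; // package name used in the PR's test file

function createFakeFastify() {
  const app = { routes: [], globalRateLimit: false };

  // Mock of fastify.register(): accepts the plugin's package name as a string
  // instead of the plugin function so nothing needs to be installed.
  // `{ global: false }` is the plugin option that limits only routes that opt in
  // (assumption about plugin semantics, not something the PR states).
  app.register = (plugin, pluginOpts = {}) => {
    if (plugin === RATE_LIMIT_PLUGIN && pluginOpts.global !== false) {
      app.globalRateLimit = true;
    }
    return app;
  };

  // Shorthand route methods: (path, handler) or (path, options, handler).
  for (const method of ['get', 'post', 'put', 'delete']) {
    app[method] = (path, optsOrHandler, maybeHandler) => {
      const hasOpts = typeof optsOrHandler !== 'function';
      app.routes.push({
        method: method.toUpperCase(),
        path,
        opts: hasOpts ? optsOrHandler : {},
        handler: hasOpts ? maybeHandler : optsOrHandler,
      });
      return app;
    };
  }
  return app;
}

// Returns the per-route rate-limit setting, looking at the two shapes the PR
// models: `config.rateLimit` first, then a top-level `rateLimit` property.
// Returns undefined when neither is present.
function rateLimitSetting(opts) {
  if (!opts || typeof opts !== 'object') return undefined;
  if (opts.config && typeof opts.config === 'object' && 'rateLimit' in opts.config) {
    return opts.config.rateLimit;
  }
  if ('rateLimit' in opts) return opts.rateLimit;
  return undefined;
}

// True when the route opts in to per-route limiting. `rateLimit: false` is the
// plugin's documented way to exclude a route, so it does not count (assumption
// about plugin semantics; the PR text does not say how the query treats it).
function hasPerRouteRateLimit(opts) {
  const setting = rateLimitSetting(opts);
  return setting !== undefined && setting !== false;
}

// Lists routes with no effective rate limit: neither a per-route opt-in nor a
// globally registered plugin covers them, or they opted out with `false`.
function findUnlimitedRoutes(app) {
  return app.routes
    .filter((r) => {
      const setting = rateLimitSetting(r.opts);
      if (setting === false) return true;          // explicit opt-out
      if (hasPerRouteRateLimit(r.opts)) return false;
      return !app.globalRateLimit;                 // fall back to global coverage
    })
    .map((r) => `${r.method} ${r.path}`);
}

// Constructed sample routes mirroring the kinds of cases the PR's test adds.
function demo() {
  const perRoute = createFakeFastify();
  perRoute.post('/login', { config: { rateLimit: { max: 5, timeWindow: '1 minute' } } }, () => 'ok');
  perRoute.post('/reset', { rateLimit: { max: 3, timeWindow: '1 minute' } }, () => 'ok');
  perRoute.post('/verify', () => 'ok');                       // neither shape: should alert
  perRoute.get('/open', { config: { rateLimit: false } }, () => 'ok'); // explicit opt-out

  const globalApp = createFakeFastify();
  globalApp.register(RATE_LIMIT_PLUGIN);
  globalApp.get('/bar', () => 'ok');                           // covered by the global plugin

  const optIn = createFakeFastify();
  optIn.register(RATE_LIMIT_PLUGIN, { global: false });
  optIn.get('/baz', () => 'ok');                               // plugin present, route never opts in

  return {
    perRoute: findUnlimitedRoutes(perRoute),
    globalApp: findUnlimitedRoutes(globalApp),
    optIn: findUnlimitedRoutes(optIn),
  };
}

console.log(demo());
```

Like the model as described in the overview, the audit looks only at the options object handed to the shorthand method; whether the plugin is actually registered, and under which `global` setting, is a separate runtime question that a static check of the route options alone cannot answer, which is why the `optIn` case above is worth keeping in mind when reading alerts.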
| * An options object with a `rateLimit` config passed to a Fastify shorthand route method, | ||
| * such as `fastify.post('/path', { config: { rateLimit: { ... } } }, handler)`. |
The comment describes only the config.rateLimit form, but the implementation also treats a top-level rateLimit property in the options object as per-route rate limiting. Consider updating the doc comment to mention both supported shapes so the documentation matches the behavior.
| * An options object with a `rateLimit` config passed to a Fastify shorthand route method, | |
| * such as `fastify.post('/path', { config: { rateLimit: { ... } } }, handler)`. | |
| * An options object passed to a Fastify shorthand route method that enables per-route | |
| * rate limiting, either via `config.rateLimit` or via a top-level `rateLimit` property, | |
| * such as `fastify.post('/path', { config: { rateLimit: { ... } } }, handler)` or | |
| * `fastify.post('/path', { rateLimit: { ... } }, handler)`. |
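Review bot: The suggested QLDoc still scopes the model to "a Fastify shorthand route method"; if the full route declaration form (`fastify.route({ method, url, config: { rateLimit: ... }, handler })`) is not recognized by the new class, say so in the same comment so readers of the model know which registration style is covered, and so a later contributor can see the gap rather than assume both forms are handled.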
| fastifyApp.register(require('fastify-rate-limit')); | ||
| fastifyApp.get('/bar', expensiveHandler1); | ||
|
|
||
| // Fastify per-route rate limiting via config.rateLimit |
This section header mentions only config.rateLimit, but the following test cases also cover the { rateLimit: ... } options shape. Consider adjusting the comment to reflect both forms to avoid confusion when updating/reading the tests later.
| // Fastify per-route rate limiting via config.rateLimit | |
| // Fastify per-route rate limiting via config.rateLimit or direct { rateLimit: ... } options |
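Review bot: The `fastifyApp.register(require('fastify-rate-limit'))` line in the context above is what keeps `/bar` quiet; if the query treats that registration as covering every route on `fastifyApp`, the new un-limited route that the overview says must produce an alert needs to be declared on a separate Fastify instance (or in a region of the file without the global registration), otherwise the global model would mask it and the updated `.expected` file would not actually exercise the per-route model.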
asgerf left a comment
LGTM if DCA doesn't complain
Authored with help from Copilot CLI.