
Add RateLimit to list of acceptable rate limiting headers #458

Closed
darrenspurgeon opened this issue Feb 17, 2024 · 3 comments
@darrenspurgeon

Enhancement request

In looking at the rule owasp-rate-limit and comparing against the RateLimit IETF draft, I wonder if we could add one more header string to the list of acceptable header names.

In the function GetOWASPRateLimitRule() (vacuum/rulesets/owasp_ruleset_functions.go), the following acceptable string values for RateLimit headers are defined:

  • xRatelimitLimit = "X-RateLimit-Limit"
  • xRateLimitLimit = "X-Rate-Limit-Limit"
  • ratelimitLimit = "RateLimit-Limit||RateLimit-Reset"

Those are certainly common, and in the draft the authors refer to the combined header RateLimit as a dictionary and examples show a combined header for limit, remaining, and reset tokens. In reviewing some of that team's GitHub PRs and commentary, they refer to RateLimit and its dictionary as the new style being proposed. For example:

HTTP/1.1 200 Ok
Content-Type: application/json
RateLimit: limit=100, remaining=0, reset=50

Can we add this to the list of acceptable values? It would be an additional var entry like: ratelimit = "RateLimit", and then add it to the FunctionOptions below in the model rule.
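To make the request concrete, here is an added example (editor's code, not vacuum's implementation) of the two pieces a rate-limit check needs: deciding whether a response's declared header names include one of the acceptable rate-limit headers, with the proposed bare RateLimit name included, and parsing the combined dictionary value shown in the post. The header list mirrors the three entries quoted above plus "RateLimit"; reading the "A||B" entry as "either name is accepted" is an assumption about the linter's convention, and requiring all three of limit, remaining and reset in the parsed value is stricter than the draft may be. The declared header names are a constructed sample.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// acceptableRateLimitHeaders mirrors the three entries quoted in the issue
// plus the proposed bare "RateLimit" name. The "A||B" entry is read as
// "either A or B" (an assumption about the linter's convention).
var acceptableRateLimitHeaders = []string{
	"X-RateLimit-Limit",
	"X-Rate-Limit-Limit",
	"RateLimit-Limit||RateLimit-Reset",
	"RateLimit", // proposed addition from the issue
}

// HasRateLimitHeader reports whether the declared response header names
// include at least one acceptable rate-limit header and which one matched.
// Comparison is case-insensitive because HTTP header names are.
func HasRateLimitHeader(declared []string) (string, bool) {
	have := make(map[string]bool, len(declared))
	for _, d := range declared {
		have[strings.ToLower(strings.TrimSpace(d))] = true
	}
	for _, entry := range acceptableRateLimitHeaders {
		for _, name := range strings.Split(entry, "||") {
			if have[strings.ToLower(name)] {
				return name, true
			}
		}
	}
	return "", false
}

// RateLimitPolicy holds the three tokens from the issue's example value.
type RateLimitPolicy struct {
	Limit, Remaining, Reset int
}

// ParseRateLimitDictionary parses a combined value such as
// "limit=100, remaining=0, reset=50". Unknown keys are ignored; a missing
// or malformed required key is an error, so a garbled header is never
// silently read as "no limit". Requiring all three keys is an assumption
// of this example, not a claim about the draft.
func ParseRateLimitDictionary(v string) (RateLimitPolicy, error) {
	var p RateLimitPolicy
	seen := map[string]bool{}
	for _, member := range strings.Split(v, ",") {
		member = strings.TrimSpace(member)
		if member == "" {
			continue
		}
		key, val, ok := strings.Cut(member, "=")
		if !ok {
			return p, fmt.Errorf("member %q has no '='", member)
		}
		key = strings.ToLower(strings.TrimSpace(key))
		n, err := strconv.Atoi(strings.TrimSpace(val))
		if err != nil || n < 0 {
			return p, fmt.Errorf("member %q: value must be a non-negative integer", member)
		}
		switch key {
		case "limit":
			p.Limit = n
		case "remaining":
			p.Remaining = n
		case "reset":
			p.Reset = n
		default:
			continue // unknown parameter, tolerated
		}
		seen[key] = true
	}
	for _, k := range []string{"limit", "remaining", "reset"} {
		if !seen[k] {
			return p, fmt.Errorf("missing required member %q", k)
		}
	}
	return p, nil
}

func main() {
	// Constructed sample: header names an OpenAPI response might declare.
	declared := []string{"Content-Type", "RateLimit"}
	name, ok := HasRateLimitHeader(declared)
	fmt.Println("rate-limit header present:", ok, "matched:", name)

	p, err := ParseRateLimitDictionary("limit=100, remaining=0, reset=50")
	fmt.Printf("policy=%+v err=%v\n", p, err)
}
```

With the sample input, HasRateLimitHeader matches the bare RateLimit name, which the existing list would have missed, and the parser returns limit 100, remaining 0, reset 50; a value with a missing or non-numeric member is rejected rather than treated as absent.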

@daveshanley
Owner

daveshanley commented Feb 19, 2024

Yes, we can add it. Please feel free to submit a PR!

daveshanley added a commit that referenced this issue Feb 20, 2024
Signed-off-by: quobix <dave@quobix.com>
@daveshanley daveshanley mentioned this issue Feb 20, 2024
@daveshanley
Owner

This was added in v0.9.9

https://github.com/daveshanley/vacuum/blob/main/rulesets/owasp_ruleset_functions.go#L277

@darrenspurgeon
Author

An official thank you, sir!
