feat: rate limit responses check for content too

stoplightio · Dec 31, 2022 · 95b862d · 95b862d
1 parent edb735b
commit 95b862d
Show file tree

Hide file tree

Showing 2 changed files with 101 additions and 6 deletions.
diff --git a/__tests__/owasp-api4-2019-rate-limit-responses-429.test.ts b/__tests__/owasp-api4-2019-rate-limit-responses-429.test.ts
@@ -0,0 +1,88 @@
+import { DiagnosticSeverity } from "@stoplight/types";
+import testRule from "./__helpers__/helper";
+
+testRule("owasp:api4:2019-rate-limit-responses-429", [
+  {
+    name: "valid: defines a 429 response with content",
+    document: {
+      openapi: "3.1.0",
+      info: { version: "1.0" },
+      paths: {
+        "/": {
+          get: {
+            responses: {
+              "429": {
+                description: "ok",
+                content: {
+                  "application/problem+json": {},
+                },
+              },
+            },
+          },
+        },
+      },
+    },
+    errors: [],
+  },
+
+  {
+    name: "invalid: 429 is not defined at all",
+    document: {
+      openapi: "3.1.0",
+      info: { version: "1.0" },
+      paths: {
+        "/": {
+          get: {
+            responses: {
+              "200": {
+                description: "ok",
+                content: {
+                  "application/json": {},
+                },
+              },
+            },
+          },
+        },
+      },
+    },
+    errors: [
+      {
+        message:
+          "Operation is missing rate limiting response in responses[429].",
+        path: ["paths", "/", "get", "responses"],
+        severity: DiagnosticSeverity.Warning,
+      },
+      {
+        message:
+          "Operation is missing rate limiting response in responses[429].content.",
+        path: ["paths", "/", "get", "responses"],
+        severity: DiagnosticSeverity.Warning,
+      },
+    ],
+  },
+
+  {
+    name: "invalid: 429 exists but content is missing",
+    document: {
+      openapi: "3.1.0",
+      info: { version: "1.0" },
+      paths: {
+        "/": {
+          get: {
+            responses: {
+              "429": {},
+            },
+          },
+        },
+      },
+    },
+    errors: [
+      {
+        message:
+          "Operation is missing rate limiting response in [429].content.",
+        path: ["paths", "/", "get", "responses", "429"],
+        severity: DiagnosticSeverity.Warning,
+      },
+    ],
+  },
+]);
diff --git a/src/ruleset.ts b/src/ruleset.ts
@@ -479,14 +479,21 @@ export default {
      * @author: Jason Harmon <https://github.com/jharmn>
      */
     "owasp:api4:2019-rate-limit-responses-429": {
-      description: "429 response should be defined.",
-      message: "{{description}}. Missing {{property}}",
+      message: "Operation is missing rate limiting response in {{property}}.",
+      description:
+        "OWASP API Security recommends defining schemas for all responses, even errors. A HTTP 429 response signals the API client is making too many requests, and will supply information about when to retry so that the client can back off calmly without everything breaking. Defining this response is important not just for documentation, but to empower contract testing to make sure the proper JSON structure is being returned instead of leaking implementation details in backtraces. It also ensures your API/framework/gateway actually has rate limiting set up.",
       severity: DiagnosticSeverity.Warning,
       given: "$.paths..responses",
-      then: {
-        field: "429",
-        function: truthy,
-      },
+      then: [
+        {
+          field: "429",
+          function: truthy,
+        },
+        {
+          field: "429.content",
+          function: truthy,
+        },
+      ],
     },
 
     /**