python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config

profile photo of returntocorpreturntocorp
Author
6,591
Download Count*

Django REST framework configuration is missing default rate- limiting options. This could inadvertently allow resource starvation or Denial of Service (DoS) attacks. Add 'DEFAULT_THROTTLE_CLASSES' and 'DEFAULT_THROTTLE_RATES' to add rate-limiting to your application.

Run Locally

Run in CI

Defintion

rules:
  - id: missing-throttle-config
    patterns:
      - pattern-not-inside: |
          REST_FRAMEWORK = {
            ...,
            "DEFAULT_THROTTLE_RATES": ...
          }
      - pattern-inside: |
          REST_FRAMEWORK = ...
      - pattern: REST_FRAMEWORK
    message: Django REST framework configuration is missing default rate- limiting
      options. This could inadvertently allow resource starvation or Denial of
      Service (DoS) attacks. Add 'DEFAULT_THROTTLE_CLASSES' and
      'DEFAULT_THROTTLE_RATES' to add rate-limiting to your application.
    metadata:
      owasp:
        - A05:2021 - Security Misconfiguration
        - A06:2017 - Security Misconfiguration
      cwe:
        - "CWE-400: Uncontrolled Resource Consumption"
      references:
        - https://www.django-rest-framework.org/api-guide/throttling/#setting-the-throttling-policy
      category: security
      technology:
        - django
      cwe2022-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    severity: WARNING
    languages:
      - python

Examples

missing-throttle-config.py

# ok: missing-throttle-config
REST_FRAMEWORK = {
    'PAGE_SIZE': 10,
    'DEFAULT_THROTTLE_CLASSES': [
        'rest_framework.throttling.AnonRateThrottle',
        'rest_framework.throttling.UserRateThrottle'
    ],
    'DEFAULT_THROTTLE_RATES': {
        'anon': '100/day',
        'user': '1000/day'
    },
    "SOMETHING_ELSE": {1: 2}
}

# ruleid: missing-throttle-config
REST_FRAMEWORK = {
    'PAGE_SIZE': 10
}