python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config

Author: semgrep
Download count: 6,591

Django REST framework configuration is missing default rate-limiting options. This could inadvertently allow resource starvation or Denial of Service (DoS) attacks. Add 'DEFAULT_THROTTLE_CLASSES' and 'DEFAULT_THROTTLE_RATES' to add rate-limiting to your application.

Definition

rules:
  - id: missing-throttle-config
    patterns:
      - pattern-not-inside: |
          REST_FRAMEWORK = {
            ...,
            "DEFAULT_THROTTLE_RATES": ...
          }
      - pattern-inside: |
          REST_FRAMEWORK = ...
      - pattern: REST_FRAMEWORK
    message: Django REST framework configuration is missing default rate-limiting
      options. This could inadvertently allow resource starvation or Denial of
      Service (DoS) attacks. Add 'DEFAULT_THROTTLE_CLASSES' and
      'DEFAULT_THROTTLE_RATES' to add rate-limiting to your application.
    metadata:
      owasp:
        - A05:2021 - Security Misconfiguration
        - A06:2017 - Security Misconfiguration
      cwe:
        - "CWE-400: Uncontrolled Resource Consumption"
      references:
        - https://www.django-rest-framework.org/api-guide/throttling/#setting-the-throttling-policy
      category: security
      technology:
        - django
      cwe2022-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Denial-of-Service (DoS)
    severity: WARNING
    languages:
      - python

Examples

missing-throttle-config.py

# ok: missing-throttle-config
REST_FRAMEWORK = {
    'PAGE_SIZE': 10,
    'DEFAULT_THROTTLE_CLASSES': [
        'rest_framework.throttling.AnonRateThrottle',
        'rest_framework.throttling.UserRateThrottle'
    ],
    'DEFAULT_THROTTLE_RATES': {
        'anon': '100/day',
        'user': '1000/day'
    },
    "SOMETHING_ELSE": {1: 2}
}

# ruleid: missing-throttle-config
REST_FRAMEWORK = {
    'PAGE_SIZE': 10
}
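As an added example (not part of the Semgrep rule or of Django REST framework), the check below re-implements the rule's intent over a settings module with Python's ast module: every REST_FRAMEWORK dict literal must carry both DEFAULT_THROTTLE_CLASSES and DEFAULT_THROTTLE_RATES (stricter than the pattern above, which only keys on DEFAULT_THROTTLE_RATES), a non-literal assignment is reported as unverifiable, and each rate string is checked against the "<int>/<period>" shape that DRF's SimpleRateThrottle.parse_rate() accepts. The sample settings are constructed from the test cases above.

```python
import ast
import re

# DRF's SimpleRateThrottle.parse_rate() splits "<num>/<period>" on "/" and
# keys the duration off the period's first letter: s, m, h or d.
RATE_RE = re.compile(r"^\d+/[smhd]\w*$")
REQUIRED_KEYS = ("DEFAULT_THROTTLE_CLASSES", "DEFAULT_THROTTLE_RATES")

def audit_rest_framework_settings(source: str) -> list[str]:
    """Mirror the Semgrep rule over a settings module, plus rate-syntax checks."""
    findings: list[str] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign) or not any(
                isinstance(t, ast.Name) and t.id == "REST_FRAMEWORK"
                for t in node.targets):
            continue
        cfg = node.value
        if not isinstance(cfg, ast.Dict):
            # e.g. REST_FRAMEWORK = build_settings(): the rule flags this too,
            # since no literal containing DEFAULT_THROTTLE_RATES is visible.
            findings.append(f"line {node.lineno}: REST_FRAMEWORK is not a dict "
                            "literal; throttling cannot be verified statically")
            continue
        keys = {k.value: v for k, v in zip(cfg.keys, cfg.values)
                if isinstance(k, ast.Constant) and isinstance(k.value, str)}
        for required in REQUIRED_KEYS:
            if required not in keys:
                findings.append(f"line {node.lineno}: missing {required}")
        rates = keys.get("DEFAULT_THROTTLE_RATES")
        if isinstance(rates, ast.Dict):
            for k, v in zip(rates.keys, rates.values):
                scope = k.value if isinstance(k, ast.Constant) else "?"
                if (isinstance(v, ast.Constant) and isinstance(v.value, str)
                        and not RATE_RE.match(v.value)):
                    findings.append(f"line {v.lineno}: rate {v.value!r} for "
                                    f"scope {scope!r} is not '<int>/<s|m|h|d>'")
    return findings

# Constructed sample settings, modelled on the rule's test cases above.
OK_SETTINGS = """
REST_FRAMEWORK = {
    'DEFAULT_THROTTLE_CLASSES': ['rest_framework.throttling.AnonRateThrottle'],
    'DEFAULT_THROTTLE_RATES': {'anon': '100/day', 'user': '1000/day'},
}
"""
BAD_SETTINGS = "REST_FRAMEWORK = {'PAGE_SIZE': 10}\n"

if __name__ == "__main__":
    for src in (OK_SETTINGS, BAD_SETTINGS):
        print(audit_rest_framework_settings(src) or "no findings")
```

A rate of None is left alone, since DRF treats it as "throttle disabled for this scope" rather than as a syntax error.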