added support for singulsr RateLimit header.

stoplightio · Feb 5, 2024 · ce37483 · ce37483
1 parent 32f93a4
commit ce37483
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 13 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,8 +15,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added `owasp:api5:2023-admin-security-unique`.
 - Added `owasp:api7:2023-concerning-url-parameter` to keep an eye out for URLs being passed as parameters and warn about server-side request forgery.
 - Added `owasp:api8:2023-no-server-http` which supports `servers` having a `url` which is a relative path.
-- Added `owasp:api9:2023-inventory-access` to indicate intended audience of every server
-- Added `owasp:api9:2023-inventory-environment` to declare intended environment for every server
+- Added `owasp:api9:2023-inventory-access` to indicate intended audience of every server.
+- Added `owasp:api9:2023-inventory-environment` to declare intended environment for every server.
 
 ### Changed
 
@@ -31,7 +31,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Renamed `owasp:api3:2019-define-error-validation` to `owasp:api8:2023-define-error-validation`.
 - Renamed `owasp:api3:2019-define-error-responses-401` to `owasp:api8:2023-define-error-responses-401`.
 - Renamed `owasp:api3:2019-define-error-responses-500` to `owasp:api8:2023-define-error-responses-500`.
-- Renamed `owasp:api4:2019-rate-limit` to `owasp:api4:2023-rate-limit`.
+- Renamed `owasp:api4:2019-rate-limit` to `owasp:api4:2023-rate-limit` and added support for the singular `RateLimit` header in draft-ietf-httpapi-ratelimit-headers-07.
 - Renamed `owasp:api4:2019-rate-limit-retry-after` to `owasp:api4:2023-rate-limit-retry-after`.
 - Renamed `owasp:api4:2019-rate-limit-responses-429` to `owasp:api4:2023-rate-limit-responses-429`.
 - Renamed `owasp:api4:2019-array-limit` to `owasp:api4:2023-array-limit`.

diff --git a/__tests__/owasp-api4-2023-rate-limit.test.ts b/__tests__/owasp-api4-2023-rate-limit.test.ts
@@ -3,7 +3,7 @@ import testRule from "./__helpers__/helper";
 
 testRule("owasp:api4:2023-rate-limit", [
   {
-    name: "valid use of IETF Draft HTTP RateLimit Headers",
+    name: "valid use of IETF Draft HTTP RateLimit-* Headers",
     document: {
       openapi: "3.1.0",
       info: { version: "1.0" },
@@ -34,6 +34,33 @@ testRule("owasp:api4:2023-rate-limit", [
     errors: [],
   },
 
+  {
+    name: "valid use of IETF Draft HTTP RateLimit Headers",
+    document: {
+      openapi: "3.1.0",
+      info: { version: "1.0" },
+      paths: {
+        "/": {
+          get: {
+            responses: {
+              "201": {
+                description: "ok",
+                headers: {
+                  RateLimit: {
+                    schema: {
+                      type: "string",
+                    },
+                  },
+                },
+              },
+            },
+          },
+        },
+      },
+    },
+    errors: [],
+  },
+
   {
     name: "valid use of Twitter-style Rate Limit Headers",
     document: {

diff --git a/src/ruleset.ts b/src/ruleset.ts
@@ -451,6 +451,9 @@ export default {
           schema: {
             type: "object",
             oneOf: [
+              {
+                required: ["RateLimit"],
+              },
               {
                 required: ["RateLimit-Limit", "RateLimit-Reset"],
               },
@@ -733,7 +736,6 @@ export default {
      * - ✅ Missing, outdated, or misconfigured TLS
      * - ❌ Exposed storage or server management panels
      * - ✅ Missing CORS policy or security headers
-     * https://github.com/stoplightio/spectral-owasp-ruleset/issues/5
      * - 🟠 Error messages with stack traces
      * https://github.com/stoplightio/spectral-owasp-ruleset/issues/12
      * - ❌ Unnecessary features enabled
@@ -924,16 +926,9 @@ export default {
      * Use case
      * - ❌ Interacts with other APIs over an unencrypted channel;
      * - ❌ Does not properly validate and sanitize data gathered from other APIs prior to processing it or passing it to downstream components;
-     * - 🟠 Blindly follows redirections;
-     *  https://github.com/stoplightio/spectral-owasp-ruleset/issues/55
+     * - ✅ Blindly follows redirections;
      * - ❌ Does not limit the number of resources available to process third-party services responses;
      * - ❌ Does not implement timeouts for interactions with third-party services;
-     *
-     * How to prevent
-     * - ❌ When evaluating service providers, assess their API security posture.
-     * - ❌ Ensure all API interactions (to upstream dependencies) happen over a secure communication channel (TLS).
-     * - ❌ Always validate and properly sanitize data received from integrated APIs before using it.
-     * - ❌ Maintain an allowlist of well-known locations integrated APIs may redirect yours to: do not blindly follow redirects.
      */
   },
 };