JavaScript: Add support for rateLimit export from express-rate-limit package.

Author: Max Schaefer

javascript/ql/lib/semmle/javascript/security/dataflow/MissingRateLimiting.qll

@@ -114,7 +114,14 @@ abstract class RateLimitingMiddleware extends DataFlow::SourceNode {
  * A rate limiter constructed using the `express-rate-limit` package.
  */
 class ExpressRateLimit extends RateLimitingMiddleware {
-  ExpressRateLimit() { this = API::moduleImport("express-rate-limit").getReturn().asSource() }
+  ExpressRateLimit() {
+    exists(API::Node rateLimitImport, API::Node rateLimit |
+      rateLimitImport = API::moduleImport("express-rate-limit") and
+      rateLimit in [rateLimitImport, rateLimitImport.getMember("rateLimit")]
+    |
+      this = rateLimit.getReturn().asSource()
+    )
+  }
 }
 
 /**

javascript/ql/src/change-notes/2023-10-26-express-rate-limit.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added modeling for importing `express-rate-limit` using a named import.

javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimit/tst3.js

@@ -0,0 +1,10 @@
+import express from "express";
+import { rateLimit } from "express-rate-limit";
+
+const app = express();
+
+const limiter = rateLimit();
+app.use(limiter)
+
+function expensiveHandler(req, res) { login(); }
+app.get('/:path', expensiveHandler);  // OK

javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimit/tst4.js

@@ -0,0 +1,10 @@
+import express from "express";
+import rateLimit from "express-rate-limit";
+
+const app = express();
+
+const limiter = rateLimit();
+app.use(limiter)
+
+function expensiveHandler(req, res) { login(); }
+app.get('/:path', expensiveHandler);  // OK