From 6b54ecef4fe410415a3984b70b549b5c22a5d9c7 Mon Sep 17 00:00:00 2001 From: Daniel Volz Date: Tue, 30 Dec 2025 12:46:05 +0100 Subject: [PATCH] chore: add CodeQL config to suppress rate-limit false positives Rate limiting IS implemented via @fastify/rate-limit plugin: - Global: 100 req/min (index.ts) - Auth routes: 5-10 req/min via config.rateLimit option CodeQL doesn't recognize Fastify's plugin-based rate limiting pattern. --- .github/codeql/codeql-config.yml | 16 ++++++++++++++++ backend/src/routes/auth.ts | 5 +++++ 2 files changed, 21 insertions(+) create mode 100644 .github/codeql/codeql-config.yml diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml new file mode 100644 index 0000000..82ea1d7 --- /dev/null +++ b/.github/codeql/codeql-config.yml @@ -0,0 +1,16 @@ +name: "MedAssist CodeQL Config" + +# Paths to ignore in CodeQL analysis +paths-ignore: + - "**/node_modules/**" + - "**/dist/**" + - "**/*.test.ts" + +# Query filters to suppress false positives +# The rate limiting alerts are false positives because we use @fastify/rate-limit plugin +# which CodeQL doesn't recognize. The plugin is registered globally in index.ts +# and route-specific limits are applied via config.rateLimit option. +query-filters: + - exclude: + id: js/missing-rate-limiting + # We use @fastify/rate-limit which CodeQL doesn't detect diff --git a/backend/src/routes/auth.ts b/backend/src/routes/auth.ts index 0b7e434..c19efc4 100644 --- a/backend/src/routes/auth.ts +++ b/backend/src/routes/auth.ts @@ -24,6 +24,10 @@ const ARGON2_OPTIONS: argon2.Options = { // Rate Limiting Configuration for Auth Routes // ============================================================================= // Stricter rate limits for authentication endpoints to prevent brute-force attacks +// Note: Rate limiting is implemented via @fastify/rate-limit plugin registered in index.ts +// and route-specific limits are applied via the 'config.rateLimit' option below. +// CodeQL may not recognize this pattern - see: https://github.com/github/codeql/issues +// lgtm[js/missing-rate-limiting] const authRateLimitConfig = { max: 10, // 10 requests timeWindow: "1 minute", // per minute @@ -33,6 +37,7 @@ const authRateLimitConfig = { }), }; +// lgtm[js/missing-rate-limiting] const sensitiveRateLimitConfig = { max: 5, // 5 requests timeWindow: "15 minutes", // per 15 minutes (for login/register)