Skip to content

CodeQL false positive: js/missing-rate-limiting on admin routes with custom middleware #691

Description

@Ferryx349

Summary

CodeQL flags js/missing-rate-limiting (High) on authenticated admin routes that already use our custom Redis-backed rate limiter. This blocks otherwise correct admin PRs in CI.

Affected PRs

Example (#690)

router.patch('/settings', adminRateLimitMiddleware, adminAuthMiddleware, json(), ...)
router.post('/settings/validate', adminRateLimitMiddleware, adminAuthMiddleware, ...)

Both routes include adminRateLimitMiddleware before auth. CodeQL still reports missing rate limiting.

Proposed fix

CodeQL config to recognize adminRateLimitMiddleware as a rate limiter

Metadata

Metadata

Assignees

Labels

bugSomething isn't working

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions