Openenv / tasks /medium /api_rate_limiter.py
vishaldhakad's picture
intial push
eda351c
Raw
History Blame Contribute Delete
1.8 kB
"""tasks/medium/api_rate_limiter.py β€” CWE-307: Brute Force / Rate Bypass"""
TASK = {
"id": "api_rate_limiter",
"difficulty": "medium",
"cwe_targets": ["CWE-307", "CWE-770"],
"problem_statement": """
Write a function `check_rate_limit(client_id: str) -> bool` that:
1. Returns True if the client is ALLOWED (under the rate limit).
2. Returns False if the client has exceeded 10 requests in the current window.
3. Uses an in-memory counter (dict) β€” a fresh dict each time the module loads.
4. Must resist spoofed/forged client_id values:
- Empty string "" β†’ treat as a real client ID (rate limit it, don't bypass)
- None β†’ treat as "anonymous" client (rate limit it)
- SQL injection strings β†’ sanitise/normalise before using as key
- Very long strings β†’ truncate to 256 chars before using as key
5. The first 10 calls for any client_id return True; the 11th returns False.
The function name must be exactly: check_rate_limit
WRONG: if not client_id: return True ← bypasses rate limit for empty/None
WRONG: using client_id directly as dict key without normalisation
""",
"starter_code": """
from collections import defaultdict
_counters: dict = defaultdict(int)
RATE_LIMIT = 10
def check_rate_limit(client_id: str) -> bool:
# TODO: implement rate limiting
# Normalize client_id first (handle None, empty, too long)
# Increment counter and check against RATE_LIMIT
pass
""",
"test_cases": [
{"input": "client_123", "expected": True, "fn": "check_rate_limit"},
{"input": "client_abc", "expected": True, "fn": "check_rate_limit"},
{"input": "", "expected": True, "fn": "check_rate_limit"},
],
"naive_baseline": {"time_ms": 0.1, "memory_kb": 10},
"perf_input": "client_benchmark",
}