feat(rate-limiting): Implement core rate limiting functionality with configuration, decision-making, metrics, middleware, and service registration

- Add RateLimitConfig for configuration management with YAML binding support. - Introduce RateLimitDecision to encapsulate the result of rate limit checks. - Implement RateLimitMetrics for OpenTelemetry metrics tracking. - Create RateLimitMiddleware for enforcing rate limits on incoming requests. - Develop RateLimitService to orchestrate instance and environment rate limit checks. - Add RateLimitServiceCollectionExtensions for dependency injection registration.
2025-12-17 18:02:37 +02:00
parent 394b57f6bf
commit 8bbfe4d2d2
211 changed files with 47179 additions and 1590 deletions
--- a/datasets/reachability/corpus.json
+++ b/datasets/reachability/corpus.json
@@ -0,0 +1,143 @@
+{
+  "$schema": "https://stellaops.io/schemas/corpus-index.v1.json",
+  "version": "1.0.0",
+  "description": "Ground-truth corpus for binary reachability benchmarking",
+  "createdAt": "2025-12-17T00:00:00Z",
+  "samples": [
+    {
+      "sampleId": "gt-0001",
+      "category": "basic",
+      "path": "ground-truth/basic/gt-0001/sample.manifest.json",
+      "description": "Direct call to vulnerable sink from main"
+    },
+    {
+      "sampleId": "gt-0002",
+      "category": "basic",
+      "path": "ground-truth/basic/gt-0002/sample.manifest.json",
+      "description": "Two-hop call chain to vulnerable sink"
+    },
+    {
+      "sampleId": "gt-0003",
+      "category": "basic",
+      "path": "ground-truth/basic/gt-0003/sample.manifest.json",
+      "description": "Three-hop call chain with multiple sinks"
+    },
+    {
+      "sampleId": "gt-0004",
+      "category": "basic",
+      "path": "ground-truth/basic/gt-0004/sample.manifest.json",
+      "description": "Function pointer call to sink"
+    },
+    {
+      "sampleId": "gt-0005",
+      "category": "basic",
+      "path": "ground-truth/basic/gt-0005/sample.manifest.json",
+      "description": "Recursive function with sink"
+    },
+    {
+      "sampleId": "gt-0006",
+      "category": "indirect",
+      "path": "ground-truth/indirect/gt-0006/sample.manifest.json",
+      "description": "Indirect call via callback"
+    },
+    {
+      "sampleId": "gt-0007",
+      "category": "indirect",
+      "path": "ground-truth/indirect/gt-0007/sample.manifest.json",
+      "description": "Virtual function dispatch"
+    },
+    {
+      "sampleId": "gt-0008",
+      "category": "guarded",
+      "path": "ground-truth/guarded/gt-0008/sample.manifest.json",
+      "description": "Sink behind constant false guard"
+    },
+    {
+      "sampleId": "gt-0009",
+      "category": "guarded",
+      "path": "ground-truth/guarded/gt-0009/sample.manifest.json",
+      "description": "Sink behind input-dependent guard"
+    },
+    {
+      "sampleId": "gt-0010",
+      "category": "guarded",
+      "path": "ground-truth/guarded/gt-0010/sample.manifest.json",
+      "description": "Sink behind environment variable guard"
+    },
+    {
+      "sampleId": "gt-0011",
+      "category": "basic",
+      "path": "ground-truth/basic/gt-0011/sample.manifest.json",
+      "description": "Unreachable sink - dead code after return"
+    },
+    {
+      "sampleId": "gt-0012",
+      "category": "basic",
+      "path": "ground-truth/basic/gt-0012/sample.manifest.json",
+      "description": "Unreachable sink - never called function"
+    },
+    {
+      "sampleId": "gt-0013",
+      "category": "basic",
+      "path": "ground-truth/basic/gt-0013/sample.manifest.json",
+      "description": "Unreachable sink - #ifdef disabled"
+    },
+    {
+      "sampleId": "gt-0014",
+      "category": "guarded",
+      "path": "ground-truth/guarded/gt-0014/sample.manifest.json",
+      "description": "Unreachable sink - constant true early return"
+    },
+    {
+      "sampleId": "gt-0015",
+      "category": "guarded",
+      "path": "ground-truth/guarded/gt-0015/sample.manifest.json",
+      "description": "Unreachable sink - impossible branch condition"
+    },
+    {
+      "sampleId": "gt-0016",
+      "category": "stripped",
+      "path": "ground-truth/stripped/gt-0016/sample.manifest.json",
+      "description": "Stripped binary - reachable sink"
+    },
+    {
+      "sampleId": "gt-0017",
+      "category": "stripped",
+      "path": "ground-truth/stripped/gt-0017/sample.manifest.json",
+      "description": "Stripped binary - unreachable sink"
+    },
+    {
+      "sampleId": "gt-0018",
+      "category": "obfuscated",
+      "path": "ground-truth/obfuscated/gt-0018/sample.manifest.json",
+      "description": "Control flow obfuscation - reachable"
+    },
+    {
+      "sampleId": "gt-0019",
+      "category": "obfuscated",
+      "path": "ground-truth/obfuscated/gt-0019/sample.manifest.json",
+      "description": "String obfuscation - reachable"
+    },
+    {
+      "sampleId": "gt-0020",
+      "category": "callback",
+      "path": "ground-truth/callback/gt-0020/sample.manifest.json",
+      "description": "Async callback chain - reachable"
+    }
+  ],
+  "statistics": {
+    "totalSamples": 20,
+    "byCategory": {
+      "basic": 8,
+      "indirect": 2,
+      "guarded": 4,
+      "stripped": 2,
+      "obfuscated": 2,
+      "callback": 2
+    },
+    "byExpected": {
+      "reachable": 13,
+      "unreachable": 7
+    }
+  }
+}