Exposure of Resource to Wrong Sphere

3 rules detect this

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Resources should only be accessible to the actors intended to use them. When a resource is exposed to the wrong sphere (public instead of private, the node's filesystem instead of the container's, every cluster node instead of the cluster's ingress point, any caller instead of the owning class), unauthorized actors can read sensitive data or invoke functionality they were never meant to reach. The three rules on this page (CWE-668) cover those cases for Kubernetes manifests and TypeScript code.

Prevalence: High (frequently exploited)
Impact: Critical (1 rule with critical severity)
Prevention: Documented (3 fix examples)

2 Prevention

How to fix this vulnerability

HostPath Volume Mounted CRITICAL

Use PersistentVolumeClaim or emptyDir instead of hostPath volumes. A hostPath volume hands the container a directory of the node's own filesystem, so a compromised container can read or tamper with node state rather than being confined to its pod. Cluster-managed storage (a PersistentVolumeClaim) or a pod-lifetime scratch directory (emptyDir) keeps the data inside the pod's sphere. Where hostPath is genuinely required (node agents, log shippers), mount it with readOnly: true and restrict who may use it through admission policy; the Pod Security Standards baseline profile already rejects hostPath volumes.

+2 -2 yaml
  apiVersion: v1
  kind: Pod
  spec:
    volumes:
    - name: data
-     hostPath:
-       path: /data
+     persistentVolumeClaim:
+       claimName: app-data-pvc
    containers:
    - name: app
      image: nginx:1.25
      volumeMounts:
      - name: data
        mountPath: /app/data
  
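Review bot: the `+` side refers to claimName: app-data-pvc, but no PersistentVolumeClaim object accompanies the change, so the pod will sit in Pending until a claim with that name exists in the same namespace; ship the PVC (or use emptyDir if the data need not outlive the pod, as the description allows) in the same fix. Separately, the volumeMount at mountPath: /app/data keeps whatever access the old hostPath mount had; if the app only reads, add readOnly: true to the mount so the storage swap also tightens the permission.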
NodePort Service Exposes Application MEDIUM

Use ClusterIP with Ingress or LoadBalancer instead of NodePort for production services. A NodePort Service binds the chosen port (default range 30000-32767) on every node's IP address, so the application is reachable on any node that accepts traffic, outside whatever TLS termination, authentication and rate limiting the cluster's ingress layer applies. A ClusterIP Service is only reachable inside the cluster; external access then goes through a single, policy-controlled entry point (an Ingress, or a LoadBalancer Service where a cloud load balancer is the intended edge).

+4 -4 yaml
  apiVersion: v1
  kind: Service
  spec:
-   type: NodePort
-   ports:
-     - port: 80
-       nodePort: 30080
+   type: ClusterIP
+   ports:
+     - port: 80
+       targetPort: 8080
  
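Review bot: the hunk changes more than the Service type. The `-` side has port: 80 with no targetPort (traffic went to container port 80), while the `+` side adds targetPort: 8080; unless the container actually listens on 8080 this silently breaks the Service, and it is unrelated to the NodePort finding, so either drop the targetPort change or justify it. Also, switching to ClusterIP makes the application unreachable from outside the cluster, yet the Ingress (or LoadBalancer) the description promises is not part of the change; the fix should include the Ingress object that fronts this Service, otherwise the next person will flip it back to NodePort.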
TypeScript Access Modifier Bypass HIGH

Use ECMAScript private fields (#) for true runtime encapsulation instead of TypeScript's compile-time-only modifiers. TypeScript's private and protected are erased when the code is emitted: at runtime the field is an ordinary own property, readable through bracket access, an any cast, Object.keys, or a logger that calls JSON.stringify on the object. A # field is enforced by the JavaScript engine itself, so none of those paths can reach it, and the class decides what it exposes (here a comparison, never the token value).
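The runtime difference behind this rule, shown as an added example that is not part of the page's fix or of the Shoulder project's code: LeakySession uses TypeScript's private, SealedSession uses an ECMAScript # field, and a hypothetical probe helper lists what any holder of the object can observe through Object.keys, bracket access, an any cast and JSON.stringify (the last matters because a logger that serialises the session object is a common real leak path). The class and helper names are invented for the example.

```typescript
// Added example (not from the page or from Shoulder). TypeScript's `private`
// is a compile-time check only; `#` fields are enforced by the engine.

class LeakySession {
  private token: string;           // erased at emit: plain own property
  constructor(token: string) {
    this.token = token;
  }
  validateToken(input: string): boolean {
    return this.token === input;
  }
}

class SealedSession {
  #token: string;                  // engine-enforced private name
  constructor(token: string) {
    this.#token = token;
  }
  // The only sanctioned use of the secret: compare, never return it.
  validateToken(input: string): boolean {
    return this.#token === input;
  }
}

// Everything a caller can learn about an object without the class's
// cooperation: own property names, bracket access, an `any` cast, and
// serialisation (what a careless logger does).
interface Exposure {
  ownKeys: string[];
  bracket: unknown;
  viaAny: unknown;
  json: string;
}

function probe(obj: object, field: string): Exposure {
  const rec = obj as unknown as Record<string, unknown>;
  return {
    ownKeys: Object.keys(obj),
    bracket: rec[field],
    viaAny: (obj as any)[field],
    json: JSON.stringify(obj),
  };
}

// TypeScript `private`: every path returns the token.
function leakyExposure(): Exposure {
  return probe(new LeakySession('s3cr3t'), 'token');
}

// ECMAScript `#` field: no own key, bracket/any access undefined, empty JSON.
function sealedExposure(): Exposure {
  return probe(new SealedSession('s3cr3t'), '#token');
}

// Encapsulation does not cost functionality: the class still validates.
function sealedStillWorks(): boolean {
  const s = new SealedSession('s3cr3t');
  return s.validateToken('s3cr3t') && !s.validateToken('wrong');
}
```

A # field only hides the value from code outside the class. A method that returns this.#token, or a debugger attached to the process, still sees it, which is why SealedSession exposes a comparison rather than a getter.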

+16 -12 javascript
  class UserSession {
-   private token: string;
-   private _refreshToken: string;
- 
-   constructor(token: string, refresh: string) {
-     this.token = token;
-     this._refreshToken = refresh;
-   }
- }
- 
- const session = new UserSession('abc', 'xyz');
- const leaked = (session as any).token;
- const alsoLeaked = session['_refreshToken'];
+   #token: string;
+   #refreshToken: string;
+ 
+   constructor(token: string, refresh: string) {
+     this.#token = token;
+     this.#refreshToken = refresh;
+   }
+ 
+   validateToken(input: string): boolean {
+     return this.#token === input;
+   }
+ }
+ 
+ const session = new UserSession('abc', 'xyz');
+ // session.#token -> SyntaxError at runtime
+ // session['#token'] -> undefined
  
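Review bot: the comment `// session.#token -> SyntaxError at runtime` on the `+` side is misleading: a `#` name used outside its class is an early (parse-time) error, so a file containing it never runs at all, and TypeScript rejects it at compile time before that. The runtime-reachable paths are the ones the `-` side demonstrated, (session as any).token and session['_refreshToken']; it would be clearer to keep those two lines on the `+` side with a comment that they now yield undefined. Two smaller points: the diff header says javascript while the body is TypeScript (type annotations, `as any`), and validateToken is the right shape (compare inside the class, never return the secret), but nothing in the change stops a later method from returning this.#token, so getters on this class deserve the same review.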
3 Detection

Find vulnerabilities in your code

Use Shoulder to scan your code for Exposure of Resource to Wrong Sphere patterns. 3 rules.

Terminal
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=668

# Or scan entire project
npx @shoulderdev/cli trust .
4 Warning signs

What to look for in code reviews

These patterns indicate potential Exposure of Resource to Wrong Sphere vulnerabilities. Watch for them during code reviews and security audits.

🟠 Access modifier bypass detected using .... Private/protected fields accessed through runtime mechanisms. (typescript-access-modifier-bypass)
🟡 Service uses NodePort type, which exposes the application on all cluster nodes. (kubernetes-nodeport-service)
🔴 HostPath volumes mount directories from the host filesystem into the pod. (kubernetes-hostpath-volume)
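Both Kubernetes signs can also be checked mechanically against a live cluster rather than only in manifests. The following is an added example, not Shoulder's rule implementation: a TypeScript check over the JSON that kubectl get pods,deployments,services -A -o json produces, flagging hostPath volumes in pod specs and pod templates, and NodePort services. The List it scans is constructed inline for the example; the field paths (spec.volumes[].hostPath, spec.template.spec, spec.type, spec.ports[].nodePort) are the real Kubernetes API shape, and the page's rule ids are reused as finding labels. The function names are invented for the example.

```typescript
// Added example (not Shoulder's rule code): flag the two Kubernetes
// wrong-sphere patterns from this page in `kubectl ... -o json` output.

interface Finding {
  rule: 'kubernetes-hostpath-volume' | 'kubernetes-nodeport-service';
  severity: 'CRITICAL' | 'MEDIUM';
  resource: string;   // "<Kind> <namespace>/<name>"
  detail: string;
}

// Minimal view of a Kubernetes object; `spec` is left loose because Pod,
// Deployment and Service specs differ.
interface K8sObject {
  kind: string;
  metadata: { name: string; namespace?: string };
  spec?: any;
}

function flagResource(obj: K8sObject): Finding[] {
  const findings: Finding[] = [];
  const where = `${obj.metadata.namespace ?? 'default'}/${obj.metadata.name}`;

  // Pods carry volumes directly; workload controllers (Deployment, DaemonSet,
  // StatefulSet, Job) carry them in spec.template.spec.
  const podSpec = obj.kind === 'Pod' ? obj.spec : obj.spec?.template?.spec;
  const volumes: any[] = podSpec?.volumes ?? [];
  for (const vol of volumes) {
    if (vol.hostPath) {
      findings.push({
        rule: 'kubernetes-hostpath-volume',
        severity: 'CRITICAL',
        resource: `${obj.kind} ${where}`,
        detail: `volume "${vol.name}" mounts host path ${vol.hostPath.path}`,
      });
    }
  }

  // A NodePort Service opens its port on every node's IP, outside the
  // cluster's ingress controls.
  if (obj.kind === 'Service' && obj.spec?.type === 'NodePort') {
    const nodePorts: (number | string)[] =
      (obj.spec.ports ?? []).map((p: any) => p.nodePort ?? 'auto');
    findings.push({
      rule: 'kubernetes-nodeport-service',
      severity: 'MEDIUM',
      resource: `Service ${where}`,
      detail: `nodePort(s) ${nodePorts.join(', ')} reachable on all nodes`,
    });
  }
  return findings;
}

function scanList(list: { items: K8sObject[] }): Finding[] {
  const out: Finding[] = [];
  for (const item of list.items) {
    out.push(...flagResource(item));
  }
  return out;
}

// Constructed sample (not real cluster output): one hostPath Pod, one clean
// Deployment using a PVC, one NodePort Service and one ClusterIP Service.
const SAMPLE_LIST: { items: K8sObject[] } = {
  items: [
    { kind: 'Pod', metadata: { name: 'app', namespace: 'prod' },
      spec: { volumes: [{ name: 'data', hostPath: { path: '/data' } }] } },
    { kind: 'Deployment', metadata: { name: 'web', namespace: 'prod' },
      spec: { template: { spec: { volumes: [
        { name: 'data', persistentVolumeClaim: { claimName: 'app-data-pvc' } }] } } } },
    { kind: 'Service', metadata: { name: 'app', namespace: 'prod' },
      spec: { type: 'NodePort', ports: [{ port: 80, nodePort: 30080 }] } },
    { kind: 'Service', metadata: { name: 'web', namespace: 'prod' },
      spec: { type: 'ClusterIP', ports: [{ port: 80, targetPort: 8080 }] } },
  ],
};

function scanSample(): Finding[] {
  return scanList(SAMPLE_LIST);
}
```

Run against a real cluster by piping kubectl get pods,deployments,services -A -o json into scanList; the hostPath hit should then be cross-checked against the namespace's Pod Security admission level, since the baseline profile rejects hostPath volumes outright.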
Scan your codebase for Exposure of Resource to Wrong Sphere

Shoulder CLI finds vulnerable patterns across your entire codebase.