# prisma (TypeScript) Security Rules

5 detection rules for the prisma framework in TypeScript

- Total rules: 5
- CWE coverage: 5

## CRITICAL (3)

- **Prisma Mass Assignment Vulnerability**: Spreading `req.body` into a Prisma `create` or `update` call lets attackers set protected fields such as `role`, `credits`, or `permissions`.
- **Prisma Raw Query SQL Injection**: Using a plain template literal instead of the `Prisma.sql` tagged template in `$queryRaw` bypasses parameter binding and enables SQL injection.
- **Prisma Sensitive Field Exposure**: Prisma returns all fields of a model by default. Without `select` or `omit`, password hashes and API tokens can leak to clients.

## HIGH (1)

- **Prisma Missing Input Validation**: Passing `req.body` directly into a Prisma `where` or `data` argument lets users filter by unauthorized fields and bypass access controls.

## MEDIUM (1)

- **Prisma Unbounded Relation Loading**: Relation `include`s without a `take` limit can exhaust database and memory resources, causing denial of service.