# typeorm (TypeScript) Security Rules

5 detection rules for the typeorm framework in TypeScript

- Total rules: 5
- CWE coverage: 4

## CRITICAL (3)

- **TypeORM Mass Assignment Vulnerability**: Assigning `req.body` directly to an entity (for example `repo.save(req.body)` or `Object.assign(user, req.body)`) lets an attacker set protected fields such as `role`, `isAdmin`, or `credits` alongside the fields the endpoint meant to accept.
- **TypeORM SQL Injection in Raw Query**: Raw SQL passed to `query()` that is built with string concatenation or template literals bypasses TypeORM's parameter binding, enabling SQL injection; the safe form keeps user input in the separate parameters argument.
- **TypeORM Query Builder SQL Injection**: `where()`/`andWhere()`/`orWhere()` clauses built with template literals or concatenation bypass parameter binding, enabling SQL injection; the safe form uses named placeholders such as `:id` together with a parameters object.

## HIGH (2)

- **TypeORM Entity Missing Validation**: Entities without class-validator decorators accept any data, so injection payloads and malformed values reach persistence unchecked and data integrity suffers. Validation is defense in depth here; parameter binding, not validation, is what blocks SQL injection.
- **TypeORM Unsafe Database Migration**: Migrations that run DROP TABLE / DROP COLUMN without a backup or a reversible `down()` cause permanent data loss, and application code still referencing the dropped schema fails at runtime.
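The mass assignment rule, as an added example that is not code from the rule set or from TypeORM: the vulnerable whole-body merge next to a whitelist helper that only copies the fields the endpoint owns. The `User` shape, its field names and the attacker request body are assumptions constructed for the illustration; no TypeORM import is needed to show the point, because the damage is done before `save()` is ever called.

```typescript
// Added example (not from the rule set or TypeORM). The User shape and the
// request body below are constructed assumptions for the illustration.

interface User {
  id: number;
  email: string;
  displayName: string;
  role: "user" | "admin";
  isAdmin: boolean;
  credits: number;
}

// Fields a self-service profile update may change. Everything else
// (id, role, isAdmin, credits) is server-controlled. The `=== true` check
// also rejects keys like "__proto__" or "constructor" that resolve to
// inherited values rather than to an explicit whitelist entry.
type ProfileField = "email" | "displayName";
const PROFILE_WRITABLE: { [field: string]: boolean } = { email: true, displayName: true };

// Vulnerable pattern the CRITICAL rule flags: the whole request body is
// merged into the entity, so {"role":"admin","credits":1000000} is honoured.
function updateProfileUnsafe(user: User, body: Record<string, unknown>): User {
  return { ...user, ...body } as unknown as User;
}

// Hardened version: copy only whitelisted keys whose value has the expected
// type, leave the input untouched, and report every dropped key so the
// caller can log an attempted privilege escalation.
function updateProfileSafe(
  user: User,
  body: Record<string, unknown>,
): { user: User; rejected: string[] } {
  const next: User = { ...user };
  const rejected: string[] = [];
  for (const key of Object.keys(body)) {
    const value = body[key];
    if (PROFILE_WRITABLE[key] !== true || typeof value !== "string") {
      rejected.push(key);
      continue;
    }
    next[key as ProfileField] = value;
  }
  return { user: next, rejected };
}

// Constructed request an attacker might send to PATCH /profile.
const ATTACKER_BODY: Record<string, unknown> = {
  displayName: "Mallory",
  role: "admin",
  isAdmin: true,
  credits: 1000000,
};

// Constructed stored entity the request is applied to.
const SAMPLE_USER: User = {
  id: 7,
  email: "m@example.com",
  displayName: "mal",
  role: "user",
  isAdmin: false,
  credits: 10,
};
```

With the hardened helper, `displayName` changes and `role`, `isAdmin` and `credits` are reported as rejected; with the unsafe merge the same body produces an admin with a million credits. The same whitelist idea applies to a DTO class consumed by a validation pipe, which is the usual shape in a NestJS + TypeORM stack.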
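The two SQL-injection rules, as an added example that is not part of the rule set: a heuristic line scanner that reports a TypeORM SQL sink whose first argument is a template literal with `${...}` interpolation or a string literal immediately concatenated with `+`. The sink method names (`query`, `where`, `andWhere`, `orWhere`, `having`, `andHaving`, `orHaving`) are real TypeORM methods; the rule identifiers and the sample source are constructed for this example.

```typescript
// Added example (not from the rule set): heuristic detection of the two
// CRITICAL SQL-injection patterns. Rule ids and sample source are invented.

type RuleId = "typeorm-raw-query-sqli" | "typeorm-querybuilder-sqli";

interface Finding {
  rule: RuleId;
  line: number;   // 1-based line in the scanned source
  sink: string;   // method that received the dynamic SQL
  snippet: string;
}

// DataSource/EntityManager/QueryRunner `.query()` takes a full raw SQL
// string; the QueryBuilder methods take SQL fragments. Both are sinks.
const RAW_SINKS = ["query"];
const BUILDER_SINKS = ["where", "andWhere", "orWhere", "having", "andHaving", "orHaving"];
const SINK_RE = new RegExp(
  "\\.(" + RAW_SINKS.concat(BUILDER_SINKS).join("|") + ")\\s*\\(",
  "g",
);

// The text after the opening parenthesis is dynamic SQL when it is a
// template literal that interpolates, or a quoted literal followed by `+`.
// A literal followed by `,` (placeholders plus a parameters argument) is the
// safe shape. A bare identifier cannot be judged from one line.
function firstArgIsDynamicSql(argText: string): boolean {
  const arg = argText.replace(/^\s+/, "");
  const quote = arg.charAt(0);
  if (quote === "`") {
    const close = arg.indexOf("`", 1);
    const literal = close === -1 ? arg : arg.slice(0, close + 1);
    return literal.indexOf("${") !== -1;
  }
  if (quote === '"' || quote === "'") {
    const close = arg.indexOf(quote, 1);
    if (close === -1) return false;
    const rest = arg.slice(close + 1).replace(/^\s+/, "");
    return rest.charAt(0) === "+";
  }
  return false;
}

// Scan every line for sink calls and classify each dynamic argument.
function scanSource(source: string): Finding[] {
  const findings: Finding[] = [];
  const lines = source.split("\n");
  for (let i = 0; i < lines.length; i++) {
    const text = lines[i];
    SINK_RE.lastIndex = 0;
    let m: RegExpExecArray | null;
    while ((m = SINK_RE.exec(text)) !== null) {
      const sink = m[1];
      if (!firstArgIsDynamicSql(text.slice(m.index + m[0].length))) continue;
      findings.push({
        rule: RAW_SINKS.indexOf(sink) !== -1 ? "typeorm-raw-query-sqli" : "typeorm-querybuilder-sqli",
        line: i + 1,
        sink,
        snippet: text.trim(),
      });
    }
  }
  return findings;
}

// Constructed sample source. Lines 2 and 5 are the vulnerable calls; the
// parameterized calls on lines 3 and 6 and the orderBy on line 7 are not.
const SAMPLE_SOURCE = [
  "const id = req.params.id;",
  "const rows = await dataSource.query(`SELECT * FROM users WHERE id = ${id}`);",
  "const safe = await dataSource.query('SELECT * FROM users WHERE id = $1', [id]);",
  "const qb = repo.createQueryBuilder('user')",
  "  .where(\"user.email = '\" + req.query.email + \"'\")",
  "  .andWhere('user.active = :active', { active: true })",
  "  .orderBy('user.id');",
].join("\n");
```

Running `scanSource(SAMPLE_SOURCE)` yields two findings: the raw `query()` template literal on line 2 and the concatenated `where()` on line 5. Being line-based, the scanner misses SQL assembled into a variable before the call (`.query(sql)`) and will flag constant-only concatenation such as `"a" + "b"`; a production rule tracks taint from request inputs through an AST rather than matching text.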