# trpc (TypeScript) Security Rules

5 detection rules for trpc framework in TypeScript

- Total rules: 5
- CWE coverage: 4

## CRITICAL (1)

- **tRPC Protected Procedure Missing Authentication**: Using publicProcedure for mutations or user-specific data allows unauthenticated access and account manipulation.

## HIGH (2)

- **tRPC Unsafe Context Usage**: Using unvalidated headers, cookies, or query params in context creation allows attackers to bypass authentication and impersonate users.
- **tRPC Procedure Missing Input Validation**: tRPC procedures without .input() validation accept unvalidated payloads at runtime, enabling injection and type confusion attacks.

## MEDIUM (2)

- **tRPC Error Information Disclosure**: Exposing raw errors, stack traces, or database details to clients aids attackers in reconnaissance and exploitation.
- **tRPC Type Safety Bypass with Any**: Using 'any' type in tRPC procedures defeats type safety and allows unvalidated data to pass through, enabling injection and runtime errors.
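As an added illustration (not from the rule set or from tRPC itself), a dependency-free TypeScript model of the context, auth middleware, input validation and error flow that the rules above check, in its hardened form; the session store, header names and the `updateEmail` procedure are assumed:

```typescript
// Added example (not the rule set's or tRPC's own code): a dependency-free model of the
// context + middleware flow the rules check, in hardened form. Session store is assumed.
type Ctx = { userId: string | null };
type Headers = Record<string, string | undefined>;
type Result = { ok: true; data: unknown } | { ok: false; code: string; message: string };
const inputError = (msg: string) => Object.assign(new Error(msg), { isInputError: true });
// Constructed server-side session store: the only client-controlled value is the token.
const sessions = new Map<string, string>([["tok-123", "user-42"]]);
// Safe context: identity comes from a validated session token, never from a
// client-supplied header such as x-user-id (the "Unsafe Context Usage" rule).
function createContext(headers: Headers): Ctx {
  const token = headers["authorization"]?.replace(/^Bearer /, "");
  return { userId: token === undefined ? null : sessions.get(token) ?? null };
}
// A procedure declares whether it needs auth, how to validate input, and its handler.
type Procedure<I> = {
  isProtected: boolean;
  parse: (raw: unknown) => I; // throws an input error on invalid payloads
  handler: (ctx: Ctx, input: I) => unknown;
};
// Dispatch: auth check, then schema check, then handler; errors are sanitised on the way out.
function callProcedure<I>(p: Procedure<I>, headers: Headers, raw: unknown): Result {
  const ctx = createContext(headers);
  if (p.isProtected && ctx.userId === null) {
    return { ok: false, code: "UNAUTHORIZED", message: "Not signed in" };
  }
  try {
    return { ok: true, data: p.handler(ctx, p.parse(raw)) };
  } catch (err) {
    // Log server-side; the client gets a generic message with no stack trace or
    // database details (the "Error Information Disclosure" rule).
    console.error("procedure failed:", err);
    return (err as { isInputError?: boolean })?.isInputError
      ? { ok: false, code: "BAD_REQUEST", message: "Invalid input" }
      : { ok: false, code: "INTERNAL_SERVER_ERROR", message: "Something went wrong" };
  }
}
// Hardened form of the mutation the CRITICAL rule flags: protected, validated, no `any`.
const updateEmail: Procedure<{ email: string }> = {
  isProtected: true,
  parse: (raw) => {
    const email = (raw as { email?: unknown } | null)?.email;
    if (typeof email !== "string" || !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) {
      throw inputError("email must be a valid address");
    }
    return { email };
  },
  handler: (ctx, input) => ({ userId: ctx.userId, email: input.email }),
};
```

A spoofed `x-user-id` header is ignored because the context only trusts the session store, and a malformed payload is rejected before the handler runs.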