# Missing Authorization (CWE-862) The product does not perform an authorization check when an actor attempts to access a resource or perform an action. - Prevalence: Élevée Fréquemment exploitée - Impact: Élevé 3 règles de sévérité élevée - Prevention: Documentée 3 exemples de correctifs **OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1 ## Description Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource. When authorization checks are completely missing, any authenticated user can access protected resources. ## Prevention Stratégies de prévention pour Missing Authorization basées sur 3 règles de détection Shoulder. ### Go Require human approval for sensitive operations and limit agent loop iterations ## Warning Signs - [HIGH] Excessive LLM agency detected: ... - [HIGH] LLM implementations with excessive autonomy allowing destructive operations without human approval ## Consequences - Lecture des données de l'application - Modification des données de l'application - Obtenir des privilèges ## Mitigations - Mettez en place des contrôles d'autorisation pour toutes les ressources protégées - Utilisez un mécanisme d'autorisation centralisé - Suivez le principe de refus par défaut ## Detection - Total rules: 3 - Languages: go, javascript, typescript, python ## Rules by Language ### Go (1 rules) - **LLM Excessive Agency** [HIGH]: Detects LLM implementations with excessive autonomy allowing destructive operations without human approval. - Remediation: Require human approval for sensitive operations and add iteration limits. ```go if sensitiveOperations[toolName] { queueForApproval(toolCall) } ``` Learn more: https://shoulder.dev/learn/go/cwe-862/llm-excessive-agency ### Javascript (1 rules) - **LLM Excessive Agency** [HIGH]: Detects LLM implementations with excessive autonomy that can lead to unintended consequences. OWASP LLM08 - Excessive Agency. Excessive agency occurs when LLMs are granted: - Ability to perform destructive operations without confirmation - Auto-execution of LLM-generated code or commands - Direct database modifications without approval - Financial transactions without human oversight - Email/communication sending without review This rule detects: - Auto-execution of tool calls without human ap - Remediation: Require human approval for sensitive operations and set iteration limits on agent loops. ```javascript if (SENSITIVE_OPERATIONS.has(toolName)) { await queueForApproval(toolCall); } else { await executeSafeToolCall(toolCall); } ``` Learn more: https://shoulder.dev/learn/javascript/cwe-862/llm-excessive-agency ### Typescript (1 rules) - **LLM Excessive Agency** [HIGH]: Detects LLM implementations with excessive autonomy that can lead to unintended consequences. OWASP LLM08 - Excessive Agency. Excessive agency occurs when LLMs are granted: - Ability to perform destructive operations without confirmation - Auto-execution of LLM-generated code or commands - Direct database modifications without approval - Financial transactions without human oversight - Email/communication sending without review This rule detects: - Auto-execution of tool calls without human ap - Remediation: Require human approval for sensitive operations and set iteration limits on agent loops. ```javascript if (SENSITIVE_OPERATIONS.has(toolName)) { await queueForApproval(toolCall); } else { await executeSafeToolCall(toolCall); } ``` Learn more: https://shoulder.dev/learn/javascript/cwe-862/llm-excessive-agency ### Python (1 rules) - **LLM Excessive Agency** [HIGH]: Detects LLM implementations with excessive autonomy that can lead to unintended consequences. OWASP LLM08 - Excessive Agency. Excessive agency occurs when LLMs are granted: - Ability to perform destructive operations without confirmation - Auto-execution of LLM-generated code or commands - Direct database modifications without approval - Financial transactions without human oversight - Remediation: Require human approval for sensitive operations and set iteration limits. ```python SENSITIVE_OPERATIONS = {'delete_record', 'send_email', 'process_payment'} MAX_ITERATIONS = 10 for tool_call in response.choices[0].message.tool_calls: if tool_call.function.name in SENSITIVE_OPERATIONS: await queue_for_approval(tool_call) else: await execute_safe_tool_call(tool_call) ``` Learn more: https://shoulder.dev/learn/python/cwe-862/llm-excessive-agency