# Detection Rules - Shoulder

Browse 347 security detection rules across 7 languages

- Total rules: 347
- CWE coverage: 94
- Languages: javascript, typescript, python, dockerfile, go, yaml, kubernetes

## Rules

### Code Injection via os/exec

- ID: go-code-injection
- Severity: CRITICAL
- CWE: Code Injection (CWE-94)
- Languages: Go

Detects user input flowing to template functions that bypass HTML escaping.

### Command Injection via os/exec

- ID: go-command-injection
- Severity: CRITICAL
- CWE: OS Command Injection (CWE-78)
- Languages: Go

Detects user input flowing to os/exec command execution, enabling OS command injection.

### Hardcoded Secrets in Source Code

- ID: go-hardcoded-secrets
- Severity: CRITICAL
- CWE: Hardcoded Credentials (CWE-798)
- Languages: Go

API keys, passwords, or tokens hardcoded in source code.

### Sensitive Field Exposure in API Response

- ID: go-sensitive-field-response-exposure
- Severity: CRITICAL
- CWE: Information Exposure (CWE-200)
- Languages: Go

Sensitive fields like password, token, or apiKey included in HTTP responses.

### SQL Injection via Database Queries

- ID: go-sql-injection
- Severity: CRITICAL
- CWE: SQL Injection (CWE-89)
- Languages: Go

Detects user input flowing to SQL queries without parameterization.

### Server-Side Template Injection

- ID: go-ssti
- Severity: CRITICAL
- CWE: Code Injection (CWE-94)
- Languages: Go

User input passed directly to template.Parse without sanitization.

### Credential Exfiltration via User-Controlled Endpoint

- ID: go-webhook-credential-exfiltration
- Severity: CRITICAL
- CWE: CWE-201 (CWE-201)
- Languages: Go

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data.

Example vulnerable pattern:

```go
// User controls 'endpoint' from request
endpoint := r.FormValue("webhook_url")

// Server sends its internal API key to attacker-controlled URL
req, _ := http.NewRequest("POST", endpoint, nil)
req.Header.Set("X-API-Key", os.Getenv("INTERNAL_API_KEY"))
client.Do(req)
```

This is different from standard SSRF (which accesses internal resources): here the attacker exfiltrates server credentials to their own controlled endpoint.

### Business Logic Bypass

- ID: go-business-logic-bypass
- Severity: HIGH
- CWE: CWE-840 (CWE-840)
- Languages: Go

Client-controlled financial values flow to payment operations without server-side calculation.

### Channel Misuse

- ID: go-channel-misuse
- Severity: HIGH
- CWE: CWE-833 (CWE-833)
- Languages: Go

Improper channel usage can cause deadlocks, goroutine leaks, or panics. Common issues include send/receive on an unbuffered channel in the same goroutine, not closing channels, and sending on closed channels.

### Concurrent Slice Access

- ID: go-concurrent-slice-access
- Severity: HIGH
- CWE: Race Condition (CWE-362)
- Languages: Go

Concurrent access to slices (especially append) without synchronization can cause data races, lost data, or panics. Slices in Go are not thread-safe.

### Direct Map Access on Thread-Safe Struct

- ID: go-direct-map-access
- Severity: HIGH
- CWE: Race Condition (CWE-362)
- Languages: Go

Direct access to map fields on structs that provide thread-safe accessor methods can cause race conditions. Use the provided accessor methods instead.

### Echo Missing JWT Middleware

- ID: go-echo-missing-jwt
- Severity: HIGH
- CWE: CWE-306 (CWE-306)
- Languages: Go

API endpoints lack JWT authentication middleware protection.

### Echo Running Without TLS

- ID: go-echo-missing-tls
- Severity: HIGH
- CWE: CWE-319 (CWE-319)
- Languages: Go

Echo server running over HTTP instead of HTTPS.

### Email Header Injection

- ID: go-email-header-injection
- Severity: HIGH
- CWE: CWE-93 (CWE-93)
- Languages: Go

User input flows into email headers without CRLF validation.

### Environment Variable Exposure

- ID: go-env-var-exposure
- Severity: HIGH
- CWE: CWE-526 (CWE-526)
- Languages: Go

Environment variables logged or included in HTTP responses.

### Environment Variable Secret Exposure

- ID: go-env-vars-secret-exposure
- Severity: HIGH
- CWE: Information Exposure (CWE-200)
- Languages: Go

Environment variables containing secrets flow to logs or HTTP responses.

### Failing Open on Error

- ID: go-failing-open
- Severity: HIGH
- CWE: CWE-636 (CWE-636)
- Languages: Go

Security validation returns true/grants access when an error occurs.

### Fiber Missing JWT Middleware

- ID: go-fiber-missing-jwt
- Severity: HIGH
- CWE: CWE-306 (CWE-306)
- Languages: Go

API endpoints lack JWT authentication middleware protection.

### Fiber Running Without TLS

- ID: go-fiber-missing-tls
- Severity: HIGH
- CWE: CWE-319 (CWE-319)
- Languages: Go

Fiber server running over HTTP instead of HTTPS.

### Missing CSRF Protection (Gin)

- ID: go-gin-missing-csrf-protection
- Severity: HIGH
- CWE: Cross-Site Request Forgery (CWE-352)
- Languages: Go

State-changing endpoints lack CSRF token protection.

### Gin Missing JWT Middleware

- ID: go-gin-missing-jwt
- Severity: HIGH
- CWE: CWE-306 (CWE-306)
- Languages: Go

API endpoints lack JWT authentication middleware protection.

### Horizontal Privilege Escalation

- ID: go-horizontal-privilege-escalation
- Severity: HIGH
- CWE: Authorization Bypass Through User-Controlled Key (CWE-639)
- Languages: Go

Detects horizontal privilege escalation where users can access or modify other users' resources.

### Insecure Direct Object Reference (IDOR)

- ID: go-idor
- Severity: HIGH
- CWE: Authorization Bypass Through User-Controlled Key (CWE-639)
- Languages: Go

Detects IDOR vulnerabilities where user-supplied IDs access resources without authorization checks.

### Insecure Deserialization

- ID: go-insecure-deserialization
- Severity: HIGH
- CWE: Deserialization of Untrusted Data (CWE-502)
- Languages: Go

Detects truly dangerous deserialization in Go. Unlike Java or Python, Go's encoding/json is safe (data-only parsing, no code execution). This rule focuses on:

- gob.Decoder: Can instantiate arbitrary types, potential RCE (CRITICAL)
- json/yaml/xml to interface{}: Type confusion risk when combined with untrusted input (MEDIUM)

Note: json.Unmarshal to typed structs is NOT flagged as it cannot execute code.

### Insecure Session Management

- ID: go-insecure-session-management
- Severity: HIGH
- CWE: Session Fixation (CWE-384)
- Languages: Go

Session IDs use predictable values or cookies lack Secure/HttpOnly flags.

---

Showing 25 of 90 rules (page 1/4)