# Missing Authorization (CWE-862) The product does not perform an authorization check when an actor attempts to access a resource or perform an action. - Prevalence: उच्च बार-बार शोषित - Impact: उच्च 3 उच्च गंभीरता वाले नियम - Prevention: प्रलेखित 3 फिक्स उदाहरण **OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1 ## Description Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource. When authorization checks are completely missing, any authenticated user can access protected resources. ## Prevention 3 Shoulder डिटेक्शन नियमों पर आधारित Missing Authorization के लिए रोकथाम रणनीतियाँ। ### Go Require human approval for sensitive operations and limit agent loop iterations ## Warning Signs - [HIGH] Excessive LLM agency detected: ... - [HIGH] LLM implementations with excessive autonomy allowing destructive operations without human approval ## Consequences - एप्लिकेशन डेटा पढ़ना - एप्लिकेशन डेटा संशोधित करना - विशेषाधिकार प्राप्त करना ## Mitigations - सभी संरक्षित संसाधनों के लिए प्राधिकरण जाँचें लागू करें - केंद्रीकृत प्राधिकरण तंत्र का उपयोग करें - deny by default के सिद्धांत का पालन करें ## Detection - Total rules: 3 - Languages: go, javascript, typescript, python ## Rules by Language ### Go (1 rules) - **LLM Excessive Agency** [HIGH]: Detects LLM implementations with excessive autonomy allowing destructive operations without human approval. - Remediation: Require human approval for sensitive operations and add iteration limits. ```go if sensitiveOperations[toolName] { queueForApproval(toolCall) } ``` Learn more: https://shoulder.dev/learn/go/cwe-862/llm-excessive-agency ### Javascript (1 rules) - **LLM Excessive Agency** [HIGH]: Detects LLM implementations with excessive autonomy that can lead to unintended consequences. OWASP LLM08 - Excessive Agency. Excessive agency occurs when LLMs are granted: - Ability to perform destructive operations without confirmation - Auto-execution of LLM-generated code or commands - Direct database modifications without approval - Financial transactions without human oversight - Email/communication sending without review This rule detects: - Auto-execution of tool calls without human ap - Remediation: Require human approval for sensitive operations and set iteration limits on agent loops. ```javascript if (SENSITIVE_OPERATIONS.has(toolName)) { await queueForApproval(toolCall); } else { await executeSafeToolCall(toolCall); } ``` Learn more: https://shoulder.dev/learn/javascript/cwe-862/llm-excessive-agency ### Typescript (1 rules) - **LLM Excessive Agency** [HIGH]: Detects LLM implementations with excessive autonomy that can lead to unintended consequences. OWASP LLM08 - Excessive Agency. Excessive agency occurs when LLMs are granted: - Ability to perform destructive operations without confirmation - Auto-execution of LLM-generated code or commands - Direct database modifications without approval - Financial transactions without human oversight - Email/communication sending without review This rule detects: - Auto-execution of tool calls without human ap - Remediation: Require human approval for sensitive operations and set iteration limits on agent loops. ```javascript if (SENSITIVE_OPERATIONS.has(toolName)) { await queueForApproval(toolCall); } else { await executeSafeToolCall(toolCall); } ``` Learn more: https://shoulder.dev/learn/javascript/cwe-862/llm-excessive-agency ### Python (1 rules) - **LLM Excessive Agency** [HIGH]: Detects LLM implementations with excessive autonomy that can lead to unintended consequences. OWASP LLM08 - Excessive Agency. Excessive agency occurs when LLMs are granted: - Ability to perform destructive operations without confirmation - Auto-execution of LLM-generated code or commands - Direct database modifications without approval - Financial transactions without human oversight - Remediation: Require human approval for sensitive operations and set iteration limits. ```python SENSITIVE_OPERATIONS = {'delete_record', 'send_email', 'process_payment'} MAX_ITERATIONS = 10 for tool_call in response.choices[0].message.tool_calls: if tool_call.function.name in SENSITIVE_OPERATIONS: await queue_for_approval(tool_call) else: await execute_safe_tool_call(tool_call) ``` Learn more: https://shoulder.dev/learn/python/cwe-862/llm-excessive-agency