# Prisma (JavaScript) Security

Security vulnerabilities and detection rules for the Prisma framework. 5 rules across 5 CWE categories.

- Total rules: 5
- CWE categories: 5
- Critical rules: 3

## CWEs

- **CWE-20**: Improper Input Validation
- **CWE-89**: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- **CWE-200**: Exposure of Sensitive Information to an Unauthorized Actor
- **CWE-770**: Allocation of Resources Without Limits or Throttling
- **CWE-915**: Improperly Controlled Modification of Dynamically-Determined Object Attributes

## Rules

- **Prisma Mass Assignment Vulnerability** [CRITICAL]: Spreading `req.body` into the `data` object of a Prisma `create`/`update` lets an attacker set protected fields such as `role`, `credits`, or `permissions` that the endpoint never meant to expose.
- **Prisma Missing Input Validation** [HIGH]: Passing `req.body` straight into `where` (or `data`) lets a caller filter on fields the endpoint never intended to expose and bypass access controls that depend on the query shape.
- **Prisma Raw Query SQL Injection** [CRITICAL]: `$queryRaw` binds parameters only when called as a tagged template or given a `Prisma.sql` fragment; building the statement as an ordinary string (for example a template literal handed to `$queryRawUnsafe`) splices user input into the SQL text and enables SQL injection.
- **Prisma Sensitive Field Exposure** [CRITICAL]: Prisma returns every scalar field by default. Without an explicit `select` or `omit`, password hashes and API tokens in the returned object can leak to clients.
- **Prisma Unbounded Relation Loading** [MEDIUM]: `include` without a `take` limit loads every related row; on large relations this can exhaust database and application memory and cause denial of service.
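The five rules above share one remedy: the endpoint, not the request, decides which fields Prisma may write, filter on and return, and how many related rows it may load. The following is an added example written for this page, not code from Prisma or from the rule set it describes. It assumes a hypothetical `User` model with the field names shown, a `req` object carrying `query` and `include`, a server-side `scope` such as `tenantId`, and a `PolicyError` class; the `sql` tag is a stand-in that reproduces the text/values split produced by `Prisma.sql` and tagged `$queryRaw`, not Prisma's implementation. It runs under plain Node.js with no database.

```javascript
// Added example, not Prisma's own code: helpers that shape the argument object
// handed to prisma.user.findMany / create / update, plus a stand-in `sql` tag
// that mirrors how Prisma.sql / tagged $queryRaw separate SQL text from values.
// Nothing here touches a database; each helper returns a plain object that can
// be inspected. The User model, its field names, the request shape and the
// scope object are assumptions made for the example.

const USER_WRITABLE = ['email', 'displayName'];                  // fields a client may set
const USER_FILTERABLE = ['email', 'displayName', 'createdAt'];   // fields a client may filter on
const USER_SENSITIVE = ['passwordHash', 'apiToken', 'mfaSecret']; // never returned to a client
const MAX_TAKE = 100;                                            // hard cap on any page or relation

class PolicyError extends Error {}

function assertPlainObject(value, what) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new PolicyError(`${what} must be a JSON object`);
  }
}

// Mass assignment (CWE-915): instead of `data: { ...req.body }`, copy only the
// allowlisted fields. Unknown keys such as role, credits, isAdmin (or __proto__)
// are rejected outright rather than silently dropped, so probing is visible.
function pickWritable(body, allowed = USER_WRITABLE) {
  assertPlainObject(body, 'body');
  const data = {};
  for (const key of Object.keys(body)) {
    if (!allowed.includes(key)) throw new PolicyError(`field not writable: ${key}`);
    data[key] = body[key];
  }
  return data;
}

// Missing input validation (CWE-20): `where: req.body` lets a caller filter on
// any column, including secret ones (string filters such as startsWith turn the
// endpoint into an oracle), or replace the ownership condition. Accept only
// allowlisted fields with primitive equality values, and merge the server-side
// scope last so the request cannot override it.
function buildWhere(query, scope, allowed = USER_FILTERABLE) {
  assertPlainObject(query, 'query');
  const where = {};
  for (const [key, value] of Object.entries(query)) {
    if (!allowed.includes(key)) throw new PolicyError(`field not filterable: ${key}`);
    if (value !== null && typeof value === 'object') {
      throw new PolicyError(`operator objects are not accepted for ${key}`);
    }
    where[key] = value;
  }
  return { ...where, ...scope };
}

// Sensitive field exposure (CWE-200): Prisma returns every scalar column unless
// `select` or `omit` is given. Build an explicit `omit` for the secret columns
// (use `select` on Prisma versions that do not support `omit`).
function sensitiveOmit(sensitive = USER_SENSITIVE) {
  return Object.fromEntries(sensitive.map((field) => [field, true]));
}

// Unbounded relation loading (CWE-770): clamp `take` on the page and on every
// include so one request cannot pull a user's entire post history into memory.
function clampTake(requested, limit = MAX_TAKE) {
  return Number.isInteger(requested) && requested > 0 ? Math.min(requested, limit) : limit;
}

function boundedInclude(include, limit = MAX_TAKE) {
  assertPlainObject(include, 'include');
  const out = {};
  for (const [relation, opts] of Object.entries(include)) {
    const base = opts === true ? {} : opts;
    out[relation] = { ...base, take: clampTake(base.take, limit) };
  }
  return out;
}

// The helpers combined into the args object for prisma.user.findMany.
function userListArgs(req, scope) {
  const { take, ...filters } = req.query ?? {};
  return {
    where: buildWhere(filters, scope),
    omit: sensitiveOmit(),
    include: boundedInclude(req.include ?? {}),
    take: clampTake(Number(take)),
  };
}

// Raw query SQL injection (CWE-89): a tagged template receives the literal SQL
// pieces and the interpolated values separately, so the driver binds the values
// as parameters. This tag is a stand-in for the example (not Prisma's code); it
// yields the text/values shape that Prisma.sql and tagged $queryRaw send on.
function sql(strings, ...values) {
  const text = strings.reduce((acc, piece, i) => acc + (i > 0 ? `$${i}` : '') + piece, '');
  return { text, values };
}

// What $queryRawUnsafe would receive: the value is spliced into the SQL text.
function findByEmailUnsafe(email) {
  return `SELECT id FROM "User" WHERE email = '${email}'`;
}

// Shape of prisma.$queryRaw`SELECT id FROM "User" WHERE email = ${email}`.
function findByEmailSafe(email) {
  return sql`SELECT id FROM "User" WHERE email = ${email}`;
}

// Stand-alone demo on constructed inputs.
const payload = "x' OR '1'='1";
console.log(findByEmailUnsafe(payload)); // tautology reaches the database
console.log(findByEmailSafe(payload));   // text keeps $1, payload stays a bound value
console.log(userListArgs({ query: { email: 'a@example.com', take: '500' }, include: { posts: true } },
                         { tenantId: 't1' }));
```

`pickWritable` and `buildWhere` throw on unexpected keys instead of dropping them; in a real handler map `PolicyError` to a 400 and log it, since a request carrying `role` or an operator object on a secret column is worth noticing.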