# TypeORM (JavaScript) Security

Security vulnerabilities and detection rules for the TypeORM framework. 5 rules across 4 CWE categories.

- Total rules: 5
- CWE categories: 4
- Critical rules: 3

## CWEs

- **CWE-89**: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- **CWE-20**: Improper Input Validation
- **CWE-754**: Improper Check for Unusual or Exceptional Conditions
- **CWE-915**: Improperly Controlled Modification of Dynamically-Determined Object Attributes

## Rules

- **TypeORM Entity Missing Validation** [HIGH]: TypeORM entities without class-validator decorators accept any data, enabling injection attacks and data integrity violations.
- **TypeORM Mass Assignment Vulnerability** [CRITICAL]: Directly assigning `req.body` to entities allows attackers to modify protected fields such as `role`, `isAdmin`, or `credits`.
- **TypeORM SQL Injection in Raw Query** [CRITICAL]: Raw SQL queries built with string concatenation or template literals bypass TypeORM's parameterization, enabling SQL injection attacks.
- **TypeORM Unsafe Database Migration** [HIGH]: Migrations that run DROP TABLE/COLUMN operations without backups cause permanent data loss and application crashes from schema mismatches.
- **TypeORM Query Builder SQL Injection** [CRITICAL]: QueryBuilder `where` clauses built with template literals or concatenation bypass parameter binding, enabling SQL injection.