Improper Privilege Management (CWE-269)

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

When privileges are not properly managed, users may gain access to resources or functionality they should not have. This includes privilege escalation and improper role assignment.

普及度

高

頻繁に悪用される

影響度

ハイ

2 件の重大度ハイのルール

予防

文書化済み

2 件の修正例

2 予防

この脆弱性の修正方法

🐍 Python すべて表示 Python 詳細 →

Default Privilege Assignment in User Creation HIGH

Create users with least-privilege defaults and require explicit admin action for privilege elevation

+4 -4 python

  def register(request):
      data = request.get_json()
-     user = User.objects.create(
-         username=data['username'],
-         email=data['email'],
-         is_staff=True,
+     user = User.objects.create_user(
+         username=data['username'],
+         email=data['email'],
+         password=data['password'],
      )
      return {'status': 'created'}

Missing Role/Permission Checks HIGH

Use permission decorators to verify user roles before any privilege modification

+5 -3 python

- from django.http import JsonResponse
- from django.contrib.auth.models import User
- 
+ from django.contrib.auth.decorators import permission_required
+ from django.http import JsonResponse
+ from django.contrib.auth.models import User
+ 
+ @permission_required('auth.change_user', raise_exception=True)
  def promote_user(request, user_id):
      user = User.objects.get(id=user_id)
      user.is_staff = True
      user.save()
      return JsonResponse({'status': 'promoted'})

3 検出

コードの脆弱性を見つける

Shoulderを使用してコードのImproper Privilege Managementパターンをスキャンしましょう。 2 ルール.

ターミナル

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=269

# Or scan entire project
npx @shoulderdev/cli trust .

検出ルール (2)

🐍 Python 2 rules

Default Privilege Assignment in User Creation HIGH

Detects user creation flows that assign elevated privileges by default.

Missing Role/Permission Checks HIGH

Detects privileged operations like role modification without verifying user permissions.

4 警告サイン

コードレビューで注目すべき点

これらのパターンはImproper Privilege Managementの潜在的な脆弱性を示しています。コードレビューとセキュリティ監査中に探してください。

🟠

user creation flows that assign elevated privileges by default python-default-privilege-assignment

🟠

privileged operations like role modification without verifying user permissions python-privilege-escalation

🔍

コードベースをスキャン: Improper Privilege Management

Shoulder CLI はコードベース全体から脆弱なパターンを見つけます。

npx shoulder trust すべてのルールを表示