Exposure of Resource to Wrong Sphere (CWE-668)

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Resources should only be accessible to actors that are intended to use them. When resources are exposed to the wrong sphere (e.g., public instead of private), unauthorized actors can access sensitive data or functionality.

普及度

高

頻繁に悪用される

影響度

クリティカル

1 件の重大度クリティカルなルール

予防

文書化済み

3 件の修正例

2 予防

この脆弱性の修正方法

☸️ Kubernetes すべて表示 Kubernetes 詳細 →

HostPath Volume Mounted CRITICAL

Use PersistentVolumeClaim or emptyDir instead of hostPath volumes

+2 -2 yaml

  apiVersion: v1
  kind: Pod
  spec:
    volumes:
    - name: data
-     hostPath:
-       path: /data
+     persistentVolumeClaim:
+       claimName: app-data-pvc
    containers:
    - name: app
      image: nginx:1.25
      volumeMounts:
      - name: data
        mountPath: /app/data

NodePort Service Exposes Application MEDIUM

Use ClusterIP with Ingress or LoadBalancer instead of NodePort for production services

+4 -4 yaml

  apiVersion: v1
  kind: Service
  spec:
-   type: NodePort
-   ports:
-     - port: 80
-       nodePort: 30080
+   type: ClusterIP
+   ports:
+     - port: 80
+       targetPort: 8080

🟨 JavaScript すべて表示 JavaScript 詳細 →

TypeScript Access Modifier Bypass HIGH

Use ECMAScript private fields (#) for true runtime encapsulation instead of TypeScript's compile-time-only modifiers

+16 -12 javascript

  class UserSession {
-   private token: string;
-   private _refreshToken: string;
- 
-   constructor(token: string, refresh: string) {
-     this.token = token;
-     this._refreshToken = refresh;
-   }
- }
- 
- const session = new UserSession('abc', 'xyz');
- const leaked = (session as any).token;
- const alsoLeaked = session['_refreshToken'];
+   #token: string;
+   #refreshToken: string;
+ 
+   constructor(token: string, refresh: string) {
+     this.#token = token;
+     this.#refreshToken = refresh;
+   }
+ 
+   validateToken(input: string): boolean {
+     return this.#token === input;
+   }
+ }
+ 
+ const session = new UserSession('abc', 'xyz');
+ // session.#token -> SyntaxError at runtime
+ // session['#token'] -> undefined

3 検出

コードの脆弱性を見つける

Shoulderを使用してコードのExposure of Resource to Wrong Sphereパターンをスキャンしましょう。 3 ルール.

ターミナル

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=668

# Or scan entire project
npx @shoulderdev/cli trust .

検出ルール (3)

📄 Yaml 2 rules

HostPath Volume Mounted CRITICAL

Detects HostPath volumes that mount directories from the host filesystem into pods.

NodePort Service Exposes Application MEDIUM

Detects services using NodePort type which exposes the application on all cluster nodes.

🔷 Typescript 1 rules

TypeScript Access Modifier Bypass HIGH

TypeScript private/protected modifiers are compile-time only. Bracket notation and type assertions bypass them at runtime, exposing sensitive data like passwords and tokens.

4 警告サイン

コードレビューで注目すべき点

これらのパターンはExposure of Resource to Wrong Sphereの潜在的な脆弱性を示しています。コードレビューとセキュリティ監査中に探してください。

🟠

Access modifier bypass detected using .... Private/protected fields accessed through runtime mechanisms. typescript-access-modifier-bypass

🟡

Service uses NodePort type which exposes the application on all cluster nodes. kubernetes-nodeport-service

🟡

services using NodePort type which exposes the application on all cluster nodes kubernetes-nodeport-service

🔴

HostPath volumes mount directories from the host filesystem into the pod. kubernetes-hostpath-volume

🔴

HostPath volumes that mount directories from the host filesystem into pods kubernetes-hostpath-volume

🔍

コードベースをスキャン: Exposure of Resource to Wrong Sphere

Shoulder CLI はコードベース全体から脆弱なパターンを見つけます。

npx shoulder trust すべてのルールを表示