Incorrect Type Conversion or Cast (CWE-704)

Incorrect Type Conversion or Cast

The product does not correctly convert an object, resource, or structure from one type to a different type.

Type conversions often have implications for resource and bounds checking. When types are not converted properly, this can lead to access of out-of-bounds memory or misinterpretation of data.

普及度

中

1 言語をカバー

影響度

ハイ

3 件の重大度ハイのルール

予防

文書化済み

5 件の修正例

2 予防

この脆弱性の修正方法

5 件の Shoulder 検出ルールに基づく Incorrect Type Conversion の予防策。

🟨 JavaScript すべて表示 JavaScript 詳細 →

tRPC Type Safety Bypass with Any MEDIUM

Use Zod schemas with type inference instead of 'any' to maintain end-to-end type safety in tRPC

+19 -9 javascript

  import { router, publicProcedure } from './trpc';
- 
- export const postRouter = router({
-   createPost: publicProcedure
-     .mutation(async ({ input }: { input: any }) => {
-       return await db.post.create({ data: input });
-     }),
- 
-   getPost: publicProcedure
-     .query(async ({ input }: any) => {
+ import { z } from 'zod';
+ 
+ const createPostInput = z.object({
+   title: z.string().min(1).max(200),
+   content: z.string().min(1),
+   published: z.boolean().default(false),
+ });
+ 
+ export const postRouter = router({
+   createPost: publicProcedure
+     .input(createPostInput)
+     .mutation(async ({ input }) => {
+       // input is typed as { title: string; content: string; published: boolean }
+       return await db.post.create({ data: input });
+     }),
+ 
+   getPost: publicProcedure
+     .input(z.object({ postId: z.number().int().positive() }))
+     .query(async ({ input }) => {
        return await db.post.findUnique({
          where: { id: input.postId },
        });
      }),
  });

TypeScript Unconstrained Generic Type Parameters MEDIUM

Add type constraints using 'extends' to ensure generic parameters have required properties

+15 -7 javascript

- function getIdentifier<T>(entity: T): string {
-   return entity.id.toString(); // T has no guaranteed 'id' property
- }
- 
- function processEntities<T>(items: T[]): void {
-   items.forEach(item => {
-     console.log(item.name); // Runtime error if 'name' missing
+ interface Identifiable {
+   id: number | string;
+ }
+ 
+ interface Named {
+   name: string;
+ }
+ 
+ function getIdentifier<T extends Identifiable>(entity: T): string {
+   return entity.id.toString();
+ }
+ 
+ function processEntities<T extends Named>(items: T[]): void {
+   items.forEach(item => {
+     console.log(item.name);
    });
  }

TypeScript Strict Mode Disabled HIGH

Enable strict mode in tsconfig.json to activate all strict type-checking options

+3 -3 javascript

  {
    "compilerOptions": {
      "target": "ES2020",
      "module": "commonjs",
-     "strict": false,
-     "strictNullChecks": false,
-     "noImplicitAny": false
+     "strict": true,
+     "forceConsistentCasingInFileNames": true,
+     "skipLibCheck": true
    }
  }

3 検出

コードの脆弱性を見つける

Shoulderを使用してコードのIncorrect Type Conversion or Castパターンをスキャンしましょう。 5 ルール.

ターミナル

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=704

# Or scan entire project
npx @shoulderdev/cli trust .

検出ルール (5)

🔷 Typescript 5 rules

tRPC Type Safety Bypass with Any MEDIUM

Using 'any' type in tRPC procedures defeats type safety and allows unvalidated data to pass through, enabling injection and runtime errors.

TypeScript Unconstrained Generic Type Parameters MEDIUM

Unconstrained generics (<T> or <T extends any>) allow any type to pass through, causing runtime errors and type confusion when accessing properties that do not exist.

TypeScript Strict Mode Disabled HIGH

Disabled TypeScript strict mode flags weaken type safety and allow null/undefined errors, implicit any types, and unsafe function parameters that lead to runtime vulnerabilities.

Unsafe 'any' Type in Security-Sensitive Context HIGH

Using 'any' type with untrusted input bypasses TypeScript's type safety, allowing unvalidated data to flow into security-sensitive operations.

TypeScript Unsafe Type Guard HIGH

Type guards that always return true or use assertions without validation create type confusion, allowing untrusted data to bypass security checks.

🟨 Javascript 1 rules

tRPC Type Safety Bypass with Any MEDIUM

Using 'any' type in tRPC procedures defeats type safety and allows unvalidated data to pass through, enabling injection and runtime errors.

4 警告サイン

コードレビューで注目すべき点

これらのパターンはIncorrect Type Conversion or Castの潜在的な脆弱性を示しています。コードレビューとセキュリティ監査中に探してください。

🟠

tsconfig.json has '...' disabled. Enable strict mode for better type safety and security. typescript-strict-mode-violations

🟠

Variable declared with 'any' type receives untrusted input from .... This bypasses TypeScript's type safety and may lead typescript-unsafe-any-usage

🟠

Type guard '...' uses 'is' predicate but lacks proper runtime validation. This creates type confusion vulnerabilities. typescript-unsafe-type-guard

🟡

tRPC code uses 'any' type which defeats type safety. Use proper TypeScript types or Zod inference. trpc-type-inference-bypass

🟡

Generic type parameter '...' lacks constraints. Add 'extends' constraint to ensure type safety. typescript-generic-constraint-bypass

🔍

コードベースをスキャン: Incorrect Type Conversion or Cast

Shoulder CLI はコードベース全体から脆弱なパターンを見つけます。

npx shoulder trust すべてのルールを表示