# Missing Authorization (CWE-862) The product does not perform an authorization check when an actor attempts to access a resource or perform an action. **Stack:** Python - Prevalence: 高 頻繁に悪用される - Impact: ハイ 3 件の重大度ハイのルール - Prevention: 文書化済み 3 件の修正例 **OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1 ## Description Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource. When authorization checks are completely missing, any authenticated user can access protected resources. ## Prevention 1 件の Shoulder 検出ルールに基づく Missing Authorization の予防策。 ### Python Require human approval for sensitive operations and limit agent loop iterations ## Warning Signs - [HIGH] Excessive LLM agency detected: ... - [HIGH] LLM implementations with excessive autonomy that can lead to unintended consequences ## Consequences - アプリケーションデータの読み取り - アプリケーションデータの変更 - 権限の取得 ## Mitigations - 保護されたすべてのリソースに対して認可チェックを実装する - 認可は集中管理された仕組みを使用する - デフォルト拒否の原則に従う ## Detection - Total rules: 3 - Languages: go, javascript, typescript, python ## Rules by Language ### Python (1 rules) - **LLM Excessive Agency** [HIGH]: Detects LLM implementations with excessive autonomy that can lead to unintended consequences. OWASP LLM08 - Excessive Agency. Excessive agency occurs when LLMs are granted: - Ability to perform destructive operations without confirmation - Auto-execution of LLM-generated code or commands - Direct database modifications without approval - Financial transactions without human oversight - Remediation: Require human approval for sensitive operations and set iteration limits. ```python SENSITIVE_OPERATIONS = {'delete_record', 'send_email', 'process_payment'} MAX_ITERATIONS = 10 for tool_call in response.choices[0].message.tool_calls: if tool_call.function.name in SENSITIVE_OPERATIONS: await queue_for_approval(tool_call) else: await execute_safe_tool_call(tool_call) ``` Learn more: https://shoulder.dev/learn/python/cwe-862/llm-excessive-agency