Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Access control involves determining which subjects can access which objects. When access control is implemented incorrectly, it can lead to unauthorized access to sensitive data or functionality.
이 취약점을 수정하는 방법
4개의 Shoulder 탐지 규칙을 기반으로 한 Improper Access Control 예방 전략.
Validate tool inputs against strict schemas and use an allowlist for permitted tools
- func handleToolCall(toolCall ToolCall) (interface{}, error) { - return tools[toolCall.Name](toolCall.Arguments) + var toolRegistry = map[string]ToolConfig{ + "search": {Handler: searchHandler, Validator: validateSearch, Permission: "read"}, + "weather": {Handler: weatherHandler, Validator: validateWeather, Permission: "read"}, + } + + func handleToolCall(userPerms map[string]bool, toolCall ToolCall) (interface{}, error) { + config, ok := toolRegistry[toolCall.Name] + if !ok { + return nil, fmt.Errorf("unknown tool: %s", toolCall.Name) + } + if !userPerms[config.Permission] { + return nil, fmt.Errorf("permission denied for tool: %s", toolCall.Name) + } + args, err := config.Validator(toolCall.Arguments) + if err != nil { + return nil, fmt.Errorf("invalid arguments: %w", err) + } + return config.Handler(args) }
Validate tool inputs against schemas and use allowlists for permitted tools
- for (const toolCall of response.tool_calls) { - const fn = tools[toolCall.function.name]; - const result = await fn(JSON.parse(toolCall.function.arguments)); + const allowedTools = new Set(['search', 'calculate', 'getWeather']); + + for (const toolCall of response.tool_calls) { + if (!allowedTools.has(toolCall.function.name)) { + throw new Error('Unknown tool'); + } + const validate = ajv.compile(toolSchemas[toolCall.function.name]); + const args = JSON.parse(toolCall.function.arguments); + if (!validate(args)) throw new Error('Invalid arguments'); + await tools[toolCall.function.name](args); }
Define NetworkPolicy resources to restrict pod-to-pod traffic and enforce network segmentation
- apiVersion: apps/v1 - kind: Deployment - metadata: - name: web - spec: - replicas: 3 - template: - spec: - containers: - - name: web - image: nginx:1.25 + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: web-policy + spec: + podSelector: + matchLabels: + app: web + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + role: frontend + ports: + - port: 80
Use Pydantic for tool input validation and maintain a strict allowlist for permitted tools
- def handle_tool_call(tool_call): - name = tool_call.function.name - args = json.loads(tool_call.function.arguments) - return tools[name](args) + from pydantic import BaseModel, Field + + class SearchArgs(BaseModel): + query: str = Field(max_length=100, pattern=r'^[a-zA-Z0-9\s]+$') + + ALLOWED_TOOLS = {'search_products': SearchArgs, 'get_weather': WeatherArgs} + + def handle_tool_call(tool_call): + name = tool_call.function.name + if name not in ALLOWED_TOOLS: + raise ValueError(f'Unknown tool: {name}') + schema = ALLOWED_TOOLS[name] + args = schema.parse_raw(tool_call.function.arguments) + return handlers[name](args)
코드에서 취약점 찾기
Shoulder를 사용하여 코드에서 Improper Access Control 패턴을 스캔하세요. 4 규칙.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=284 # Or scan entire project npx @shoulderdev/cli trust .
탐지 규칙 (4)
코드 리뷰에서 주의할 점
이 패턴은 잠재적인 Improper Access Control 취약점을 나타냅니다. 코드 리뷰와 보안 감사 중에 찾아보세요.
코드베이스를 스캔하세요: Improper Access Control
Shoulder CLI는 전체 코드베이스에서 취약한 패턴을 찾아냅니다.