# Exposure of Resource to Wrong Sphere (CWE-668)

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

- Prevalence: 높음 자주 악용됨
- Impact: 치명적 1개의 치명적 심각도 규칙
- Prevention: 문서화됨 3개의 수정 예시

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

Resources should only be accessible to actors that are intended to use them. When resources are exposed to the wrong sphere (e.g., public instead of private), unauthorized actors can access sensitive data or functionality.

## Prevention

### Kubernetes

Use PersistentVolumeClaim or emptyDir instead of hostPath volumes

Use ClusterIP with Ingress or LoadBalancer instead of NodePort for production services

### JavaScript

Use ECMAScript private fields (#) for true runtime encapsulation instead of TypeScript's compile-time-only modifiers

## Warning Signs

- [HIGH] Access modifier bypass detected using .... Private/protected fields accessed through runtime mechanisms.
- [MEDIUM] Service uses NodePort type which exposes the application on all cluster nodes.
- [MEDIUM] services using NodePort type which exposes the application on all cluster nodes
- [CRITICAL] HostPath volumes mount directories from the host filesystem into the pod.
- [CRITICAL] HostPath volumes that mount directories from the host filesystem into pods

## Consequences

- 애플리케이션 데이터 읽기
- 애플리케이션 데이터 수정
- 권한 획득

## Mitigations

- 모든 리소스에 적절한 접근 제어를 구현하세요
- 최소 권한 원칙을 사용하세요
- 리소스를 신뢰 수준에 따라 분리하세요

## Detection

- Total rules: 3
- Critical: 1
- Languages: yaml, typescript

## Rules by Language

### Yaml (2 rules)

- **HostPath Volume Mounted** [CRITICAL]: Detects HostPath volumes that mount directories from the host filesystem into pods.
  - Remediation: Use PersistentVolumeClaim or emptyDir instead of hostPath.

```yaml
volumes:
  - name: data
    persistentVolumeClaim:
      claimName: my-pvc
```

Learn more: https://shoulder.dev/learn/kubernetes/cwe-668/hostpath-volume
- **NodePort Service Exposes Application** [MEDIUM]: Detects services using NodePort type which exposes the application on all cluster nodes.
  - Remediation: Use ClusterIP with Ingress or LoadBalancer instead.

```yaml
spec:
  type: ClusterIP
```

Learn more: https://shoulder.dev/learn/kubernetes/cwe-668/nodeport-service

### Typescript (1 rules)

- **TypeScript Access Modifier Bypass** [HIGH]: TypeScript private/protected modifiers are compile-time only. Bracket notation and
type assertions bypass them at runtime, exposing sensitive data like passwords and tokens.
  - Remediation: Use ECMAScript private fields (#) for true runtime encapsulation.

```typescript
class User {
  #password: string;

  constructor(password: string) {
    this.#password = password;
  }

  verifyPassword(input: string): boolean {
    return this.#password === input;
  }
}
```

Learn more: https://shoulder.dev/learn/typescript/cwe-668/access-modifier-bypass