Exposure of Resource to Wrong Sphere

3 rules detect this pattern

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Resources should only be accessible to the actors intended to use them. When a resource is exposed to the wrong sphere (public instead of private, the host filesystem instead of the pod, every cluster node instead of the cluster network, or any caller instead of the owning class), unauthorized actors gain access to sensitive data or functionality.

Prevalence: High (frequently exploited)
Impact: Critical (1 critical-severity rule)
Prevention: Documented (3 fix examples)

Prevention

How to fix this vulnerability

HostPath Volume Mounted CRITICAL

Use PersistentVolumeClaim or emptyDir instead of hostPath volumes

+2 -2 yaml
  apiVersion: v1
  kind: Pod
  spec:
    volumes:
    - name: data
-     hostPath:
-       path: /data
+     persistentVolumeClaim:
+       claimName: app-data-pvc
    containers:
    - name: app
      image: nginx:1.25
      volumeMounts:
      - name: data
        mountPath: /app/data
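Review bot: the `+` side points the volume at a PersistentVolumeClaim named app-data-pvc that this example never defines, so as written the pod stays Pending until a PVC of that name exists in its namespace; ship the PVC manifest with the fix, or use emptyDir (which the title also offers) when the data need not outlive the pod. The `-` side is worth a second look too: `hostPath: path: /data` hands the container a host directory, which is why the rule is CRITICAL, and it is exactly what the Pod Security Standards baseline profile forbids, so enforcing that profile on the namespace (the pod-security.kubernetes.io/enforce: baseline label) blocks reintroduction instead of leaving it to code review.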
  
NodePort Service Exposes Application MEDIUM

Use ClusterIP with Ingress or LoadBalancer instead of NodePort for production services

+4 -4 yaml
  apiVersion: v1
  kind: Service
  spec:
-   type: NodePort
-   ports:
-     - port: 80
-       nodePort: 30080
+   type: ClusterIP
+   ports:
+     - port: 80
+       targetPort: 8080
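Review bot: `targetPort: 8080` on the last `+` line changes routing, not exposure: the removed spec forwarded port 80 to container port 80 (targetPort defaults to port), so unless the backend really listens on 8080 this fix breaks the service rather than just hiding it. Drop that line or match it to the container's containerPort. Also, with `type: ClusterIP` the application is now reachable only from inside the cluster; the title promises Ingress or LoadBalancer, so the Ingress object routing to this Service (or `type: LoadBalancer` with loadBalancerSourceRanges restricting callers) belongs in the same change.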
  
TypeScript Access Modifier Bypass HIGH

Use ECMAScript private fields (#) for true runtime encapsulation instead of TypeScript's compile-time-only modifiers

+16 -12 javascript
  class UserSession {
-   private token: string;
-   private _refreshToken: string;
- 
-   constructor(token: string, refresh: string) {
-     this.token = token;
-     this._refreshToken = refresh;
-   }
- }
- 
- const session = new UserSession('abc', 'xyz');
- const leaked = (session as any).token;
- const alsoLeaked = session['_refreshToken'];
+   #token: string;
+   #refreshToken: string;
+ 
+   constructor(token: string, refresh: string) {
+     this.#token = token;
+     this.#refreshToken = refresh;
+   }
+ 
+   validateToken(input: string): boolean {
+     return this.#token === input;
+   }
+ }
+ 
+ const session = new UserSession('abc', 'xyz');
+ // session.#token -> SyntaxError at runtime
+ // session['#token'] -> undefined
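Review bot: the comment on `session.#token` is slightly off: a `#` name used outside its class body is rejected when the file is parsed (an early SyntaxError), not when that line executes, which is the stronger guarantee. Two smaller points: `#refreshToken` is written but never read, and `validateToken` compares secrets with `===`, which returns at the first differing character; for a bearer token compare fixed-length digests with crypto.timingSafeEqual instead. The hunk header says `javascript`, but `private token: string` and `as any` are TypeScript.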
  
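The fix above shows the syntax change; what it does not show is how many runtime paths a compile-time `private` leaves open, and that an ECMAScript `#` field closes all of them at once. The following is an added example written for this page (not Shoulder's code and not from any real project); the class names, the `toJSON` redaction and the `constantTimeEqual` helper are illustrative assumptions.

```typescript
// Added example (not Shoulder's code): the leak paths a TypeScript `private`
// field leaves open at runtime, next to the same class on ECMAScript private
// fields (#), which closes every one of them. Class and field names are
// illustrative assumptions, not taken from any real project.

// "Before": privacy exists only in the type checker. Once tsc strips the
// annotations, both fields are ordinary enumerable own properties.
class TsPrivateSession {
  private token: string;
  private _refreshToken: string;
  constructor(token: string, refresh: string) {
    this.token = token;
    this._refreshToken = refresh;
  }
  isFor(token: string): boolean {
    return this.token === token; // same early-exit compare as the page's diff
  }
  hasRefresh(): boolean {
    return this._refreshToken.length > 0;
  }
}

// "After": the engine enforces the boundary. `#` fields are not properties,
// so casts, string keys, reflection, spread and serializers cannot reach them.
class HardenedSession {
  #token: string;
  #refreshToken: string;
  constructor(token: string, refresh: string) {
    this.#token = token;
    this.#refreshToken = refresh;
  }
  // Explicit, redacted view so a stray JSON.stringify(session) in a log line
  // or API response never turns into a credential leak.
  toJSON(): { token: string; refreshToken: string } {
    return { token: "[redacted]", refreshToken: "[redacted]" };
  }
  validateToken(input: string): boolean {
    return constantTimeEqual(this.#token, input);
  }
  hasRefresh(): boolean {
    return this.#refreshToken.length > 0;
  }
}

// Comparison that does not stop at the first mismatch (a plain === does):
// walk the longer input and OR every difference into one accumulator.
function constantTimeEqual(a: string, b: string): boolean {
  const n = Math.max(a.length, b.length);
  let diff = a.length ^ b.length;
  for (let i = 0; i < n; i++) {
    // charCodeAt past the end is NaN, which `| 0` turns into 0.
    diff |= (a.charCodeAt(i) | 0) ^ (b.charCodeAt(i) | 0);
  }
  return diff === 0;
}

// Tries each runtime path an attacker or a careless log statement could take
// and returns the names of the ones that exposed a secret.
function leakPaths(session: object, token: string, refresh: string): string[] {
  const s = session as any;
  const leaked: string[] = [];
  if (s.token === token) leaked.push("(session as any).token");
  if (s["_refreshToken"] === refresh) leaked.push("session['_refreshToken']");
  if (Object.keys(session).some((k) => s[k] === token)) leaked.push("Object.keys reflection");
  if (JSON.stringify(session).indexOf(token) !== -1) leaked.push("JSON.stringify");
  const copy = { ...session } as Record<string, unknown>;
  if (Object.keys(copy).some((k) => copy[k] === token)) leaked.push("spread copy");
  return leaked;
}

// Constructed sample values.
const TOKEN = "tok_8f3a9c";
const REFRESH = "ref_2b7d";
const leaky = new TsPrivateSession(TOKEN, REFRESH);
const safe = new HardenedSession(TOKEN, REFRESH);
console.log("TypeScript private leaks via:", leakPaths(leaky, TOKEN, REFRESH));
console.log("ECMAScript #private leaks via:", leakPaths(safe, TOKEN, REFRESH));
console.log("serialized:", JSON.stringify(safe));
```

Run it with any TypeScript runner: the `private` class reports all five paths, the `#` class reports none, and its serialized form is the redacted object rather than the token. The `toJSON` override matters in practice because session objects tend to end up in structured logs and error payloads, which is where compile-time privacy most often fails.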
Detection

Find vulnerabilities in your code

Scan your code for Exposure of Resource to Wrong Sphere patterns with Shoulder (3 rules).

Terminal
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=668

# Or scan entire project
npx @shoulderdev/cli trust .

Warning signs

What to look for in code review

These patterns indicate a potential Exposure of Resource to Wrong Sphere vulnerability. Look for them during code review and security audits.

🟠 HIGH: Access modifier bypass detected using .... Private/protected fields accessed through runtime mechanisms. (typescript-access-modifier-bypass)
🟡 MEDIUM: Service uses NodePort type, which exposes the application on all cluster nodes. (kubernetes-nodeport-service)
🔴 CRITICAL: HostPath volumes mount directories from the host filesystem into the pod. (kubernetes-hostpath-volume)
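To make the three warning signs concrete, here is an added example (not Shoulder's code, and not how its rules are implemented) of a small line-oriented scanner run over constructed sample files. The rule ids and severities are the ones listed on this page; the regular expressions, file-name filters and the `worstSeverity` CI gate are my own assumptions, and a production rule set would work on parsed YAML and a TypeScript AST rather than on lines.

```typescript
// Added example (not Shoulder's code): a line-oriented scanner for the three
// warning signs listed above, run over constructed sample files. Rule ids and
// severities are the ones on this page; the matching heuristics are my own, and
// a real rule set would work on parsed YAML and a TypeScript AST, not regexes.

type Severity = "CRITICAL" | "HIGH" | "MEDIUM";

interface Rule {
  id: string;
  severity: Severity;
  files: RegExp;   // which file names the rule applies to
  pattern: RegExp; // what a suspicious line looks like
}

interface Finding {
  rule: string;
  severity: Severity;
  file: string;
  line: number; // 1-based
  text: string;
}

const RULES: Rule[] = [
  { id: "kubernetes-hostpath-volume", severity: "CRITICAL", files: /\.ya?ml$/, pattern: /^\s*-?\s*hostPath:/ },
  { id: "kubernetes-nodeport-service", severity: "MEDIUM", files: /\.ya?ml$/, pattern: /^\s*type:\s*NodePort\s*$/ },
  {
    // `(x as any).field` defeats the checker outright; `obj['_field']` or
    // `obj["#field"]` reaches for a name that convention marks private.
    id: "typescript-access-modifier-bypass",
    severity: "HIGH",
    files: /\.tsx?$/,
    pattern: /as\s+any\)\s*\.\w+|\[\s*['"][_#]\w+['"]\s*\]/,
  },
];

function scanFile(file: string, content: string): Finding[] {
  const findings: Finding[] = [];
  const applicable = RULES.filter((r) => r.files.test(file));
  const lines = content.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const text = lines[i] ?? "";
    for (const r of applicable) {
      if (r.pattern.test(text)) {
        findings.push({ rule: r.id, severity: r.severity, file, line: i + 1, text: text.trim() });
      }
    }
  }
  return findings;
}

function scanFiles(files: Record<string, string>): Finding[] {
  let all: Finding[] = [];
  for (const name of Object.keys(files)) {
    all = all.concat(scanFile(name, files[name] ?? ""));
  }
  return all;
}

// Highest severity present, usable as a CI gate; null when the scan is clean.
const RANK: Record<Severity, number> = { MEDIUM: 1, HIGH: 2, CRITICAL: 3 };
function worstSeverity(findings: Finding[]): Severity | null {
  let worst: Severity | null = null;
  for (const f of findings) {
    if (worst === null || RANK[f.severity] > RANK[worst]) worst = f.severity;
  }
  return worst;
}

// Constructed sample tree (not real files): one hit per Kubernetes rule, two
// TypeScript hits, and two clean lines/files to show what is not flagged.
const SAMPLE_FILES: Record<string, string> = {
  "k8s/pod.yaml": ["apiVersion: v1", "kind: Pod", "spec:", "  volumes:", "  - name: data", "    hostPath:", "      path: /data"].join("\n"),
  "k8s/service.yaml": ["apiVersion: v1", "kind: Service", "spec:", "  type: NodePort", "  ports:", "  - port: 80", "    nodePort: 30080"].join("\n"),
  "k8s/internal.yaml": ["apiVersion: v1", "kind: Service", "spec:", "  type: ClusterIP"].join("\n"),
  "src/session.ts": ["const leaked = (session as any).token;", "const alsoLeaked = session['_refreshToken'];", "const fine = config['timeout'];"].join("\n"),
};

for (const f of scanFiles(SAMPLE_FILES)) {
  console.log(`${f.severity} ${f.file}:${f.line} ${f.rule}: ${f.text}`);
}
```

Over the sample tree this reports four findings (the hostPath line, the NodePort line, and the two TypeScript bypasses) and a worst severity of CRITICAL, while the ClusterIP service and the ordinary `config['timeout']` lookup stay silent. The file-name filter is what keeps `hostPath:` in a README from being reported as a Kubernetes finding.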

Scan your codebase for Exposure of Resource to Wrong Sphere

The Shoulder CLI finds vulnerable patterns across your entire codebase.