
Incorrect Type Conversion or Cast

🛡️ 5 rules detect this

The product does not correctly convert an object, resource, or structure from one type to a different type.

Type conversions often have implications for resource and bounds checking. When types are not converted properly, this can lead to access of out-of-bounds memory or misinterpretation of data.

Prevalence: Medium (1 language supported)
Impact: High (3 high-severity rules)
Prevention: Documented (5 fix examples)

2 Prevention

How to fix this vulnerability

Incorrect Type Conversion prevention strategies based on 5 Shoulder detection rules.

tRPC Type Safety Bypass with Any MEDIUM

Use Zod schemas with type inference instead of 'any' to maintain end-to-end type safety in tRPC

+19 -9 javascript
  import { router, publicProcedure } from './trpc';
- 
- export const postRouter = router({
-   createPost: publicProcedure
-     .mutation(async ({ input }: { input: any }) => {
-       return await db.post.create({ data: input });
-     }),
- 
-   getPost: publicProcedure
-     .query(async ({ input }: any) => {
+ import { z } from 'zod';
+ 
+ const createPostInput = z.object({
+   title: z.string().min(1).max(200),
+   content: z.string().min(1),
+   published: z.boolean().default(false),
+ });
+ 
+ export const postRouter = router({
+   createPost: publicProcedure
+     .input(createPostInput)
+     .mutation(async ({ input }) => {
+       // input is typed as { title: string; content: string; published: boolean }
+       return await db.post.create({ data: input });
+     }),
+ 
+   getPost: publicProcedure
+     .input(z.object({ postId: z.number().int().positive() }))
+     .query(async ({ input }) => {
        return await db.post.findUnique({
          where: { id: input.postId },
        });
      }),
  });
  
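Review bot: `published: z.boolean().default(false)` in the `+` lines still lets any caller of `createPost` submit `published: true`; if publishing is a privileged action, drop `published` from the client-facing `createPostInput` and set it server-side inside the mutation. The `-` side forwarded `input: any` straight into `db.post.create({ data: input })`, so any client-supplied column reached the database; the `+` side's `z.object` strips unknown keys by default, which closes that, and `z.number().int().positive()` on `postId` in `getPost` is a sound replacement for the untyped `input.postId`. Minor: `db` is used on both sides but never imported in the snippet.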
TypeScript Unconstrained Generic Type Parameters MEDIUM

Add type constraints using 'extends' to ensure generic parameters have required properties

+15 -7 javascript
- function getIdentifier<T>(entity: T): string {
-   return entity.id.toString(); // T has no guaranteed 'id' property
- }
- 
- function processEntities<T>(items: T[]): void {
-   items.forEach(item => {
-     console.log(item.name); // Runtime error if 'name' missing
+ interface Identifiable {
+   id: number | string;
+ }
+ 
+ interface Named {
+   name: string;
+ }
+ 
+ function getIdentifier<T extends Identifiable>(entity: T): string {
+   return entity.id.toString();
+ }
+ 
+ function processEntities<T extends Named>(items: T[]): void {
+   items.forEach(item => {
+     console.log(item.name);
    });
  }
  
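Review bot: The `extends Identifiable` constraint in the `+` lines is a compile-time check only; if `entity` comes from `JSON.parse`, a cast, or an `any`-typed value, `entity.id` can still be `undefined` at runtime and `entity.id.toString()` in `getIdentifier` throws exactly as the `-` version did. The constraint resolves the rule finding, but callers that feed external data into `getIdentifier` or `processEntities` still need a runtime check (a validating type guard or schema) at the boundary. Minor: the `-` side's explanatory comments were dropped; a one-line comment on why `Identifiable` and `Named` exist would help the next reader.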
TypeScript Strict Mode Disabled HIGH

Enable strict mode in tsconfig.json to activate all strict type-checking options

+3 -3 javascript
  {
    "compilerOptions": {
      "target": "ES2020",
      "module": "commonjs",
-     "strict": false,
-     "strictNullChecks": false,
-     "noImplicitAny": false
+     "strict": true,
+     "forceConsistentCasingInFileNames": true,
+     "skipLibCheck": true
    }
  }
  
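Review bot: `"skipLibCheck": true` in the `+` lines is unrelated to enabling strict mode and turns off type checking of declaration files, so it belongs in a separate, justified change rather than riding along with a security fix; the same applies to `"forceConsistentCasingInFileNames": true`, which is harmless but not part of this fix. Removing the explicit `"strictNullChecks": false` and `"noImplicitAny": false` is necessary rather than cosmetic: an explicit `false` on an individual flag overrides `"strict": true`, so leaving either `-` line in place would silently keep that check disabled.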
3 Detection

Find vulnerabilities in your code

Use Shoulder to scan your code for Incorrect Type Conversion or Cast patterns. 5 rules.

Terminal
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=704

# Or scan entire project
npx @shoulderdev/cli trust .
4 Warning signs

What to look for in code review

These patterns indicate potential Incorrect Type Conversion or Cast vulnerabilities. Look for them during code reviews and security audits.

🟠
tsconfig.json has '...' disabled. Enable strict mode for better type safety and security. typescript-strict-mode-violations
🟠
Variable declared with 'any' type receives untrusted input from .... This bypasses TypeScript's type safety and may lead typescript-unsafe-any-usage
🟠
Type guard '...' uses 'is' predicate but lacks proper runtime validation. This creates type confusion vulnerabilities. typescript-unsafe-type-guard
🟡
tRPC code uses 'any' type which defeats type safety. Use proper TypeScript types or Zod inference. trpc-type-inference-bypass
🟡
Generic type parameter '...' lacks constraints. Add 'extends' constraint to ensure type safety. typescript-generic-constraint-bypass

Scan your codebase: Incorrect Type Conversion or Cast

The Shoulder CLI finds vulnerable patterns across your entire codebase.