# Inclusion of Functionality from Untrusted Control Sphere (CWE-829)

The product imports, requires, or includes executable functionality from a source that is outside of the intended control sphere.

**Stack:** Kubernetes

- Prevalence: 높음 자주 악용됨
- Impact: 높음 3개의 높은 심각도 규칙
- Prevention: 문서화됨 4개의 수정 예시

**OWASP:** Vulnerable and Outdated Components (A06:2021-Vulnerable and Outdated Components) - #6

## Description

When software includes functionality from untrusted sources (such as third-party scripts, external modules, or code from untrusted URLs), attackers can inject malicious code that will be executed with the same privileges as the application.

## Prevention

1개의 Shoulder 탐지 규칙을 기반으로 한 Inclusion of Untrusted Functionality 예방 전략.

### Kubernetes

Pin container images to specific version tags or SHA digests for reproducible deployments

## Warning Signs

- [MEDIUM] Container image uses 'latest' tag or no tag.
- [MEDIUM] container images using 'latest' tag or no tag

## Consequences

- 승인되지 않은 코드 실행
- 애플리케이션 데이터 읽기
- 애플리케이션 데이터 수정

## Mitigations

- 신뢰할 수 있는 검증된 출처의 코드만 포함하세요
- 외부 스크립트에는 Subresource Integrity(SRI)를 사용하세요
- 실행 가능한 코드의 출처를 제한하기 위해 Content Security Policy(CSP)를 구현하세요

## Detection

- Total rules: 4
- Languages: go, javascript, typescript, yaml, python

## Rules by Language

### Yaml (1 rules)

- **Container Using Latest Tag** [MEDIUM]: Detects container images using 'latest' tag or no tag.
  - Remediation: Use specific image tags for production.

```yaml
containers:
  - name: app
    image: nginx:1.21.6-alpine
```

Learn more: https://shoulder.dev/learn/kubernetes/cwe-829/image-latest-tag