# Improper Access Control (CWE-284)

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

**Stack:** JavaScript

- Prevalence: Wysoka Często wykorzystywana
- Impact: Wysoki 3 reguł o wysokim poziomie
- Prevention: Udokumentowane 4 przykładów poprawek

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

Access control involves determining which subjects can access which objects. When access control is implemented incorrectly, it can lead to unauthorized access to sensitive data or functionality.

## Prevention

Strategie zapobiegania dla Improper Access Control oparte na 1 regułach detekcji Shoulder.

### JavaScript

Validate tool inputs against schemas and use allowlists for permitted tools

## Warning Signs

- [HIGH] Insecure plugin implementation: ...
- [HIGH] insecure plugin/function calling implementations in AI/LLM systems

## Consequences

- Odczyt danych aplikacji
- Modyfikacja danych aplikacji
- Wykonanie nieautoryzowanego kodu
- Uzyskanie uprawnień

## Mitigations

- Wdroż odpowiednie kontrole dostępu na wszystkich zasobach
- Stosuj zasadę najmniejszych uprawnień
- Egzekwuj kontrolę dostępu po stronie serwera, nie tylko w interfejsie

## Detection

- Total rules: 4
- Languages: go, javascript, typescript, kubernetes, yaml, python

## Rules by Language

### Javascript (1 rules)

- **LLM Insecure Plugin Design** [HIGH]: Detects insecure plugin/function calling implementations in AI/LLM systems.
OWASP LLM07 - Insecure Plugin Design.

Insecure plugin design can lead to:
- Remote code execution via tool/function calls
- Unauthorized data access through plugins
- Privilege escalation via overly permissive tools
- SSRF through URL-handling plugins
- Command injection through shell plugins

This rule detects:
- Function calling without input validation
- Dynamic function execution from LLM output
- Plugin execution w
  - Remediation: Validate tool inputs against schemas and use allowlists for permitted tools.

```javascript
if (!allowedTools.includes(name)) throw new Error('Unknown tool');
const validate = ajv.compile(toolSchemas[name]);
if (!validate(JSON.parse(args))) throw new Error('Invalid arguments');
```

Learn more: https://shoulder.dev/learn/javascript/cwe-284/llm-insecure-plugin

### Typescript (1 rules)

- **LLM Insecure Plugin Design** [HIGH]: Detects insecure plugin/function calling implementations in AI/LLM systems.
OWASP LLM07 - Insecure Plugin Design.

Insecure plugin design can lead to:
- Remote code execution via tool/function calls
- Unauthorized data access through plugins
- Privilege escalation via overly permissive tools
- SSRF through URL-handling plugins
- Command injection through shell plugins

This rule detects:
- Function calling without input validation
- Dynamic function execution from LLM output
- Plugin execution w
  - Remediation: Validate tool inputs against schemas and use allowlists for permitted tools.

```javascript
if (!allowedTools.includes(name)) throw new Error('Unknown tool');
const validate = ajv.compile(toolSchemas[name]);
if (!validate(JSON.parse(args))) throw new Error('Invalid arguments');
```

Learn more: https://shoulder.dev/learn/javascript/cwe-284/llm-insecure-plugin