# Improper Access Control (CWE-284) The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. **Stack:** Python - Prevalence: Wysoka Często wykorzystywana - Impact: Wysoki 3 reguł o wysokim poziomie - Prevention: Udokumentowane 4 przykładów poprawek **OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1 ## Description Access control involves determining which subjects can access which objects. When access control is implemented incorrectly, it can lead to unauthorized access to sensitive data or functionality. ## Prevention Strategie zapobiegania dla Improper Access Control oparte na 1 regułach detekcji Shoulder. ### Python Use Pydantic for tool input validation and maintain a strict allowlist for permitted tools ## Warning Signs - [HIGH] Insecure plugin implementation: ... - [HIGH] insecure plugin/function calling implementations in AI/LLM systems ## Consequences - Odczyt danych aplikacji - Modyfikacja danych aplikacji - Wykonanie nieautoryzowanego kodu - Uzyskanie uprawnień ## Mitigations - Wdroż odpowiednie kontrole dostępu na wszystkich zasobach - Stosuj zasadę najmniejszych uprawnień - Egzekwuj kontrolę dostępu po stronie serwera, nie tylko w interfejsie ## Detection - Total rules: 4 - Languages: go, javascript, typescript, kubernetes, yaml, python ## Rules by Language ### Python (1 rules) - **LLM Insecure Plugin Design** [HIGH]: Detects insecure plugin/function calling implementations in AI/LLM systems. OWASP LLM07 - Insecure Plugin Design. Insecure plugin design can lead to: - Remote code execution via tool/function calls - Unauthorized data access through plugins - Privilege escalation via overly permissive tools - SSRF through URL-handling plugins - Command injection through shell plugins - Remediation: Use Pydantic for tool input validation and maintain an allowlist of tools. ```python from pydantic import BaseModel, Field class SearchArgs(BaseModel): query: str = Field(max_length=100, pattern=r'^[a-zA-Z0-9\s]+$') ALLOWED_TOOLS = {'search_products', 'get_weather'} def execute(tool_call): if tool_call.function.name not in ALLOWED_TOOLS: raise ValueError('Unknown tool') args = SearchArgs.parse_raw(tool_call.function.arguments) return handlers[tool_call.function.name](args) ``` Learn more: https://shoulder.dev/learn/python/cwe-284/llm-insecure-plugin