# Potential IDOR - Generic Data Access

- ID: javascript-idor-generic
- Severity: MEDIUM
- CWE: Authorization Bypass Through User-Controlled Key (CWE-639)
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify, nextjs, koa, hapi, nestjs

## Description

Detects endpoints where route parameters flow to generic data access patterns (Map.get, object property access, cache lookups, custom repositories) without visible ownership verification in the same function. This rule catches patterns that ORM-specific detection misses, but it requires human verification that authorization is not enforced elsewhere (middleware, decorators, an API gateway, etc.).

**This is a "potential" finding: verify that authorization exists somewhere before treating it as a vulnerability.**

## Remediation

Verify ownership before returning data by checking that the resource belongs to the authenticated user:

```javascript
const order = orders.get(req.params.id);
// Guard the missing case first so an unknown id cannot crash the handler
if (!order) {
  return res.status(404).json({ error: 'Not found' });
}
if (order.userId !== req.user.id) {
  return res.status(403).json({ error: 'Forbidden' });
}
```

Learn more: https://shoulder.dev/learn/javascript/cwe-639/idor-generic

## Related Rules

- **Horizontal Privilege Escalation** [HIGH]
- **Insecure Direct Object Reference (IDOR)** [HIGH]
- **Potential IDOR - Generic Data Access** [MEDIUM]
- **Horizontal Privilege Escalation** [CRITICAL]
- **Insecure Direct Object Reference (IDOR)** [HIGH]
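The following is an added example, not part of the rule page or the shoulder.dev rule set: an Express-style order lookup over an in-memory `Map`, showing the pattern this rule flags next to the ownership-checked form from the Remediation section. The `orders` store, `req.user` and `req.params` are assumptions; the handlers return `{ status, body }` so they run without Express installed.

```javascript
// Constructed sample data: two orders owned by two different users.
const orders = new Map([
  ['o-100', { id: 'o-100', userId: 'u-1', total: 42 }],
  ['o-200', { id: 'o-200', userId: 'u-2', total: 99 }],
]);

// Flagged pattern: the route parameter flows straight into Map.get and the
// record is returned with no check that it belongs to req.user. Any
// authenticated user who knows (or guesses) an id can read that order.
function getOrderUnchecked(req) {
  const order = orders.get(req.params.id);
  if (!order) return { status: 404, body: { error: 'Not found' } };
  return { status: 200, body: order };
}

// Hardened form: guard the missing case, then verify ownership against the
// authenticated user (req.user is assumed to be set by auth middleware).
// Note: answering 403 for a foreign id and 404 for an unknown id tells a
// caller which ids exist; return 404 for both if that matters to you.
function getOrderChecked(req) {
  const order = orders.get(req.params.id);
  if (!order) return { status: 404, body: { error: 'Not found' } };
  if (order.userId !== req.user.id) {
    return { status: 403, body: { error: 'Forbidden' } };
  }
  return { status: 200, body: order };
}

// Adapter so either handler can be mounted as an Express route, e.g.
// app.get('/orders/:id', requireAuth, asRoute(getOrderChecked));
function asRoute(handler) {
  return (req, res) => {
    const { status, body } = handler(req);
    res.status(status).json(body);
  };
}

module.exports = { orders, getOrderUnchecked, getOrderChecked, asRoute };
```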