# Prisma Sensitive Field Exposure

- ID: prisma-sensitive-field-exposure
- Severity: CRITICAL
- CWE: Information Exposure (CWE-200)
- Languages: JavaScript, TypeScript
- Frameworks: prisma

## Description

Prisma returns every scalar field of a model by default. A query that passes neither `select` nor `omit` therefore returns columns such as password hashes and API tokens, and if the result object is serialized straight into an HTTP response those values reach the client. The same applies to related records loaded with `include`: they come back with all of their scalar fields unless you add a nested `select`.

## Detection Message

Query on {model} may return sensitive fields. Use 'select' to whitelist safe fields or 'omit' to exclude sensitive ones.

## Remediation

Use `select` to whitelist safe fields in all queries that feed a response. A whitelist is preferable to `omit`: a sensitive column added to the model later is excluded automatically, whereas an `omit` list has to be updated by hand. If you rely on `omit`, check that your Prisma version supports it.

```typescript
const users = await prisma.user.findMany({
  select: {
    id: true,
    email: true,
    name: true
    // passwordHash NOT included
  }
});
```

Learn more: https://shoulder.dev/learn/typescript/cwe-200/sensitive-field-exposure

## Related Rules

- **Environment Variable Secret Exposure** [HIGH]
- **LLM Model Theft** [HIGH]
- **LLM Sensitive Information Disclosure** [HIGH]
- **Sensitive Field Exposure in API Response** [CRITICAL]
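The following is an added example, not code from this rule page or from Prisma itself. It models a `User` row with the two sensitive columns the rule names and uses a small in-memory stand-in for `prisma.user.findMany()` (assumed here purely so the code runs without a database; it reproduces the projection behaviour the rule describes: no arguments returns every field, `select` whitelists, `omit` blacklists). On top of that it shows a response guard, `findLeakedFields` / `assertSafeResponse`, that walks the JSON that would actually go on the wire, including nested relations, and refuses to send anything that still carries a sensitive field. The field list `SENSITIVE_USER_FIELDS` and the sample rows are constructed for the example.

```typescript
// Added example (not from the rule page or from Prisma). The rows and secret
// values below are constructed placeholders, not real hashes or tokens.

type User = {
  id: number;
  email: string;
  name: string;
  passwordHash: string; // password hash, must never reach a client
  apiToken: string;     // bearer secret, must never reach a client
};

type Projection<T> = { [K in keyof T]?: boolean };

// Fields that must never appear in an API response (assumed for this example).
export const SENSITIVE_USER_FIELDS: readonly string[] = ["passwordHash", "apiToken"];

const rows: User[] = [
  { id: 1, email: "alice@example.com", name: "Alice", passwordHash: "$2b$12$placeholder-a", apiToken: "tok_placeholder_a" },
  { id: 2, email: "bob@example.com", name: "Bob", passwordHash: "$2b$12$placeholder-b", apiToken: "tok_placeholder_b" },
];

// Copy only the keys of `row` for which `keep` returns true.
function project(row: User, keep: (key: keyof User) => boolean): Partial<User> {
  const out: Record<string, unknown> = {};
  for (const key of Object.keys(row) as (keyof User)[]) {
    if (keep(key)) out[key] = row[key];
  }
  return out as Partial<User>;
}

// Stand-in for prisma.user.findMany(). This is NOT the Prisma client; it only
// mimics the projection rules: no args -> all fields, `select` -> whitelist,
// `omit` -> blacklist.
export function findMany(args?: { select?: Projection<User>; omit?: Projection<User> }): Partial<User>[] {
  if (args && args.select) {
    const select = args.select;
    return rows.map((r) => project(r, (k) => select[k] === true));
  }
  if (args && args.omit) {
    const omit = args.omit;
    return rows.map((r) => project(r, (k) => omit[k] !== true));
  }
  return rows.map((r) => project(r, () => true)); // default: every column, secrets included
}

// Names of sensitive fields present anywhere in the serialized body. Walks
// nested objects and arrays, so relations loaded with `include` (for example
// post.author) are checked as well; that is where leaks usually hide.
export function findLeakedFields(body: unknown, sensitive: readonly string[] = SENSITIVE_USER_FIELDS): string[] {
  const leaked: Record<string, true> = {};
  const walk = (node: unknown): void => {
    if (Array.isArray(node)) {
      node.forEach(walk);
      return;
    }
    if (node !== null && typeof node === "object") {
      const obj = node as Record<string, unknown>;
      for (const key of Object.keys(obj)) {
        if (sensitive.indexOf(key) !== -1 && obj[key] !== undefined) leaked[key] = true;
        walk(obj[key]);
      }
    }
  };
  // Inspect what would go on the wire, not the in-memory object.
  walk(JSON.parse(JSON.stringify(body)));
  return Object.keys(leaked).sort();
}

// Call right before res.json(): throws instead of sending secrets.
export function assertSafeResponse(body: unknown): void {
  const leaked = findLeakedFields(body);
  if (leaked.length > 0) {
    throw new Error("refusing to send response: sensitive fields present: " + leaked.join(", "));
  }
}

// The three shapes the rule compares.
export const unsafeResult = findMany();                                            // flagged: all columns
export const safeSelect = findMany({ select: { id: true, email: true, name: true } }); // whitelist
export const safeOmit = findMany({ omit: { passwordHash: true, apiToken: true } });   // blacklist
```

Because the guard checks the serialized body rather than the Prisma result object, it also catches secrets that arrive through a relation (`findLeakedFields({ post: { author: unsafeResult[0] } })` reports both fields), which a check on the top-level query alone would miss. In a real service the stand-in `findMany` is replaced by the generated client and the guard stays the same.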