# tRPC Unsafe Context Usage

- ID: trpc-context-injection
- Severity: HIGH
- CWE: Improper Input Validation (CWE-20)
- Languages: JavaScript, TypeScript
- Frameworks: trpc

## Description

Using unvalidated headers, cookies, or query params in context creation allows attackers to bypass authentication and impersonate users. Everything in the request is client-controlled, so a context that derives the caller's identity from a raw header or cookie value lets any client claim any identity.

## Detection Message

Context creation uses raw request data without validation. Verify and validate all request data before adding to context.

## Remediation

Verify JWT signatures or use session libraries instead of trusting raw headers.

```typescript
import type { CreateNextContextOptions } from '@trpc/server/adapters/next';
import { getServerSession } from 'next-auth';
// Assumed application modules: the NextAuth options and the database client.
import { authOptions } from './auth';
import { db } from './db';

export async function createContext({ req, res }: CreateNextContextOptions) {
  // The session is resolved server-side from the signed session cookie, so the
  // user it carries cannot be forged by setting a request header.
  const session = await getServerSession(req, res, authOptions);
  return { user: session?.user ?? null, db };
}
```

Learn more: https://shoulder.dev/learn/typescript/cwe-20/context-injection

## Related Rules

- **FastAPI Missing Request Validation** [MEDIUM]:
- **Business Logic Input Validation** [MEDIUM]:
- **Echo Missing Input Validation** [MEDIUM]:
- **Fiber Missing Input Validation** [MEDIUM]:
- **Gin Missing Input Validation** [MEDIUM]:
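The following added example (not code from the rule page or from tRPC) contrasts a context builder that trusts a client-supplied `x-user-id` header with one that only accepts an identity carried in an HMAC-SHA256-signed bearer token. It uses only Node built-ins so it runs without tRPC installed; the request shape, the header names and the `SECRET` value are assumptions for the example.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Minimal request shape so the example runs without tRPC or Next.js (assumed).
type Req = { headers: Record<string, string | undefined> };
type Ctx = { user: { id: string } | null };

// VULNERABLE: identity is read straight from a client-controlled header,
// so any caller can impersonate any user by setting x-user-id.
export function createContextUnsafe(req: Req): Ctx {
  const id = req.headers['x-user-id'];
  return { user: id ? { id } : null };
}

// Placeholder signing key for the example; load from the environment in practice.
const SECRET = 'example-signing-key-do-not-use';

const b64url = (buf: Buffer): string => buf.toString('base64url');

// Issues a token of the form base64url(payload).base64url(HMAC-SHA256(payload)).
export function signToken(payload: { sub: string; exp: number }): string {
  const body = b64url(Buffer.from(JSON.stringify(payload)));
  const sig = b64url(createHmac('sha256', SECRET).update(body).digest());
  return `${body}.${sig}`;
}

// Returns the claims only if the signature verifies and the token is unexpired.
export function verifyToken(token: string, now = Date.now() / 1000): { sub: string } | null {
  const parts = token.split('.');
  if (parts.length !== 2) return null;
  const [body = '', sig = ''] = parts;
  const expected = createHmac('sha256', SECRET).update(body).digest();
  const given = Buffer.from(sig, 'base64url');
  // Constant-time compare; check length first because timingSafeEqual throws on mismatch.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  try {
    const payload = JSON.parse(Buffer.from(body, 'base64url').toString());
    if (typeof payload.sub !== 'string' || typeof payload.exp !== 'number') return null;
    if (payload.exp <= now) return null;
    return { sub: payload.sub };
  } catch {
    return null; // malformed payload: treat as unauthenticated
  }
}

// HARDENED: the context only carries a user when the token's signature verifies.
export function createContextSafe(req: Req): Ctx {
  const auth = req.headers['authorization'] ?? '';
  const token = auth.startsWith('Bearer ') ? auth.slice(7) : '';
  const claims = token ? verifyToken(token) : null;
  return { user: claims ? { id: claims.sub } : null };
}
```

A tampered payload, a missing signature, or an expired token all yield `user: null`, so downstream procedures see an unauthenticated caller rather than a forged one.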