# TypeScript Unsafe Decorator Usage

- ID: typescript-unsafe-decorator
- Severity: HIGH
- CWE: Code Injection (CWE-94)
- Languages: TypeScript
- Frameworks: typescript

## Description

Decorators that use eval(), modify global state, or accept user input as parameters enable code injection, prototype pollution, and authorization bypass.

## Detection Message

Decorator '{decorator}' executes unsafe code or accesses global state. This can lead to code injection or unauthorized access.

## Remediation

Use static values for decorator parameters and avoid eval/global modifications.

```typescript
enum Role { Admin = 'admin', User = 'user' }

// Roles are fixed enum members chosen at class-definition time,
// never strings taken from request data.
function RequireRole(...roles: Role[]) {
  return function(target: any, key: string, desc: PropertyDescriptor) {
    const original = desc.value;
    // `this` is the decorated instance; typing it avoids an implicit-any error.
    desc.value = function(this: { user?: { role?: Role } }, ...args: any[]) {
      if (!roles.includes(this.user?.role as Role)) {
        throw new Error('Unauthorized');
      }
      return original.apply(this, args);
    };
  };
}
```

Learn more: https://shoulder.dev/learn/typescript/cwe-94/unsafe-decorator

## Related Rules

- **Code Injection via os/exec** [CRITICAL]
- **LLM Insecure Output Handling** [HIGH]
- **Server-Side Template Injection** [CRITICAL]
- **Code Injection via eval() and Function constructor** [CRITICAL]
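The remediation above shows the decorator in isolation. The following added example (written for this page, not code from the rule or from shoulder.dev) applies it to a constructed `UserService` class by hand, so it runs under any tsconfig without `experimentalDecorators`, and extends it with a decoration-time guard that rejects any role value not belonging to the static `Role` enum and fails closed when no user or role is present. `HasUser`, `UserService`, `tryDelete` and `decoratorAccepts` are names invented for the example.

```typescript
enum Role { Admin = 'admin', User = 'user' }

interface HasUser { user?: { role?: string } }

const KNOWN_ROLES: readonly string[] = Object.values(Role);

// Validate decorator arguments once, when the class is defined, so a value
// spliced in from request data or config cannot widen the allow-list.
function RequireRole(...roles: Role[]) {
  if (roles.length === 0) throw new Error('RequireRole: at least one role required');
  for (const r of roles) {
    if (!KNOWN_ROLES.includes(r)) throw new Error(`RequireRole: unknown role ${String(r)}`);
  }
  return function (_target: object, _key: string, desc: PropertyDescriptor) {
    const original = desc.value as (...args: unknown[]) => unknown;
    desc.value = function (this: HasUser, ...args: unknown[]) {
      const role = this.user?.role; // missing user or role denies the call
      if (role === undefined || !roles.includes(role as Role)) {
        throw new Error('Unauthorized');
      }
      return original.apply(this, args);
    };
    return desc;
  };
}

// Constructed service (hypothetical): deleteUser must only run for admins.
class UserService {
  user?: { role?: string };
  constructor(user?: { role?: string }) { this.user = user; }
  deleteUser(id: string): string { return `deleted ${id}`; }
}

// Manual application, equivalent to `@RequireRole(Role.Admin)` on deleteUser.
const deleteDesc = Object.getOwnPropertyDescriptor(UserService.prototype, 'deleteUser')!;
Object.defineProperty(UserService.prototype, 'deleteUser',
  RequireRole(Role.Admin)(UserService.prototype, 'deleteUser', deleteDesc));

// Returns the method result or the thrown message so the outcome can be checked.
function tryDelete(role: string | undefined): string {
  try { return new UserService(role === undefined ? undefined : { role }).deleteUser('42'); }
  catch (e) { return (e as Error).message; }
}

// Decoration-time guard: a string that merely looks like a role is rejected.
function decoratorAccepts(value: string): boolean {
  try { RequireRole(value as Role); return true; } catch { return false; }
}
```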