# Detection Rules - Shoulder

Browse 347 security detection rules across 7 languages.

- Total rules: 347
- CWE coverage: 94
- Languages: javascript, typescript, python, dockerfile, go, yaml, kubernetes

## Rules

### Angular Missing Route Guard

- ID: angular-missing-route-guard
- Severity: CRITICAL
- CWE: Improper Authorization (CWE-285)
- Languages: JavaScript, TypeScript

Routes without canActivate guards allow unauthorized access to admin panels, user profiles, and sensitive operations.

### Angular Unsafe Security Context Bypass

- ID: angular-unsafe-pipe
- Severity: CRITICAL
- CWE: Cross-Site Scripting (XSS) (CWE-79)
- Languages: JavaScript, TypeScript

DomSanitizer.bypassSecurityTrust* methods completely disable XSS protection, enabling script injection when used with any user-controllable data.

### Code Injection via eval() and Function constructor

- ID: javascript-code-injection
- Severity: CRITICAL
- CWE: Code Injection (CWE-94)
- Languages: JavaScript, TypeScript

Detects user input flowing to code execution functions such as eval() or the Function constructor.

### Command Injection via child_process

- ID: javascript-command-injection
- Severity: CRITICAL
- CWE: OS Command Injection (CWE-78)
- Languages: JavaScript, TypeScript

Detects user input flowing to shell command execution functions.

### Failing Open on Security Check Errors

- ID: javascript-failing-open
- Severity: CRITICAL
- CWE: Not Failing Securely ('Failing Open') (CWE-636)
- Languages: JavaScript, TypeScript

Detects security checks (authentication, authorization, validation) that grant access when an error occurs instead of denying it. This is a critical security flaw where the system "fails open" rather than "failing closed/secure". When an authentication or authorization check encounters an error, the system should DENY access by default, not grant it.
### Hardcoded High-Entropy Secrets Detection

- ID: javascript-hardcoded-secrets
- Severity: CRITICAL
- CWE: Hardcoded Credentials (CWE-798)
- Languages: JavaScript, TypeScript

Detects hardcoded secrets with high entropy (randomness) that indicate real credentials. This rule uses entropy analysis to avoid false positives from:

- Example/placeholder values ("keyboard cat", "your-secret-here")
- Test fixtures ("test123", "fake-api-key")
- Short/simple strings ("secret", "password")

Only flags strings that appear to be REAL secrets:

- High entropy (random-looking characters)
- Sufficient length (20+ characters for API keys)
- Known secret patterns (AWS keys, JWT tokens, private keys)

Hardcoded real secrets pose security risks:

- Exposure in version control
- Difficult credential rotation
- Accidental disclosure in logs/errors
- No dev/prod separation

### Hardcoded Secrets in Security Operations

- ID: javascript-hardcoded-secrets-experimental
- Severity: CRITICAL
- CWE: Hardcoded Credentials (CWE-798)
- Languages: JavaScript, TypeScript

Detects hardcoded secrets (API keys, tokens, passwords) flowing into security-sensitive operations. Uses taint analysis to track hardcoded secret strings from their definition to their actual use in authentication, API calls, or cryptographic operations. This approach reduces false positives by only flagging secrets that are actually used, not those that are merely defined in comments, examples, or unused variables.

### Horizontal Privilege Escalation

- ID: javascript-horizontal-privilege-escalation
- Severity: CRITICAL
- CWE: Authorization Bypass Through User-Controlled Key (CWE-639)
- Languages: JavaScript, TypeScript

Detects when user-controlled input is used to access resources belonging to other users at the same privilege level without verifying ownership.
### JWT Decode Used for User Identity (Authentication Bypass)

- ID: javascript-jwt-unverified-user-identity
- Severity: CRITICAL
- CWE: Improper Authentication (CWE-287)
- Languages: JavaScript, TypeScript

Detects when jwt.decode() output is used for user identity, allowing complete authentication bypass since decode() does not verify signatures.

### JWT User-Controlled Secret

- ID: javascript-jwt-weak-secret
- Severity: CRITICAL
- CWE: Hardcoded Cryptographic Key (CWE-321)
- Languages: JavaScript, TypeScript

Detects JWT signing or verification using user-controlled secrets. JWT security relies on keeping the secret key confidential. If an attacker can control or influence the secret used for signing or verification, they can:

- Forge valid tokens for any user
- Bypass authentication entirely
- Impersonate other users

This includes:

- Using req.body.secret or req.query.secret directly as the JWT secret
- Allowing users to provide custom secrets for verification
- Using weak or predictable secrets derived from user input

### Path Traversal in File Operations

- ID: javascript-path-traversal
- Severity: CRITICAL
- CWE: Path Traversal (CWE-22)
- Languages: JavaScript, TypeScript

Detects untrusted user input used in file system operations without proper validation. This can allow attackers to read or write arbitrary files on the server.

### Sensitive Field Exposure in API Response

- ID: javascript-sensitive-field-response-exposure
- Severity: CRITICAL
- CWE: Information Exposure (CWE-200)
- Languages: JavaScript, TypeScript

Detects when sensitive data fields (passwords, tokens, secrets, API keys) are exposed through API endpoint responses. This commonly happens when:

1. Mapping user data with sensitive fields: `.map(u => ({ password: u.password }))`
2. Returning entire user objects: `res.json(user)` where `user` has a password field
3. Including sensitive fields in response objects: `res.json({ password: user.password })`

This is particularly dangerous when AI-generated code returns user collections without filtering sensitive fields, as in debug endpoints or admin panels.

Security Impact:

- Password hash exposure enabling offline cracking attacks
- API key/token leakage allowing account takeover
- Session token exposure enabling session hijacking
- PII disclosure violating privacy regulations (GDPR, CCPA)

### SQL Injection via Database Queries

- ID: javascript-sql-injection
- Severity: CRITICAL
- CWE: SQL Injection (CWE-89)
- Languages: JavaScript, TypeScript

Detects user input flowing into SQL queries without parameterization.

### Unsafe Deserialization

- ID: javascript-unsafe-deserialization
- Severity: CRITICAL
- CWE: Deserialization of Untrusted Data (CWE-502)
- Languages: JavaScript, TypeScript

Detects user input flowing to unsafe deserialization functions such as node-serialize or yaml.load().

### Credential Exfiltration via User-Controlled Endpoint

- ID: javascript-webhook-credential-exfiltration
- Severity: CRITICAL
- CWE: Insertion of Sensitive Information Into Sent Data (CWE-201)
- Languages: JavaScript, TypeScript

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data.

Example vulnerable pattern:

```javascript
// Express handler: the user controls 'endpoint' via the request body
app.post('/webhooks/register', async (req, res) => {
  const endpoint = req.body.webhookUrl;

  // The server sends its internal API key to the attacker-controlled URL
  await fetch(endpoint, {
    headers: { 'X-API-Key': process.env.INTERNAL_API_KEY },
  });

  res.sendStatus(204);
});
```

This is different from standard SSRF (which accesses internal resources): here the attacker exfiltrates server credentials to an endpoint they control.
### NestJS Sensitive Route Missing Guard

- ID: nestjs-missing-route-guard
- Severity: CRITICAL
- CWE: Improper Authorization (CWE-285)
- Languages: JavaScript, TypeScript

Controllers without @UseGuards on sensitive operations allow unauthorized access to create, update, delete, and admin endpoints.

### Prisma Mass Assignment Vulnerability

- ID: prisma-mass-assignment
- Severity: CRITICAL
- CWE: Mass Assignment (CWE-915)
- Languages: JavaScript, TypeScript

Spreading req.body into Prisma create/update allows attackers to modify protected fields such as role, credits, or permissions.

### Prisma Raw Query SQL Injection

- ID: prisma-raw-query-injection
- Severity: CRITICAL
- CWE: SQL Injection (CWE-89)
- Languages: JavaScript, TypeScript

Using plain template literals instead of the `Prisma.sql` tagged template in $queryRaw bypasses parameter binding and enables SQL injection.

### Prisma Sensitive Field Exposure

- ID: prisma-sensitive-field-exposure
- Severity: CRITICAL
- CWE: Information Exposure (CWE-200)
- Languages: JavaScript, TypeScript

Prisma returns all fields by default. Without `select` or `omit`, password hashes and API tokens can leak to clients.

### tRPC Protected Procedure Missing Authentication

- ID: trpc-missing-auth-middleware
- Severity: CRITICAL
- CWE: Improper Authorization (CWE-285)
- Languages: JavaScript, TypeScript

Using publicProcedure for mutations or user-specific data allows unauthenticated access and account manipulation.

### TypeORM Mass Assignment Vulnerability

- ID: typeorm-mass-assignment
- Severity: CRITICAL
- CWE: Mass Assignment (CWE-915)
- Languages: JavaScript, TypeScript

Directly assigning req.body to entities allows attackers to modify protected fields such as role, isAdmin, or credits.
### TypeORM SQL Injection in Raw Query

- ID: typeorm-sql-injection-raw-query
- Severity: CRITICAL
- CWE: SQL Injection (CWE-89)
- Languages: JavaScript, TypeScript

Raw SQL queries built with string concatenation or template literals bypass TypeORM's parameterization, enabling SQL injection attacks.

### TypeORM Query Builder SQL Injection

- ID: typeorm-unsafe-query-builder
- Severity: CRITICAL
- CWE: SQL Injection (CWE-89)
- Languages: JavaScript, TypeScript

QueryBuilder where clauses built with template literals or concatenation bypass parameter binding, enabling SQL injection.

### Angular Missing HTTP Security Interceptor

- ID: angular-http-interceptor-missing
- Severity: HIGH
- CWE: Cross-Site Request Forgery (CWE-352)
- Languages: JavaScript, TypeScript

Without HTTP interceptors, token and CSRF protection must be applied manually on every request, leading to inconsistent security and unauthorized API access.

### Angular Unsafe Property Binding

- ID: angular-unsafe-property-binding
- Severity: HIGH
- CWE: Cross-Site Scripting (XSS) (CWE-79)
- Languages: JavaScript, TypeScript

Property bindings such as [innerHTML] and [src] with untrusted data enable XSS attacks when Angular's sanitizer is bypassed or insufficient.

---

Showing 25 of 121 rules (page 1/5)