# Detection Rules - Shoulder

Browse 347 security detection rules across 7 languages

- Total rules: 347
- CWE coverage: 94
- Languages: javascript, typescript, python, dockerfile, go, yaml, kubernetes

## Rules

### Dangerous Linux Capabilities Added

- ID: kubernetes-dangerous-capabilities
- Severity: CRITICAL
- CWE: CWE-250 (CWE-250)
- Languages: YAML

Detects containers adding dangerous Linux capabilities like SYS_ADMIN, NET_ADMIN, or SYS_PTRACE.

### Hardcoded Secrets in Manifest

- ID: kubernetes-hardcoded-secrets
- Severity: CRITICAL
- CWE: Hardcoded Credentials (CWE-798)
- Languages: YAML

Detects hardcoded secrets, passwords, or API keys in Kubernetes manifests.

### Host Namespace Access Enabled

- ID: kubernetes-host-access
- Severity: CRITICAL
- CWE: CWE-250 (CWE-250)
- Languages: YAML

Detects pods configured to access host namespaces (network, PID, or IPC).

### HostPath Volume Mounted

- ID: kubernetes-hostpath-volume
- Severity: CRITICAL
- CWE: CWE-668 (CWE-668)
- Languages: YAML

Detects HostPath volumes that mount directories from the host filesystem into pods.

### Privileged Container Detected

- ID: kubernetes-privileged-container
- Severity: CRITICAL
- CWE: CWE-250 (CWE-250)
- Languages: YAML

Detects containers running with privileged security context.

### NestJS Sensitive Route Missing Guard

- ID: nestjs-missing-route-guard
- Severity: CRITICAL
- CWE: Improper Authorization (CWE-285)
- Languages: JavaScript, TypeScript

Controllers without @UseGuards on sensitive operations allow unauthorized access
to create, update, delete, and admin endpoints.

### Prisma Mass Assignment Vulnerability

- ID: prisma-mass-assignment
- Severity: CRITICAL
- CWE: Mass Assignment (CWE-915)
- Languages: JavaScript, TypeScript

Spreading req.body into Prisma create/update allows attackers to modify
protected fields like role, credits, or permissions.

### Prisma Raw Query SQL Injection

- ID: prisma-raw-query-injection
- Severity: CRITICAL
- CWE: SQL Injection (CWE-89)
- Languages: JavaScript, TypeScript

Using template literals instead of Prisma.sql`` in $queryRaw bypasses
parameter binding and enables SQL injection.

### Prisma Sensitive Field Exposure

- ID: prisma-sensitive-field-exposure
- Severity: CRITICAL
- CWE: Information Exposure (CWE-200)
- Languages: JavaScript, TypeScript

Prisma returns all fields by default. Without 'select' or 'omit', password hashes
and API tokens can leak to clients.

### Authentication Bypass Vulnerability

- ID: python-authentication-bypass
- Severity: CRITICAL
- CWE: Improper Authentication (CWE-287)
- Languages: Python

Detects authentication checks that can be bypassed due to missing return statements or weak boolean logic.

### Client-Controlled Authorization Data

- ID: python-client-controlled-authorization
- Severity: CRITICAL
- CWE: CWE-807 (CWE-807)
- Languages: Python

Detects authorization decisions based on client-controllable data such as
cookies, query parameters, or form fields.

### Code Injection via eval/exec

- ID: python-code-injection
- Severity: CRITICAL
- CWE: Code Injection (CWE-94)
- Languages: Python

Detects untrusted user input flowing into code evaluation functions
(eval, exec, compile).

### OS Command Injection

- ID: python-command-injection
- Severity: CRITICAL
- CWE: OS Command Injection (CWE-78)
- Languages: Python

Detects untrusted user input flowing into operating system command execution
functions without proper sanitization.

### Dangerous Function Usage

- ID: python-dangerous-functions
- Severity: CRITICAL
- CWE: Code Injection (CWE-94)
- Languages: Python

Detects usage of dangerous Python functions that can lead to arbitrary code
execution: eval(), exec(), compile(), __import__() with user input, or
pickle deserialization. These should be avoided or heavily restricted.

### JWT Algorithm Confusion Attack

- ID: python-jwt-algorithm-confusion
- Severity: CRITICAL
- CWE: Improper Signature Verification (CWE-347)
- Languages: Python

Detects JWT tokens decoded without algorithm verification or accepting the 'none' algorithm, allowing token forgery.

### Sensitive Field Exposure in API Response

- ID: python-sensitive-field-response-exposure
- Severity: CRITICAL
- CWE: Information Exposure (CWE-200)
- Languages: Python

Detects when sensitive data fields (passwords, tokens, secrets) are
exposed through API endpoint responses. This commonly happens when:

1. Returning user dictionaries with sensitive fields
2. Serializing ORM objects without excluding sensitive fields
3. Including sensitive fields in JSON responses

Security Impact:
- Password hash exposure enabling offline cracking attacks
- API key/token leakage allowing account takeover
- Session token exposure enabling session hijacking
- PII disclosure violating privacy regulations (GDPR, CCPA)

### SQL Injection via Database Queries

- ID: python-sql-injection
- Severity: CRITICAL
- CWE: SQL Injection (CWE-89)
- Languages: Python

Detects untrusted user input flowing into SQL database queries without proper
parameterization.

### Server-Side Template Injection (SSTI)

- ID: python-ssti
- Severity: CRITICAL
- CWE: Code Injection (CWE-94)
- Languages: Python

Detects user input used directly in template rendering, allowing arbitrary
code execution.

### Unsafe Deserialization

- ID: python-unsafe-deserialization
- Severity: CRITICAL
- CWE: Deserialization of Untrusted Data (CWE-502)
- Languages: Python

Detects untrusted user input being deserialized using unsafe methods like
pickle.loads() or yaml.load().

### Credential Exfiltration via User-Controlled Endpoint

- ID: python-webhook-credential-exfiltration
- Severity: CRITICAL
- CWE: CWE-201 (CWE-201)
- Languages: Python

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests
to user-controlled endpoints. This allows attackers to exfiltrate server credentials
by providing a malicious webhook URL that captures the sensitive headers or body data.

Example vulnerable pattern:
```python
# User controls 'endpoint' from request
endpoint = request.form.get('webhook_url')

# Server sends its internal API key to attacker-controlled URL
requests.post(endpoint, headers={'X-API-Key': os.environ['INTERNAL_API_KEY']})
```

This is different from standard SSRF (which accesses internal resources) - here the attacker
exfiltrates server credentials to their own controlled endpoint.

### Unsafe YAML Deserialization

- ID: python-yaml-deserialization
- Severity: CRITICAL
- CWE: Deserialization of Untrusted Data (CWE-502)
- Languages: Python

Detects unsafe YAML deserialization using yaml.load() without SafeLoader.

### tRPC Protected Procedure Missing Authentication

- ID: trpc-missing-auth-middleware
- Severity: CRITICAL
- CWE: Improper Authorization (CWE-285)
- Languages: JavaScript, TypeScript

Using publicProcedure for mutations or user-specific data allows unauthenticated
access and account manipulation.

### TypeORM Mass Assignment Vulnerability

- ID: typeorm-mass-assignment
- Severity: CRITICAL
- CWE: Mass Assignment (CWE-915)
- Languages: JavaScript, TypeScript

Directly assigning req.body to entities allows attackers to modify protected
fields like role, isAdmin, or credits.

### TypeORM SQL Injection in Raw Query

- ID: typeorm-sql-injection-raw-query
- Severity: CRITICAL
- CWE: SQL Injection (CWE-89)
- Languages: JavaScript, TypeScript

Raw SQL queries with string concatenation or template literals bypass TypeORM's
parameterization, enabling SQL injection attacks.

### TypeORM Query Builder SQL Injection

- ID: typeorm-unsafe-query-builder
- Severity: CRITICAL
- CWE: SQL Injection (CWE-89)
- Languages: JavaScript, TypeScript

QueryBuilder where clauses with template literals or concatenation bypass
parameter binding, enabling SQL injection.

---
Showing 25 of 347 rules (page 2/14)