# Always-Incorrect Control Flow Implementation (CWE-670)

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement.

- Prevalence: Medium (1 language covered)
- Impact: Medium (review recommended)
- Prevention: Documented (1 fix example)

**OWASP:** Insecure Design (A04:2021-Insecure Design) - #4

## Description

When tests or validation logic are incorrectly implemented, they may always pass or always fail regardless of the actual condition. This can lead to security checks being bypassed.

## Prevention

Prevention strategies for Always-Incorrect Control Flow based on 1 Shoulder detection rule.

### Node.js

Replace trivial always-passing assertions with meaningful test logic that validates actual behavior.

## Warning Signs

- [MEDIUM] JavaScript test functions that only contain trivial assertions or no assertions at all

## Consequences

- Bypass Protection Mechanism
- Execute Unauthorized Code

## Mitigations

- Review and test all control flow logic thoroughly
- Use code coverage tools to ensure all paths are tested
- Implement mutation testing to verify test effectiveness

## Detection

- Total rules: 1
- Languages: javascript, typescript

## Rules by Language

### JavaScript (1 rule)

- **JavaScript Test with Trivial Always-Passing Assertion** [MEDIUM]: Detects JavaScript test functions that only contain trivial assertions or no assertions at all. These tests provide no actual validation and give false confidence about code correctness. Common patterns include `expect(true).toBe(true)`, `assert(true)`, or tests with only comments.
- Remediation: Replace trivial assertions with meaningful test logic:

```javascript
// processData and testInput stand in for the code under test and its fixture.
it('should process data correctly', () => {
  const result = processData(testInput);
  expect(result.status).toBe('success');
  expect(result.data).toHaveLength(3);
  expect(result.data[0].id).toBeDefined();
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-670/trivial-test-assertion

### TypeScript (1 rule)

- **JavaScript Test with Trivial Always-Passing Assertion** [MEDIUM]: Detects JavaScript test functions that only contain trivial assertions or no assertions at all. These tests provide no actual validation and give false confidence about code correctness. Common patterns include `expect(true).toBe(true)`, `assert(true)`, or tests with only comments.
- Remediation: Replace trivial assertions with meaningful test logic:

```javascript
// processData and testInput stand in for the code under test and its fixture.
it('should process data correctly', () => {
  const result = processData(testInput);
  expect(result.status).toBe('success');
  expect(result.data).toHaveLength(3);
  expect(result.data[0].id).toBeDefined();
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-670/trivial-test-assertion
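
The rule described above (tests with only trivial assertions, no assertions, or only comments) can be approximated with a short heuristic scanner. This is an added example, not Shoulder's rule implementation or code from the original page; `findWeakTests`, the regex patterns and the sample test source are assumptions constructed for illustration, and it assumes block-bodied test callbacks.

```javascript
// Added example: heuristic scanner, not Shoulder's rule implementation.
// Assumes block-bodied callbacks and no braces inside strings or comments.
const IS_ASSERT = /\b(?:expect|assert)\s*[.(]/;
const TRIVIAL = [
  /\bexpect\(\s*(true|false|\d+)\s*\)\s*\.(?:toBe|toEqual|toStrictEqual)\(\s*\1\s*\)/, // literal vs. same literal
  /\bassert(?:\.ok)?\(\s*true\s*\)/, // assert(true), assert.ok(true)
];
function findWeakTests(source) {
  const findings = [];
  const header = /\b(?:it|test)\s*\(\s*(['"`])(.*?)\1\s*,/g;
  let m;
  while ((m = header.exec(source)) !== null) {
    const open = source.indexOf('{', header.lastIndex);
    if (open === -1) break;
    let depth = 0, end = open; // walk to the brace that closes the callback
    for (; end < source.length; end++) {
      if (source[end] === '{') depth++;
      else if (source[end] === '}' && --depth === 0) break;
    }
    // Comments are not validation: drop them before looking for assertions.
    const body = source.slice(open + 1, end)
      .replace(/\/\*[\s\S]*?\*\//g, '')
      .replace(/\/\/.*$/gm, '');
    const asserts = body.split(/[;\n]/).filter((s) => IS_ASSERT.test(s));
    if (asserts.length === 0) {
      findings.push({ name: m[2], reason: 'no-assertions' });
    } else if (asserts.every((s) => TRIVIAL.some((re) => re.test(s)))) {
      findings.push({ name: m[2], reason: 'trivial-assertion' });
    }
    header.lastIndex = end; // continue after this test body
  }
  return findings;
}

// Constructed sample input (not from a real project).
const SAMPLE = `
it('rejects expired tokens', () => { expect(true).toBe(true); /* TODO */ });
it('locks account after five failures', () => { // covered manually
});
it('accepts a valid token', () => { expect(verify(tok).status).toBe('success'); });
test('sanity', function () { setup(); assert(true); });
`;
console.log(findWeakTests(SAMPLE));
```

A test that mixes a trivial assertion with at least one real one is not flagged, since the rule targets tests that contain only trivial assertions.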