Incorrect Type Conversion or Cast (CWE-704)

Incorrect Type Conversion or Cast

The product does not correctly convert an object, resource, or structure from one type to a different type.

Type conversions often have implications for resource and bounds checking. When types are not converted properly, this can lead to access of out-of-bounds memory or misinterpretation of data.

Prevalence

Medium

1 languages covered

Impact

High

3 high-severity rules

Prevention

Documented

5 fix examples

2 Prevention

How to fix this vulnerability

Prevention strategies for Incorrect Type Conversion based on 5 Shoulder detection rules.

🟨 JavaScript View all JavaScript details →

tRPC Type Safety Bypass with Any MEDIUM

Use Zod schemas with type inference instead of 'any' to maintain end-to-end type safety in tRPC

+19 -9 javascript

  import { router, publicProcedure } from './trpc';
- 
- export const postRouter = router({
-   createPost: publicProcedure
-     .mutation(async ({ input }: { input: any }) => {
-       return await db.post.create({ data: input });
-     }),
- 
-   getPost: publicProcedure
-     .query(async ({ input }: any) => {
+ import { z } from 'zod';
+ 
+ const createPostInput = z.object({
+   title: z.string().min(1).max(200),
+   content: z.string().min(1),
+   published: z.boolean().default(false),
+ });
+ 
+ export const postRouter = router({
+   createPost: publicProcedure
+     .input(createPostInput)
+     .mutation(async ({ input }) => {
+       // input is typed as { title: string; content: string; published: boolean }
+       return await db.post.create({ data: input });
+     }),
+ 
+   getPost: publicProcedure
+     .input(z.object({ postId: z.number().int().positive() }))
+     .query(async ({ input }) => {
        return await db.post.findUnique({
          where: { id: input.postId },
        });
      }),
  });

TypeScript Unconstrained Generic Type Parameters MEDIUM

Add type constraints using 'extends' to ensure generic parameters have required properties

+15 -7 javascript

- function getIdentifier<T>(entity: T): string {
-   return entity.id.toString(); // T has no guaranteed 'id' property
- }
- 
- function processEntities<T>(items: T[]): void {
-   items.forEach(item => {
-     console.log(item.name); // Runtime error if 'name' missing
+ interface Identifiable {
+   id: number | string;
+ }
+ 
+ interface Named {
+   name: string;
+ }
+ 
+ function getIdentifier<T extends Identifiable>(entity: T): string {
+   return entity.id.toString();
+ }
+ 
+ function processEntities<T extends Named>(items: T[]): void {
+   items.forEach(item => {
+     console.log(item.name);
    });
  }

TypeScript Strict Mode Disabled HIGH

Enable strict mode in tsconfig.json to activate all strict type-checking options

+3 -3 javascript

  {
    "compilerOptions": {
      "target": "ES2020",
      "module": "commonjs",
-     "strict": false,
-     "strictNullChecks": false,
-     "noImplicitAny": false
+     "strict": true,
+     "forceConsistentCasingInFileNames": true,
+     "skipLibCheck": true
    }
  }

3 Detection

Find vulnerabilities in your code

Use Shoulder to scan your codebase for Incorrect Type Conversion or Cast patterns. 5 rules.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=704

# Or scan entire project
npx @shoulderdev/cli trust .

Detection Rules (5)

🔷 Typescript 5 rules

tRPC Type Safety Bypass with Any MEDIUM

Using 'any' type in tRPC procedures defeats type safety and allows unvalidated data to pass through, enabling injection and runtime errors.

TypeScript Unconstrained Generic Type Parameters MEDIUM

Unconstrained generics (<T> or <T extends any>) allow any type to pass through, causing runtime errors and type confusion when accessing properties that do not exist.

TypeScript Strict Mode Disabled HIGH

Disabled TypeScript strict mode flags weaken type safety and allow null/undefined errors, implicit any types, and unsafe function parameters that lead to runtime vulnerabilities.

Unsafe 'any' Type in Security-Sensitive Context HIGH

Using 'any' type with untrusted input bypasses TypeScript's type safety, allowing unvalidated data to flow into security-sensitive operations.

TypeScript Unsafe Type Guard HIGH

Type guards that always return true or use assertions without validation create type confusion, allowing untrusted data to bypass security checks.

🟨 Javascript 1 rules

tRPC Type Safety Bypass with Any MEDIUM

Using 'any' type in tRPC procedures defeats type safety and allows unvalidated data to pass through, enabling injection and runtime errors.

4 Warning Signs

What to watch for in code reviews

These patterns indicate potential Incorrect Type Conversion or Cast vulnerabilities. Look for these during code reviews and security audits.

🟠

tsconfig.json has '...' disabled. Enable strict mode for better type safety and security. typescript-strict-mode-violations

🟠

Variable declared with 'any' type receives untrusted input from .... This bypasses TypeScript's type safety and may lead typescript-unsafe-any-usage

🟠

Type guard '...' uses 'is' predicate but lacks proper runtime validation. This creates type confusion vulnerabilities. typescript-unsafe-type-guard

🟡

tRPC code uses 'any' type which defeats type safety. Use proper TypeScript types or Zod inference. trpc-type-inference-bypass

🟡

Generic type parameter '...' lacks constraints. Add 'extends' constraint to ensure type safety. typescript-generic-constraint-bypass

🔍

Scan your codebase for Incorrect Type Conversion or Cast

Shoulder CLI finds vulnerable patterns across your entire codebase.

npx shoulder trust Browse all rules