Improper Access Control (CWE-284) - Security Vulnerability

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Access control involves determining which subjects can access which objects. When access control is implemented incorrectly, it can lead to unauthorized access to sensitive data or functionality.

普遍性

高

频繁被利用

影响

高

3 条严重级别为高的规则

预防

已记录

4 个修复示例

2 预防

如何修复此漏洞

基于 4 条 Shoulder 检测规则的 Improper Access Control 预防策略。

🐹 Go 查看全部 Go 详情 →

LLM Insecure Plugin Design HIGH

Validate tool inputs against strict schemas and use an allowlist for permitted tools

+18 -2 go

- func handleToolCall(toolCall ToolCall) (interface{}, error) {
-     return tools[toolCall.Name](toolCall.Arguments)
+ var toolRegistry = map[string]ToolConfig{
+     "search":  {Handler: searchHandler, Validator: validateSearch, Permission: "read"},
+     "weather": {Handler: weatherHandler, Validator: validateWeather, Permission: "read"},
+ }
+ 
+ func handleToolCall(userPerms map[string]bool, toolCall ToolCall) (interface{}, error) {
+     config, ok := toolRegistry[toolCall.Name]
+     if !ok {
+         return nil, fmt.Errorf("unknown tool: %s", toolCall.Name)
+     }
+     if !userPerms[config.Permission] {
+         return nil, fmt.Errorf("permission denied for tool: %s", toolCall.Name)
+     }
+     args, err := config.Validator(toolCall.Arguments)
+     if err != nil {
+         return nil, fmt.Errorf("invalid arguments: %w", err)
+     }
+     return config.Handler(args)
  }

🟨 JavaScript 查看全部 JavaScript 详情 →

LLM Insecure Plugin Design HIGH

Validate tool inputs against schemas and use allowlists for permitted tools

+10 -3 javascript

- for (const toolCall of response.tool_calls) {
-   const fn = tools[toolCall.function.name];
-   const result = await fn(JSON.parse(toolCall.function.arguments));
+ const allowedTools = new Set(['search', 'calculate', 'getWeather']);
+ 
+ for (const toolCall of response.tool_calls) {
+   if (!allowedTools.has(toolCall.function.name)) {
+     throw new Error('Unknown tool');
+   }
+   const validate = ajv.compile(toolSchemas[toolCall.function.name]);
+   const args = JSON.parse(toolCall.function.arguments);
+   if (!validate(args)) throw new Error('Invalid arguments');
+   await tools[toolCall.function.name](args);
  }

☸️ Kubernetes 查看全部 Kubernetes 详情 →

Missing Network Policy MEDIUM

Define NetworkPolicy resources to restrict pod-to-pod traffic and enforce network segmentation

+17 -11 yaml

- apiVersion: apps/v1
- kind: Deployment
- metadata:
-   name: web
- spec:
-   replicas: 3
-   template:
-     spec:
-       containers:
-       - name: web
-         image: nginx:1.25
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+   name: web-policy
+ spec:
+   podSelector:
+     matchLabels:
+       app: web
+   policyTypes:
+   - Ingress
+   ingress:
+   - from:
+     - podSelector:
+         matchLabels:
+           role: frontend
+     ports:
+     - port: 80

🐍 Python 查看全部 Python 详情 →

LLM Insecure Plugin Design HIGH

Use Pydantic for tool input validation and maintain a strict allowlist for permitted tools

+14 -4 python

- def handle_tool_call(tool_call):
-     name = tool_call.function.name
-     args = json.loads(tool_call.function.arguments)
-     return tools[name](args)
+ from pydantic import BaseModel, Field
+ 
+ class SearchArgs(BaseModel):
+     query: str = Field(max_length=100, pattern=r'^[a-zA-Z0-9\s]+$')
+ 
+ ALLOWED_TOOLS = {'search_products': SearchArgs, 'get_weather': WeatherArgs}
+ 
+ def handle_tool_call(tool_call):
+     name = tool_call.function.name
+     if name not in ALLOWED_TOOLS:
+         raise ValueError(f'Unknown tool: {name}')
+     schema = ALLOWED_TOOLS[name]
+     args = schema.parse_raw(tool_call.function.arguments)
+     return handlers[name](args)

3 检测

查找代码中的漏洞

使用Shoulder扫描代码中的Improper Access Control模式。 4 规则.

终端

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=284

# Or scan entire project
npx @shoulderdev/cli trust .

检测规则 (4)

🐹 Go 1 rules

LLM Insecure Plugin Design HIGH

Detects insecure plugin/function calling implementations in AI/LLM systems without proper validation.

🟨 Javascript 1 rules

LLM Insecure Plugin Design HIGH

Detects insecure plugin/function calling implementations in AI/LLM systems. OWASP LLM07 - Insecure Plugin Design. Insecure plugin design can lead to: - Remote code execution via tool/function calls - Unauthorized data access through plugins - Privilege escalation via overly permissive tools - SSRF through URL-handling plugins - Command injection through shell plugins This rule detects: - Function calling without input validation - Dynamic function execution from LLM output - Plugin execution w

🔷 Typescript 1 rules

LLM Insecure Plugin Design HIGH

☸️ Kubernetes 1 rules

Missing Network Policy MEDIUM

Detects Kubernetes deployments without associated NetworkPolicy resources.

📄 Yaml 1 rules

Missing Network Policy MEDIUM

Detects Kubernetes deployments without associated NetworkPolicy resources.

🐍 Python 1 rules

LLM Insecure Plugin Design HIGH

4 警告信号

代码审查中需要关注的内容

这些模式表明潜在的Improper Access Control漏洞。在代码审查和安全审计中注意查找。

🟠

Insecure plugin implementation: ... go-llm-insecure-plugin

🟠

insecure plugin/function calling implementations in AI/LLM systems without proper validation go-llm-insecure-plugin

🟡

Workload has no NetworkPolicy for network segmentation kubernetes-missing-network-policy

🟡

Kubernetes deployments without associated NetworkPolicy resources kubernetes-missing-network-policy

🔍

扫描你的代码库: Improper Access Control

Shoulder CLI 在整个代码库中找到易受攻击的模式。

npx shoulder trust 浏览所有规则