Exposure of Resource to Wrong Sphere (CWE-668)

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Resources should only be accessible to actors that are intended to use them. When resources are exposed to the wrong sphere (e.g., public instead of private), unauthorized actors can access sensitive data or functionality.

普遍性

高

频繁被利用

影响

关键

1 条严重级别为关键的规则

预防

已记录

3 个修复示例

2 预防

如何修复此漏洞

☸️ Kubernetes 查看全部 Kubernetes 详情 →

HostPath Volume Mounted CRITICAL

Use PersistentVolumeClaim or emptyDir instead of hostPath volumes

+2 -2 yaml

  apiVersion: v1
  kind: Pod
  spec:
    volumes:
    - name: data
-     hostPath:
-       path: /data
+     persistentVolumeClaim:
+       claimName: app-data-pvc
    containers:
    - name: app
      image: nginx:1.25
      volumeMounts:
      - name: data
        mountPath: /app/data

NodePort Service Exposes Application MEDIUM

Use ClusterIP with Ingress or LoadBalancer instead of NodePort for production services

+4 -4 yaml

  apiVersion: v1
  kind: Service
  spec:
-   type: NodePort
-   ports:
-     - port: 80
-       nodePort: 30080
+   type: ClusterIP
+   ports:
+     - port: 80
+       targetPort: 8080

🟨 JavaScript 查看全部 JavaScript 详情 →

TypeScript Access Modifier Bypass HIGH

Use ECMAScript private fields (#) for true runtime encapsulation instead of TypeScript's compile-time-only modifiers

+16 -12 javascript

  class UserSession {
-   private token: string;
-   private _refreshToken: string;
- 
-   constructor(token: string, refresh: string) {
-     this.token = token;
-     this._refreshToken = refresh;
-   }
- }
- 
- const session = new UserSession('abc', 'xyz');
- const leaked = (session as any).token;
- const alsoLeaked = session['_refreshToken'];
+   #token: string;
+   #refreshToken: string;
+ 
+   constructor(token: string, refresh: string) {
+     this.#token = token;
+     this.#refreshToken = refresh;
+   }
+ 
+   validateToken(input: string): boolean {
+     return this.#token === input;
+   }
+ }
+ 
+ const session = new UserSession('abc', 'xyz');
+ // session.#token -> SyntaxError at runtime
+ // session['#token'] -> undefined

3 检测

查找代码中的漏洞

使用Shoulder扫描代码中的Exposure of Resource to Wrong Sphere模式。 3 规则.

终端

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=668

# Or scan entire project
npx @shoulderdev/cli trust .

检测规则 (3)

📄 Yaml 2 rules

HostPath Volume Mounted CRITICAL

Detects HostPath volumes that mount directories from the host filesystem into pods.

NodePort Service Exposes Application MEDIUM

Detects services using NodePort type which exposes the application on all cluster nodes.

🔷 Typescript 1 rules

TypeScript Access Modifier Bypass HIGH

TypeScript private/protected modifiers are compile-time only. Bracket notation and type assertions bypass them at runtime, exposing sensitive data like passwords and tokens.

4 警告信号

代码审查中需要关注的内容

这些模式表明潜在的Exposure of Resource to Wrong Sphere漏洞。在代码审查和安全审计中注意查找。

🟠

Access modifier bypass detected using .... Private/protected fields accessed through runtime mechanisms. typescript-access-modifier-bypass

🟡

Service uses NodePort type which exposes the application on all cluster nodes. kubernetes-nodeport-service

🟡

services using NodePort type which exposes the application on all cluster nodes kubernetes-nodeport-service

🔴

HostPath volumes mount directories from the host filesystem into the pod. kubernetes-hostpath-volume

🔴

HostPath volumes that mount directories from the host filesystem into pods kubernetes-hostpath-volume

🔍

扫描你的代码库: Exposure of Resource to Wrong Sphere

Shoulder CLI 在整个代码库中找到易受攻击的模式。

npx shoulder trust 浏览所有规则