
Missing Authorization

🛡️ 3 rules detect this issue

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource. When authorization checks are completely missing, any authenticated user can access protected resources.
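To make the distinction concrete, here is an added Go example (not code from the Shoulder page or its rules) showing the CWE-862 pattern beside its fix: the caller is already authenticated, but the first accessor never asks whether that identity may read the requested document, while the second routes every access through an explicit authorization decision. The `Document`, `User` and in-memory `store` are constructed sample data, and the ownership-or-admin policy in `canRead` is an assumed policy for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Document is a constructed sample resource that has an owner.
type Document struct {
	ID      string
	OwnerID string
	Body    string
}

// User is the authenticated principal. Authentication is assumed to have
// happened already; these functions only decide authorization.
type User struct {
	ID    string
	Roles map[string]bool
}

var (
	ErrNotFound  = errors.New("document not found")
	ErrForbidden = errors.New("forbidden")
)

// store is a constructed in-memory data set for the example.
var store = map[string]Document{
	"doc-1": {ID: "doc-1", OwnerID: "alice", Body: "alice's notes"},
	"doc-2": {ID: "doc-2", OwnerID: "bob", Body: "bob's notes"},
}

// getDocumentUnchecked shows the CWE-862 defect: the User parameter proves
// the caller is authenticated, but nothing checks whether this user may
// read this particular document, so any logged-in user can read any ID.
func getDocumentUnchecked(u User, id string) (Document, error) {
	d, ok := store[id]
	if !ok {
		return Document{}, ErrNotFound
	}
	return d, nil
}

// canRead is the authorization decision, kept separate from data access so
// the policy can be reviewed and tested on its own. The policy (owner or
// admin role) is an assumption for this example.
func canRead(u User, d Document) bool {
	return d.OwnerID == u.ID || u.Roles["admin"]
}

// getDocument is the hardened accessor. A missing document and a forbidden
// one return the same error, so an unauthorized caller cannot use the
// response to learn which IDs exist.
func getDocument(u User, id string) (Document, error) {
	d, ok := store[id]
	if !ok || !canRead(u, d) {
		return Document{}, ErrForbidden
	}
	return d, nil
}

func main() {
	bob := User{ID: "bob"}
	if d, err := getDocumentUnchecked(bob, "doc-1"); err == nil {
		fmt.Println("unchecked: bob read", d.ID, "(missing authorization)")
	}
	if _, err := getDocument(bob, "doc-1"); err != nil {
		fmt.Println("checked:", err)
	}
}
```

The point to take from the two accessors is structural: the fixed version cannot return a document without passing through `canRead`, which is the property a reviewer should be able to confirm by reading the data-access path alone.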

Prevalence
Frequently exploited
Impact
3 high-severity rules
Prevention
Documented
3 fix examples

How to fix this vulnerability

Missing Authorization prevention strategies based on 3 Shoulder detection rules.

LLM Excessive Agency (HIGH)

Require human approval for sensitive operations and limit agent loop iterations

+12 -1 go
- for _, toolCall := range resp.Choices[0].Message.ToolCalls {
+ var sensitiveOps = map[string]bool{
+     "deleteUser": true, "transferFunds": true, "sendEmail": true,
+ }
+ 
+ for i, toolCall := range resp.Choices[0].Message.ToolCalls {
+     if i >= maxIterations {
+         break
+     }
+     if sensitiveOps[toolCall.Function.Name] {
+         queueForApproval(toolCall)
+         continue
+     }
      result, _ := tools[toolCall.Function.Name](toolCall.Function.Arguments)
      results = append(results, result)
  }
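Review bot: the new `sensitiveOps` map is a denylist, so any tool not named in it (including tools added later) still executes with no human approval; inverting it into an allowlist of tools that may run automatically, with everything else routed to `queueForApproval`, makes the default safe. Two smaller points in the same hunk: `if i >= maxIterations { break }` counts tool calls within a single response rather than turns of the agent loop, so it does not enforce the "limit agent loop iterations" the title promises, and `maxIterations` and `queueForApproval` are referenced without being defined anywhere in the shown change. The unchanged line `result, _ := tools[toolCall.Function.Name](toolCall.Function.Arguments)` still calls whatever the map returns, which is a nil function (and a panic) for an unknown tool name, and discards the error; prefer `fn, ok := tools[name]` with an explicit `!ok` branch and handle the returned error.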
  

Find this vulnerability in your code

Use Shoulder to scan your code for Missing Authorization patterns. 3 rules.

Terminal
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=862

# Or scan entire project
npx @shoulderdev/cli trust .

Detection rules (3)

4 warning signs

What to look for in code review

These patterns indicate a potential Missing Authorization vulnerability. Watch for them during code review and security audits.

- 🟠 Excessive LLM agency detected: ... (go-llm-excessive-agency)
- 🟠 LLM implementations with excessive autonomy allowing destructive operations without human approval (go-llm-excessive-agency)

Scan your codebase: Missing Authorization

The Shoulder CLI finds vulnerable patterns across your entire codebase.