# TypeScript (Node.js) Security

Security vulnerabilities and detection rules for the TypeScript framework. 5 rules across 3 CWE categories.

- Total rules: 5
- CWE categories: 3

## CWEs

- **CWE-704**: Incorrect Type Conversion or Cast
- **CWE-94**: Improper Control of Generation of Code ('Code Injection')
- **CWE-668**: Exposure of Resource to Wrong Sphere

## Rules

- **TypeScript Access Modifier Bypass** [HIGH]: TypeScript private/protected modifiers are compile-time only. Bracket notation and type assertions bypass them at runtime, exposing sensitive data like passwords and tokens.
- **TypeScript Unconstrained Generic Type Parameters** [MEDIUM]: Unconstrained generics ( or ) allow any type to pass through, causing runtime errors and type confusion when accessing properties that do not exist.
- **TypeScript Strict Mode Disabled** [HIGH]: Disabled TypeScript strict mode flags weaken type safety and allow null/undefined errors, implicit any types, and unsafe function parameters that lead to runtime vulnerabilities.
- **TypeScript Unsafe Decorator Usage** [HIGH]: Decorators that use eval(), modify global state, or accept user input as parameters enable code injection, prototype pollution, and authorization bypass.
- **TypeScript Unsafe Type Guard** [HIGH]: Type guards that always return true or use assertions without validation create type confusion, allowing untrusted data to bypass security checks.