code/idor-direct-lookup-js
Possible IDOR: record fetched by client id with no ownership scope
What it detects
An entity is loaded by primary key taken straight from `req.params`/`req.query`/`req.body` (findById/findByPk/getById). If the handler doesn't then check the record belongs to the authenticated user, any user can read/modify another's data. Verify ownership, or scope the query by the session user id.
How it runs
Applied line-by-line on JS/TS and Python files (comments skipped). Flags input flowing into a trust decision — an ORM write, a privilege attribute, a charge amount, or a primary-key lookup — where an authorization/ownership check should exist. Conservative by design: confirm whether the check is present nearby.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.