← all rules

code/idor-direct-lookup-js

Possible IDOR: record fetched by client id with no ownership scope

mediumBusiness logicaccess-controlCWE-639js

What it detects

An entity is loaded by primary key taken straight from `req.params`/`req.query`/`req.body` (findById/findByPk/getById). If the handler doesn't then check the record belongs to the authenticated user, any user can read/modify another's data. Verify ownership, or scope the query by the session user id.

How it runs

Applied line-by-line on JS/TS and Python files (comments skipped). Flags input flowing into a trust decision — an ORM write, a privilege attribute, a charge amount, or a primary-key lookup — where an authorization/ownership check should exist. Conservative by design: confirm whether the check is present nearby.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.