← all rules

code/idor-direct-lookup-py

Possible IDOR: object fetched by client id with no ownership scope

mediumBusiness logicaccess-controlCWE-639python

What it detects

An object is fetched by pk/id taken from `request` (`.objects.get(pk=request...)` / `get_object_or_404(..., pk=request...)`) with no owner filter. Scope the lookup by the authenticated user (`.filter(owner=request.user)`) or verify ownership after fetch.

How it runs

Applied line-by-line on JS/TS and Python files (comments skipped). Flags input flowing into a trust decision — an ORM write, a privilege attribute, a charge amount, or a primary-key lookup — where an authorization/ownership check should exist. Conservative by design: confirm whether the check is present nearby.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.