← all rules

code/privilege-from-client-py

Privilege escalation: privileged user flag assigned from request

highBusiness logicaccess-controlCWE-269python

What it detects

A privileged attribute (is_staff, is_superuser, is_admin, role) is assigned from `request.data`/`request.POST`. Authorization state must come from the authenticated user, not from client-supplied data.

How it runs

Applied line-by-line on JS/TS and Python files (comments skipped). Flags input flowing into a trust decision — an ORM write, a privilege attribute, a charge amount, or a primary-key lookup — where an authorization/ownership check should exist. Conservative by design: confirm whether the check is present nearby.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.