security.authorization

Missing ownership validation

Resource identifiers from request input should be checked against the caller before sensitive actions run.

#Metadata

#Why it matters

Authorization alone is not enough when a handler acts on a caller-supplied resource id that may belong to another user.

#Remediation

Compare the request-derived resource id to the authenticated caller or load the resource through an ownership-enforcing query.
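As an added example (not code from the rule catalog), the handler shape this rule flags beside both remediations, in TypeScript; the `Invoice` and `Session` types, the function names and the sample data are assumptions:

```typescript
// Added example, not from the rule catalog. Invoice/Session and the
// function names are assumptions; the data below is constructed.
interface Invoice { id: string; ownerId: string; total: number; }
interface Session { userId: string; }

// Constructed sample data standing in for a database table.
const invoices = new Map<string, Invoice>([
  ["inv-1", { id: "inv-1", ownerId: "alice", total: 100 }],
  ["inv-2", { id: "inv-2", ownerId: "bob", total: 250 }],
]);

// Flagged pattern: the caller is authenticated, but the id taken from the
// request is used directly, so any logged-in user can read any invoice.
function getInvoiceVulnerable(_session: Session, requestedId: string): Invoice | undefined {
  return invoices.get(requestedId);
}

// Remediation 1: load the resource, then compare its owner to the caller.
function getInvoiceChecked(session: Session, requestedId: string): Invoice | undefined {
  const invoice = invoices.get(requestedId);
  if (!invoice || invoice.ownerId !== session.userId) {
    // Same "not found" result for missing and foreign resources, so the
    // response does not reveal which ids exist.
    return undefined;
  }
  return invoice;
}

// Remediation 2: make the lookup itself ownership-enforcing (the in-memory
// equivalent of `WHERE id = ? AND owner_id = ?`), so a handler cannot
// forget the check.
function findOwnedInvoice(ownerId: string, id: string): Invoice | undefined {
  for (const inv of invoices.values()) {
    if (inv.id === id && inv.ownerId === ownerId) return inv;
  }
  return undefined;
}

function getInvoiceScoped(session: Session, requestedId: string): Invoice | undefined {
  return findOwnedInvoice(session.userId, requestedId);
}
```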

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.missing-ownership-validation.rule.yaml.