no-privilege-escalation
Detects potential privilege escalation vulnerabilities where user input is used to assign roles or permissions without proper validation. This rule is part of [
Keywords: privilege escalation, CWE-269, security, ESLint rule, role assignment, permission bypass, access control, user input, role checks, LLM-optimized, code security
Detects potential privilege escalation vulnerabilities where user input is used to assign roles or permissions without proper validation. This rule is part of eslint-plugin-secure-coding and provides LLM-optimized error messages that AI assistants can automatically fix.
⚠️ This rule warns by default in the recommended config.
Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-269 (Improper Privilege Management) |
| Severity | High (security vulnerability) |
| Auto-Fix | ❌ No (requires manual role check implementation) |
| Category | Security |
| ESLint MCP | ✅ Optimized for ESLint MCP integration |
| Best For | All applications with role-based access control, user management systems |
Vulnerability and Risk
Vulnerability: Privilege escalation (specifically vertical privilege escalation) occurs when an attacker can access resources or functions reserved for higher-privileged users (like admins) by manipulating inputs used in role assignment or authorization checks.
Risk: Attackers can grant themselves administrative privileges, accessing unauthorized data, deleting critical resources, or taking full control of the application.
Error Message Format
The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance:
🔒 CWE-269 OWASP:A01 CVSS:8.8 | Improper Privilege Management detected | HIGH [SOC2,PCI-DSS,HIPAA,GDPR,ISO27001]
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A01_2021/Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-269 OWASP:A01 CVSS:8.8 |
| Issue Description | Specific vulnerability | Improper Privilege Management detected |
| Severity & Compliance | Impact assessment | HIGH [SOC2,PCI-DSS,HIPAA,GDPR,ISO27001] |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |
Rule Details
Privilege escalation occurs when user input is used to assign roles or permissions without proper authorization checks. This rule detects assignments and operations that modify user privileges using unvalidated user input.
Why This Matters
| Issue | Impact | Solution |
|---|---|---|
| 🔒 Security | Users can escalate their privileges | Add role validation checks |
| 🐛 Unauthorized Access | Bypass access controls | Verify permissions before assignment |
| 🔐 Data Breach | Access to sensitive data | Enforce role-based access |
| 📊 Compliance | Violates security standards | Validate all privilege changes |
Detection Patterns
The rule detects:
- Role assignments from user input:
user.role = req.body.role - Permission assignments:
user.permission = req.query.permission - Privilege operations with user input:
grant(user, req.body.permission),setRole(user, req.query.role) - Common privilege properties:
role,permission,privilege,access,level - Common privilege operations:
setRole,grant,revoke,elevate,promote,updateRole
Examples
❌ Incorrect
// Role assignment from user input without validation
app.put('/api/users/:id', (req, res) => {
user.role = req.body.role; // ❌ No role check
// User can set themselves as admin
});
// Permission assignment from query params
app.post('/api/permissions', (req, res) => {
user.permission = req.query.permission; // ❌ No validation
// User can grant themselves permissions
});
// Privilege operation with user input
app.post('/api/grant', (req, res) => {
grant(user, req.body.permission); // ❌ No authorization check
// User can grant themselves privileges
});✅ Correct
// Role assignment with validation
app.put('/api/users/:id', (req, res) => {
if (!hasRole(currentUser, 'admin')) {
// ✅ Role check
throw new Error('Unauthorized');
}
user.role = req.body.role; // ✅ Safe after validation
});
// Permission assignment with authorization
app.post('/api/permissions', (req, res) => {
if (!isAuthorized(currentUser, 'grant_permissions')) {
// ✅ Authorization check
throw new Error('Unauthorized');
}
user.permission = req.query.permission; // ✅ Safe after check
});
// Privilege operation with role validation
app.post('/api/grant', (req, res) => {
if (!checkRole(currentUser, requiredRole)) {
// ✅ Role validation
throw new Error('Unauthorized');
}
grant(user, req.body.permission); // ✅ Safe after validation
});Configuration
Default Configuration
{
"secure-coding/no-privilege-escalation": "warn"
}Options
| Option | Type | Default | Description |
|---|---|---|---|
allowInTests | boolean | false | Allow privilege escalation in tests |
testFilePattern | string | '\\.(test|spec)\\.(ts|tsx|js|jsx)$' | Test file pattern regex |
roleCheckPatterns | string[] | ['hasRole', 'checkRole', ...] | Role check patterns to recognize |
userInputPatterns | string[] | [] | Additional user input patterns |
ignorePatterns | string[] | [] | Additional patterns to ignore |
Example Configuration
{
"secure-coding/no-privilege-escalation": [
"error",
{
"allowInTests": true,
"roleCheckPatterns": ["hasRole", "checkRole", "myCustomCheck"],
"userInputPatterns": ["customInput"],
"ignorePatterns": ["user.role"]
}
]
}Best Practices
- Always validate roles before assigning privileges from user input
- Use role checks: Implement
hasRole(),checkRole(), or similar functions - Principle of least privilege: Only allow necessary privilege changes
- Audit logs: Log all privilege changes for security auditing
- Separate concerns: Keep role assignment logic separate from user input handling
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Values from Variables
Why: Values stored in variables are not traced.
// ❌ NOT DETECTED - Value from variable
const value = userInput;
dangerousOperation(value);Mitigation: Validate all user inputs.
Wrapper Functions
Why: Custom wrappers not recognized.
// ❌ NOT DETECTED - Wrapper
myWrapper(userInput); // Uses dangerous API internallyMitigation: Apply rule to wrapper implementations.
Dynamic Invocation
Why: Dynamic calls not analyzed.
// ❌ NOT DETECTED - Dynamic
obj[method](userInput);Mitigation: Avoid dynamic method invocation.
Related Rules
no-missing-authentication- Detects missing authentication checksno-unvalidated-user-input- Detects unvalidated user input
Resources
no-pii-in-logs
The rule provides **LLM-optimized error messages** (Compact 2-line format) with actionable security guidance:
no-redos-vulnerable-regex
ESLint Rule: no-redos-vulnerable-regex. This rule is part of [`eslint-plugin-secure-coding`](https://www.npmjs.com/package/eslint-plugin-secure-coding).