CWE-501 Trust Boundary Violation
What this means
SiteShadow flagged data crossing a trust boundary without validation. A "trust boundary" is the point where data moves from an untrusted domain (client, webhook, third-party service, environment) into trusted logic (authorization, pricing, filesystem access, admin actions).
Why it matters
Trust boundary violations allow unsafe data to influence privileged logic.
- Business logic abuse (client controls price/status).
- Authorization bypass (client controls isAdmin, userId, role).
- Injection chains when untrusted strings reach interpreters (SQL/shell/HTML).
Safer examples
1) Validate at the boundary (schema + allowlists)
Validate request bodies, query params, headers, and webhook payloads as they enter the system.
2) Recompute sensitive values server-side
Treat client input as suggestions; compute pricing/state transitions on the server (see B01 / API01).
3) Add defense-in-depth controls
Rate limits, authz policies, and safe-by-default APIs reduce impact if one boundary check fails.
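The three controls above, as an added illustration rather than SiteShadow's own code: a plain Node.js checkout handler that validates the request body against an allowlist schema, rejects unknown fields such as price or isAdmin, recomputes the total from a server-side catalogue and takes the caller's identity from the session instead of the body. The catalogue, field names, coupon rule and payloads are constructed for this example.

```javascript
// Constructed server-side source of truth for prices, in cents.
const CATALOGUE = { "sku-100": 1999, "sku-200": 499 };

// Allowlist schema: only these fields, with these types and ranges, may cross the boundary.
const ORDER_SCHEMA = {
  sku: (v) => typeof v === "string" && Object.hasOwn(CATALOGUE, v),
  quantity: (v) => Number.isInteger(v) && v >= 1 && v <= 100,
  coupon: (v) => v === undefined || /^[A-Z0-9]{4,12}$/.test(v),
};

// Step 1: validate at the boundary. Returns a fresh object holding only allowlisted fields.
function validateOrder(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, errors: ["body must be an object"] };
  }
  const errors = [];
  // Unknown fields are rejected, not ignored: keys such as `price`, `isAdmin`
  // or `role` must never reach trusted logic, even by accident.
  for (const key of Object.keys(body)) {
    if (!Object.hasOwn(ORDER_SCHEMA, key)) errors.push(`unexpected field: ${key}`);
  }
  for (const [key, check] of Object.entries(ORDER_SCHEMA)) {
    if (!check(body[key])) errors.push(`invalid or missing field: ${key}`);
  }
  if (errors.length > 0) return { ok: false, errors };
  return { ok: true, order: { sku: body.sku, quantity: body.quantity, coupon: body.coupon } };
}

// Step 2: recompute the sensitive value server-side; any client-supplied total is never consulted.
function priceOrder(order) {
  let total = CATALOGUE[order.sku] * order.quantity;
  if (order.coupon === "WELCOME10") total = Math.round(total * 0.9); // constructed coupon rule
  return total;
}

// Step 3: the authorization decision comes from the server session, a safe-by-default source.
function handleCheckout(session, body) {
  const v = validateOrder(body);
  if (!v.ok) return { status: 400, errors: v.errors };
  if (!session || typeof session.userId !== "string") return { status: 401 };
  return { status: 200, userId: session.userId, total: priceOrder(v.order) };
}
```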
How SiteShadow detects it (high level)
- Looks for untrusted sources influencing sensitive decisions (auth, permissions, pricing, filesystem, execution).
- Flags missing validation/allowlists around boundary-crossing data flows.
References
- CWE-501: https://cwe.mitre.org/data/definitions/501.html
---