Skip to content

Detect model output passed to dynamic execution or shell sinks #2

Description

@Synvoya

Problem

Model output is untrusted. Passing it into eval, Function, shell commands, or dynamically selected tool calls can turn prompt injection into code execution. CodeInspectus does not currently have a dedicated model-output-to-execution rule.

Scope

Start with high-signal, intrafile JavaScript/TypeScript flows from the model-output sources already recognized by the prompt-injection and dangerous-HTML analyzers into:

  • eval(value)
  • new Function(value) / Function(value)
  • child_process.exec(value) and equivalent shell-string APIs

Unsafe tool-call dispatch may be proposed separately if it cannot meet the same precision bar.

Acceptance criteria

  • Freeze a corpus with true positives and near misses before implementing the rule.
  • Detect direct and split-variable intrafile flows from recognized model SDK output.
  • Stay silent for constant strings, allow-listed dispatch, non-shell argument arrays, and validated/sanitized values where support is explicit.
  • Emit a new ci-ai-* rule ID with remediation and OWASP/CWE mappings justified from primary sources.
  • Document supported sources, sinks, and false negatives.
  • npm run build && npm test && npm run eval pass.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions