Problem
Model output is untrusted. Passing it into eval, Function, shell commands, or dynamically selected tool calls can turn prompt injection into code execution. CodeInspectus does not currently have a dedicated model-output-to-execution rule.
Scope
Start with high-signal, intrafile JavaScript/TypeScript flows from the model-output sources already recognized by the prompt-injection and dangerous-HTML analyzers into:
eval(value)
new Function(value) / Function(value)
child_process.exec(value) and equivalent shell-string APIs
Unsafe tool-call dispatch may be proposed separately if it cannot meet the same precision bar.
Acceptance criteria
- Freeze a corpus with true positives and near misses before implementing the rule.
- Detect direct and split-variable intrafile flows from recognized model SDK output.
- Stay silent for constant strings, allow-listed dispatch, non-shell argument arrays, and validated/sanitized values where support is explicit.
- Emit a new
ci-ai-* rule ID with remediation and OWASP/CWE mappings justified from primary sources.
- Document supported sources, sinks, and false negatives.
npm run build && npm test && npm run eval pass.
Problem
Model output is untrusted. Passing it into
eval,Function, shell commands, or dynamically selected tool calls can turn prompt injection into code execution. CodeInspectus does not currently have a dedicated model-output-to-execution rule.Scope
Start with high-signal, intrafile JavaScript/TypeScript flows from the model-output sources already recognized by the prompt-injection and dangerous-HTML analyzers into:
eval(value)new Function(value)/Function(value)child_process.exec(value)and equivalent shell-string APIsUnsafe tool-call dispatch may be proposed separately if it cannot meet the same precision bar.
Acceptance criteria
ci-ai-*rule ID with remediation and OWASP/CWE mappings justified from primary sources.npm run build && npm test && npm run evalpass.