@oculum/scanner 1.0.12 → 1.0.13

package/dist/detect/ai-code/execution-sinks.js

@@ -0,0 +1,1158 @@
+"use strict";
+/**
+ * Layer 2: AI Execution Sink Detection
+ * Detects patterns where LLM output is fed into dangerous execution sinks
+ *
+ * Covers B2: Unsafe execution of model output (LLM02)
+ *
+ * Sinks include:
+ * - Code execution: eval(), Function(), vm.runInContext()
+ * - Shell execution: exec(), spawn(), child_process
+ * - SQL builders: .query(), .execute(), .raw()
+ * - Template rendering: innerHTML, dangerouslySetInnerHTML
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectAIExecutionSinks = detectAIExecutionSinks;
+const file_classifier_1 = require("../../parse/file-classifier");
+const prompt_hygiene_1 = require("./prompt-hygiene");
+const BASE_CONFIDENCE = 0.55;
+// ============================================================================
+// LLM Output Variable Detection
+// ============================================================================
+/**
+ * Check if line contains LLM API response context
+ */
+function hasLLMResponseContext(lineContent, surroundingContext) {
+    const llmResponsePatterns = [
+        /\.choices\[0\]\.message\.content/i, // OpenAI response
+        /\.content\[0\]\.text/i, // Anthropic response
+        /completion\.text/i, // Generic completion
+        /\.data\.choices/i, // API response
+        /await\s+\w+\.(?:chat|messages|completions)\.create/i, // API call
+        /response\.text\s*\(/i, // Response text method
+    ];
+    const fullContext = lineContent + '\n' + surroundingContext;
+    return llmResponsePatterns.some(p => p.test(fullContext));
+}
+// ============================================================================
+// UI Suggestion / Template Pattern Detection (False Positive Filters)
+// ============================================================================
+/**
+ * Check if this is a UI suggestion/template pattern rather than execution sink
+ * These patterns create display strings for command palettes, autocomplete, etc.
+ */
+function isUITemplateSuggestion(lineContent, surroundingContext) {
+    const fullContext = lineContent + '\n' + surroundingContext;
+    // UI suggestion object patterns (command palette, autocomplete suggestions)
+    // Note: Be careful not to match variable declarations like `const completion =`
+    const uiSuggestionPatterns = [
+        // Object property patterns for suggestion items (key: value in objects)
+        /(?:id|key|label|title|name|description|display|text|value|placeholder):\s*`[^`]*\$\{/i,
+        // Common suggestion UI patterns (arrays or objects, not variable declarations)
+        /(?:set)?suggestions\s*[=:]\s*\[/i, // suggestions: [...] or setSuggestions([])
+        /autocomplete/i,
+        /command\s*palette/i,
+        /fuzzy\s*search/i,
+        /search\s*result/i,
+        // React/UI state patterns
+        /useState.*suggestions|setSuggestions/i,
+        /setItems|setResults/i,
+        // Template ID generation for UI
+        /id:\s*`[a-z]+-\$\{/i, // id: `delete-${...}`, id: `edit-${...}`
+    ];
+    // These patterns should NOT be considered UI suggestions
+    const notUISuggestionPatterns = [
+        /\.query\s*\(/i,
+        /\.execute\s*\(/i,
+        /\.raw\s*\(/i,
+        /await\s+db\./i,
+        /prisma\./i,
+        /supabase\./i,
+        /knex\./i,
+        /sequelize\./i,
+        /child_process/i,
+        /exec\s*\(/i,
+        /spawn\s*\(/i,
+        /eval\s*\(/i,
+        /fetch\s*\(/i,
+        /axios\./i,
+        /\.redirect\s*\(/i,
+        /\.setHeader\s*\(/i,
+        /\.cookie\s*\(/i,
+        /location\./i,
+    ];
+    // Check if context matches UI pattern but NOT execution pattern
+    const matchesUIPattern = uiSuggestionPatterns.some(p => p.test(fullContext));
+    const matchesExecutionPattern = notUISuggestionPatterns.some(p => p.test(lineContent));
+    return matchesUIPattern && !matchesExecutionPattern;
+}
+/**
+ * Check if this is a static template string (no actual LLM output interpolation)
+ * e.g., `delete ${node.title}` where node is app data, not LLM output
+ */
+function isAppDataInterpolation(lineContent, surroundingContext) {
+    const fullContext = lineContent + '\n' + surroundingContext;
+    // Patterns indicating the interpolated variable is app data, not LLM output
+    const appDataPatterns = [
+        // Database result/record properties
+        /\$\{(?:result|item|record|row|entry|node)\.(?:id|title|name|slug|key|label)\}/i,
+        // UI state properties
+        /\$\{(?:selected|current|active|item|node)\.(?:id|title|name|value)\}/i,
+        // Form/input data
+        /\$\{(?:data|values|form|input)\.(?:id|name|value)\}/i,
+        // Array iteration context
+        /\.map\s*\(\s*\(?(?:item|node|row|entry|result)/i,
+        /\.forEach\s*\(\s*\(?(?:item|node|row|entry|result)/i,
+    ];
+    // Patterns that suggest LLM output (should not skip)
+    const llmOutputPatterns = [
+        /\$\{(?:response|completion|generated|output|answer|reply|message)\.?/i,
+        /\$\{(?:ai|llm|gpt|claude|chat)(?:Response|Output|Result)/i,
+        /\.choices\[0\]/i,
+        /\.content\[0\]\.text/i,
+    ];
+    const isAppData = appDataPatterns.some(p => p.test(fullContext));
+    const isLLMOutput = llmOutputPatterns.some(p => p.test(fullContext));
+    return isAppData && !isLLMOutput;
+}
+// ============================================================================
+// Sandbox and Validation Detection
+// ============================================================================
+/**
+ * Check if execution is sandboxed
+ */
+function isSandboxedExecution(content, lineNumber, lines) {
+    const _lines = lines ?? content.split('\n');
+    const contextStart = Math.max(0, lineNumber - 25);
+    const contextEnd = Math.min(_lines.length, lineNumber + 10);
+    const context = _lines.slice(contextStart, contextEnd).join('\n');
+    const sandboxPatterns = [
+        /vm2/i,
+        /isolated-vm/i,
+        /safeeval/i,
+        /safe-eval/i,
+        /sandbox/i,
+        /runInNewContext.*\{.*timeout/i,
+        /runInContext.*\{.*timeout/i,
+        /allowedGlobals/i,
+        /allowedModules/i,
+        /quickjs/i,
+        /webworker/i,
+        /iframe.*sandbox/i,
+    ];
+    return sandboxPatterns.some(p => p.test(context));
+}
+/**
+ * Check if output has validation before execution
+ */
+function hasOutputValidation(content, lineNumber, lines) {
+    const _lines = lines ?? content.split('\n');
+    const contextStart = Math.max(0, lineNumber - 15);
+    const contextEnd = Math.min(_lines.length, lineNumber + 5);
+    const context = _lines.slice(contextStart, contextEnd).join('\n');
+    const validationPatterns = [
+        /validate/i,
+        /sanitize/i,
+        /escape/i,
+        /\.filter\s*\([^)]*(?:allowed|safe|valid)/i, // .filter(x => allowed.includes(x))
+        /parse.*catch/i,
+        /schema\./i,
+        /\.parse\s*\(/i,
+        /allowlist/i,
+        /whitelist/i,
+        /blocklist/i,
+        /blacklist/i,
+        /allowed(?:Columns|Tables|Hosts|Domains|Extensions|Types|Args|Paths)/i, // Allowlist variable names
+        /JSON\.parse.*catch/i,
+        /DOMPurify/i,
+        /xss/i,
+        /encodeURIComponent/i,
+        /\.replace\s*\(\s*\/\[.*\]\/[gi]*/i, // Regex sanitization like .replace(/[^a-z0-9]/gi, '')
+        /textContent\s*=/i, // Using textContent (safe) instead of innerHTML
+        /ReactMarkdown/i, // React Markdown sanitizes by default
+        /ast\.literal_eval/i, // Python safe eval
+        /yaml\.(?:safe_load|SafeLoader)/i, // Safe YAML parsing
+        /\.startsWith\s*\(\s*['"]\/['"]?\)/i, // Relative URL check
+        /new\s+URL\s*\(.*\).*origin/i, // URL origin check
+        /path\.resolve.*startsWith/i, // Path validation
+    ];
+    return validationPatterns.some(p => p.test(context));
+}
+/**
+ * Check if this appears to be display-only usage (not execution)
+ */
+function isDisplayOnly(lineContent, surroundingContext) {
+    const displayPatterns = [
+        /console\.(log|info|debug|warn)/i,
+        /textContent\s*=/i,
+        /innerText\s*=/i,
+        /\.text\s*=/i,
+        /setState.*display/i,
+        /render.*\{/i,
+        /<p>|<div>|<span>/i,
+        /\.send\s*\(/i,
+        /\.json\s*\(/i,
+        /return\s+.*response/i,
+    ];
+    const fullContext = lineContent + '\n' + surroundingContext;
+    return displayPatterns.some(p => p.test(fullContext));
+}
+const EXECUTION_SINK_PATTERNS = [
+    // ========== Code Execution Sinks ==========
+    {
+        name: 'LLM output to eval()',
+        pattern: /eval\s*\(\s*(?:response|result|output|completion|message|content|answer|generated|text)(?:\.|\.data\.|\.text|\.content)?/gi,
+        sinkType: 'code_execution',
+        baseSeverity: 'critical',
+        description: 'LLM output is passed directly to eval(). This allows arbitrary code execution if the model is manipulated via prompt injection.',
+        suggestedFix: 'Never eval() LLM output. Use structured output (JSON schema) and validate before processing. Consider using a sandboxed environment like vm2 if code execution is required.',
+    },
+    {
+        name: 'LLM output to Function constructor',
+        pattern: /new\s+Function\s*\([^)]*(?:response|result|output|completion|message|content|answer|generated)/gi,
+        sinkType: 'code_execution',
+        baseSeverity: 'critical',
+        description: 'LLM output is passed to Function constructor, which is equivalent to eval().',
+        suggestedFix: 'Use JSON schemas to define expected output structure. Validate output before any processing.',
+    },
+    {
+        name: 'LLM output to vm.runInContext',
+        pattern: /vm\.run(?:InContext|InNewContext|InThisContext)\s*\(\s*(?:response|result|output|completion|content)/gi,
+        sinkType: 'code_execution',
+        baseSeverity: 'high',
+        description: 'LLM output executed in Node.js VM context. While isolated, VM can still be escaped in some versions.',
+        suggestedFix: 'Use vm2 or isolated-vm for proper sandboxing. Add timeout and memory limits. Validate output structure before execution.',
+    },
+    // Generic pattern for code from LLM
+    {
+        name: 'Dynamic code execution from AI',
+        pattern: /(?:eval|exec|execute)\s*\(\s*(?:ai|llm|gpt|claude|chat)(?:Response|Output|Result|Code)/gi,
+        sinkType: 'code_execution',
+        baseSeverity: 'critical',
+        description: 'AI-generated code is being executed dynamically.',
+        suggestedFix: 'Use a sandboxed code execution environment. Validate and restrict the allowed operations.',
+    },
+    // ========== Shell Command Sinks ==========
+    {
+        name: 'LLM output to exec()',
+        pattern: /(?:exec|execSync)\s*\(\s*(?:response|result|output|completion|command|content)(?:\.|\.data\.|\.text)?/gi,
+        sinkType: 'shell_command',
+        baseSeverity: 'critical',
+        description: 'LLM output is passed to shell exec(). Attackers can execute arbitrary system commands via prompt injection.',
+        suggestedFix: 'Never pass LLM output directly to shell. Use allowlists for permitted commands. Parse structured output and use execFile() with fixed command and arguments.',
+    },
+    {
+        name: 'LLM output to spawn()',
+        pattern: /spawn\s*\(\s*(?:response|result|output|completion|command|content)(?:\.|\.data\.|\.text)?/gi,
+        sinkType: 'shell_command',
+        baseSeverity: 'critical',
+        description: 'LLM output is passed to spawn(), allowing command execution.',
+        suggestedFix: 'Use a predefined list of allowed commands. Parse LLM output to extract only arguments, not command names.',
+    },
+    {
+        name: 'LLM output in shell template',
+        pattern: /`[^`]*\$\{(?:response|result|output|completion|command|content)[^}]*\}[^`]*`\s*(?:,|\))\s*(?:exec|spawn|child_process)/gi,
+        sinkType: 'shell_command',
+        baseSeverity: 'critical',
+        description: 'LLM output is interpolated into a shell command template.',
+        suggestedFix: 'Use execFile() with separate command and arguments array. Never interpolate AI output into shell strings.',
+    },
+    {
+        name: 'child_process with AI output',
+        pattern: /child_process\.\w+\s*\([^)]*(?:ai|llm|gpt|claude|chat)(?:Response|Output|Result)/gi,
+        sinkType: 'shell_command',
+        baseSeverity: 'critical',
+        description: 'AI-generated content passed to child_process module.',
+        suggestedFix: 'Implement strict allowlisting of commands. Parse structured output from LLM.',
+    },
+    // ========== SQL Builder Sinks ==========
+    {
+        name: 'LLM output in raw SQL',
+        pattern: /\.(?:query|execute|raw)\s*\(\s*(?:response|result|output|generated|sql|completion)(?:\.|\.data\.|\.text)?/gi,
+        sinkType: 'sql_builder',
+        baseSeverity: 'critical',
+        description: 'LLM-generated SQL is executed directly. This enables SQL injection via prompt manipulation.',
+        suggestedFix: 'Use parameterized queries. Have LLM generate query parameters, not raw SQL. Validate generated SQL against an allowlist of patterns.',
+    },
+    {
+        name: 'LLM output in SQL template',
+        pattern: /`(?:SELECT|INSERT|UPDATE|DELETE)[^`]*\$\{(?:response|result|output|generated|completion)/gi,
+        sinkType: 'sql_builder',
+        baseSeverity: 'critical',
+        description: 'LLM output interpolated into SQL query template.',
+        suggestedFix: 'Use parameterized queries. Have LLM output structured data (table names, conditions) that you validate against allowlists.',
+    },
+    {
+        name: 'Dynamic SQL from AI',
+        pattern: /(?:query|execute|sql)\s*\(\s*(?:ai|llm|gpt|claude)(?:Query|Sql|Response)/gi,
+        sinkType: 'sql_builder',
+        baseSeverity: 'critical',
+        description: 'AI-generated SQL query being executed.',
+        suggestedFix: 'Validate SQL structure. Use read-only database connections. Implement query allowlisting.',
+    },
+    // ========== Template/DOM Sinks ==========
+    {
+        name: 'LLM output to innerHTML',
+        pattern: /\.innerHTML\s*=\s*(?:response|result|output|completion|message|content|generated)(?:\.|\.data\.|\.text|\.content)?/gi,
+        sinkType: 'template_render',
+        baseSeverity: 'high',
+        description: 'LLM output assigned to innerHTML. If the model outputs malicious HTML/JS, it will execute (XSS).',
+        suggestedFix: 'Use textContent for plain text. Sanitize HTML with DOMPurify before rendering. Use React/Vue which auto-escape by default.',
+    },
+    {
+        name: 'LLM output to outerHTML',
+        pattern: /\.outerHTML\s*=\s*(?:response|result|output|completion|message|content|generated)(?:\.|\.data\.|\.text|\.content)?/gi,
+        sinkType: 'template_render',
+        baseSeverity: 'high',
+        description: 'LLM output assigned to outerHTML. This replaces the entire element and allows XSS.',
+        suggestedFix: 'Use textContent for plain text. Sanitize HTML with DOMPurify before rendering.',
+    },
+    {
+        name: 'LLM output to insertAdjacentHTML',
+        pattern: /\.insertAdjacentHTML\s*\([^,]+,\s*(?:response|result|output|completion|message|content|generated)/gi,
+        sinkType: 'template_render',
+        baseSeverity: 'high',
+        description: 'LLM output passed to insertAdjacentHTML. This allows XSS via injected HTML/JS.',
+        suggestedFix: 'Use insertAdjacentText for plain text. Sanitize HTML with DOMPurify: el.insertAdjacentHTML("beforeend", DOMPurify.sanitize(content))',
+    },
+    {
+        name: 'LLM output to dangerouslySetInnerHTML',
+        pattern: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html:\s*(?:response|result|output|completion|message|content)/gi,
+        sinkType: 'template_render',
+        baseSeverity: 'high',
+        description: 'LLM output used in React dangerouslySetInnerHTML without sanitization.',
+        suggestedFix: 'Sanitize with DOMPurify: dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }}',
+    },
+    {
+        name: 'LLM output to document.write',
+        pattern: /document\.write\s*\(\s*(?:response|result|output|completion|message|content)/gi,
+        sinkType: 'template_render',
+        baseSeverity: 'high',
+        description: 'LLM output passed to document.write, allowing script injection.',
+        suggestedFix: 'Use DOM manipulation methods with proper escaping. Never use document.write with dynamic content.',
+    },
+    // ========== M5: File System Sinks ==========
+    {
+        name: 'LLM output in file path',
+        pattern: /(?:readFile|writeFile|readFileSync|writeFileSync|unlink|unlinkSync|mkdir|mkdirSync|rmdir|rmSync)\s*\(\s*(?:response|result|output|completion|message|content|path)(?:\.|\.data\.|\.path)?/gi,
+        sinkType: 'code_execution', // Path traversal is code-level risk
+        baseSeverity: 'critical',
+        description: 'LLM-generated value used as file path. Path traversal attack possible - model could access or modify arbitrary files.',
+        suggestedFix: 'Validate AI output against allowed paths: if (!allowedPaths.some(p => path.resolve(output).startsWith(p))) throw. Use path.resolve() and check the result is within allowed directory.',
+    },
+    {
+        name: 'LLM output in fs operation',
+        pattern: /fs\.(?:read|write|append|unlink|mkdir|rm|stat|access)\w*\s*\(\s*(?:response|result|output|completion|aiPath|generatedPath)/gi,
+        sinkType: 'code_execution',
+        baseSeverity: 'critical',
+        description: 'AI-generated path passed to filesystem operation. Model could traverse to sensitive directories.',
+        suggestedFix: 'Create allowlist of permitted paths/directories. Use path.resolve() and validate result is within allowed boundaries.',
+    },
+    {
+        name: 'LLM output in path.join',
+        pattern: /path\.(?:join|resolve)\s*\([^)]*(?:response|result|output|completion|content|aiPath)[^)]*\).*(?:fs\.|readFile|writeFile)/gi,
+        sinkType: 'code_execution',
+        baseSeverity: 'high',
+        description: 'AI output used in path construction before file operation. Validate the final path.',
+        suggestedFix: 'After path.join/resolve, check result is within allowed directory: const resolved = path.resolve(base, aiPath); if (!resolved.startsWith(allowedRoot)) throw',
+    },
+    // ========== M5: Dynamic Import Sinks ==========
+    {
+        name: 'LLM output in dynamic import',
+        pattern: /import\s*\(\s*(?:response|result|output|completion|message|content|moduleName|aiModule)/gi,
+        sinkType: 'code_execution',
+        baseSeverity: 'critical',
+        description: 'AI-generated value used in dynamic import(). Arbitrary module loading enables code execution.',
+        suggestedFix: 'Use allowlist for permitted modules: const allowed = ["lodash", "moment"]; if (!allowed.includes(moduleName)) throw. Never dynamically import AI-generated module paths.',
+    },
+    {
+        name: 'LLM output in require()',
+        pattern: /require\s*\(\s*(?:response|result|output|completion|message|content|moduleName|aiModule)/gi,
+        sinkType: 'code_execution',
+        baseSeverity: 'critical',
+        description: 'AI-generated value used in require(). Can load arbitrary modules including native code.',
+        suggestedFix: 'Use allowlist for permitted modules. Consider using import maps or module aliases instead of dynamic require.',
+    },
+    {
+        name: 'LLM output in module resolution',
+        pattern: /(?:require\.resolve|import\.meta\.resolve)\s*\(\s*(?:response|result|output|completion|moduleName)/gi,
+        sinkType: 'code_execution',
+        baseSeverity: 'high',
+        description: 'AI output used in module path resolution. Could leak information about file system or enable module confusion attacks.',
+        suggestedFix: 'Validate module name against allowlist before resolution.',
+    },
+    // ========== Phase 2: Network/SSRF Sinks ==========
+    {
+        name: 'LLM output in fetch URL',
+        pattern: /fetch\s*\(\s*(?:response|result|output|completion|aiUrl|generatedUrl|urlFromAi)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+        sinkType: 'code_execution', // SSRF is code-level risk
+        baseSeverity: 'critical',
+        description: 'AI-generated URL passed to fetch(). Attackers can manipulate the model to make requests to internal services (SSRF), exfiltrate data, or access localhost services.',
+        suggestedFix: 'Validate URL against allowlist: const allowed = ["api.example.com"]; if (!allowed.includes(new URL(url).host)) throw. Block private IP ranges.',
+    },
+    {
+        name: 'LLM output in axios request',
+        pattern: /axios\.(?:get|post|put|delete|patch|request)\s*\(\s*(?:response|result|output|completion|aiUrl|generatedUrl)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+        sinkType: 'code_execution',
+        baseSeverity: 'critical',
+        description: 'AI-generated URL passed to axios. This enables SSRF attacks where the model is manipulated to make requests to internal services.',
+        suggestedFix: 'Validate URL host against allowlist. Use axios interceptors to block private IPs and internal hosts.',
+    },
+    {
+        name: 'LLM output in axios config',
+        pattern: /axios\s*\(\s*\{[^}]*url:\s*(?:response|result|output|completion|aiUrl|generatedUrl)/gi,
+        sinkType: 'code_execution',
+        baseSeverity: 'critical',
+        description: 'AI-generated URL passed to axios via config object. SSRF risk.',
+        suggestedFix: 'Validate URL host against allowlist before passing to axios.',
+    },
+    {
+        name: 'LLM output in HTTP client',
+        pattern: /(?:got|request|superagent|ky|undici\.fetch)\s*\(\s*(?:response|result|output|completion|aiUrl)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+        sinkType: 'code_execution',
+        baseSeverity: 'critical',
+        description: 'AI-generated URL passed to HTTP client. Server-Side Request Forgery (SSRF) risk.',
+        suggestedFix: 'Validate URLs against allowlist of permitted hosts. Block internal IP ranges (10.x, 172.16-31.x, 192.168.x, 127.x, localhost).',
+    },
+    // ========== Phase 2: Redirect Sinks ==========
+    {
+        name: 'LLM output in server redirect',
+        pattern: /(?:res|response)\.redirect\s*\(\s*(?:response|result|output|completion|aiUrl|generatedUrl)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+        sinkType: 'template_render', // Open redirect is similar to XSS
+        baseSeverity: 'high',
+        description: 'AI-generated URL used in HTTP redirect. Attackers can craft prompts to redirect users to phishing sites or malicious pages.',
+        suggestedFix: 'Validate redirect URL against allowlist. Only allow redirects to same-origin or known safe domains. Use relative URLs where possible.',
+    },
+    {
+        name: 'LLM output in client redirect assignment',
+        pattern: /(?:window\.)?location\.href\s*=\s*(?:response|result|output|completion|aiUrl|generatedUrl)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+        sinkType: 'template_render',
+        baseSeverity: 'high',
+        description: 'AI-generated URL assigned to location.href. Enables open redirect attacks.',
+        suggestedFix: 'Validate URL before assignment. Prefer relative URLs or validate against allowlist: if (!url.startsWith("/") && !allowedHosts.includes(new URL(url).host)) throw',
+    },
+    {
+        name: 'LLM output in location.assign',
+        pattern: /location\.assign\s*\(\s*(?:response|result|output|completion|aiUrl|generatedUrl)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+        sinkType: 'template_render',
+        baseSeverity: 'high',
+        description: 'AI-generated URL passed to location.assign(). Enables open redirect attacks.',
+        suggestedFix: 'Validate URL before assignment. Only allow same-origin or allowlisted domains.',
+    },
+    {
+        name: 'LLM output in location.replace',
+        pattern: /location\.replace\s*\(\s*(?:response|result|output|completion|aiUrl|generatedUrl)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+        sinkType: 'template_render',
+        baseSeverity: 'high',
+        description: 'AI-generated URL passed to location.replace(). Enables open redirect attacks.',
+        suggestedFix: 'Validate URL before assignment. Only allow same-origin or allowlisted domains.',
+    },
+    {
+        name: 'LLM output in Next.js redirect',
+        pattern: /redirect\s*\(\s*(?:response|result|output|completion|aiUrl|generatedUrl)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+        sinkType: 'template_render',
+        baseSeverity: 'high',
+        description: 'AI-generated URL passed to Next.js redirect(). Enables open redirect attacks.',
+        suggestedFix: 'Validate URL before redirect. Only allow relative URLs or allowlisted domains.',
+    },
+    {
+        name: 'LLM output in meta refresh',
+        pattern: /<meta[^>]*http-equiv\s*=\s*['"`]refresh['"`][^>]*content\s*=\s*['"`][^'"]*url\s*=\s*(?:\$\{|<%=).*(?:response|output|completion)/gi,
+        sinkType: 'template_render',
+        baseSeverity: 'high',
+        description: 'AI-generated URL in meta refresh tag. Open redirect vulnerability.',
+        suggestedFix: 'Avoid meta refresh with dynamic URLs. Use server-side redirects with URL validation instead.',
+    },
+    // ========== Phase 2: Header Injection Sinks ==========
+    {
+        name: 'LLM output in response header',
+        pattern: /(?:res|response)\.(?:setHeader|set|header)\s*\(\s*['"][^'"]+['"]\s*,\s*(?:response|result|output|completion|aiValue)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+        sinkType: 'template_render',
+        baseSeverity: 'high',
+        description: 'AI-generated value used in HTTP response header. Enables header injection attacks (CRLF injection, cache poisoning).',
+        suggestedFix: 'Sanitize header values: remove CR/LF characters. Validate against expected format. Never use AI output directly in security-sensitive headers (Set-Cookie, Authorization).',
+    },
+    {
+        name: 'LLM output in cookie',
+        pattern: /(?:res|response)\.(?:cookie|setCookie)\s*\(\s*['"][^'"]+['"]\s*,\s*(?:response|result|output|completion)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+        sinkType: 'template_render',
+        baseSeverity: 'high',
+        description: 'AI-generated value set as cookie. Could enable session fixation or cookie injection attacks.',
+        suggestedFix: 'Never use AI output for cookie values. Generate tokens server-side with crypto.randomBytes(). Validate any user-facing values.',
+    },
+    {
+        name: 'LLM output in res.type',
+        pattern: /(?:res|response)\.type\s*\(\s*(?:response|result|output|completion)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+        sinkType: 'template_render',
+        baseSeverity: 'high',
+        description: 'AI-generated value used to set Content-Type. Could enable MIME confusion attacks.',
+        suggestedFix: 'Use allowlist for content types: const allowed = ["json", "html", "text"]; if (!allowed.includes(type)) throw',
+    },
+    // ========== Phase 3: Additional Code Execution Sinks ==========
+    {
+        name: 'LLM output to setTimeout/setInterval string',
+        pattern: /(?:setTimeout|setInterval)\s*\(\s*(?:response|result|output|completion)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+        sinkType: 'code_execution',
+        baseSeverity: 'high',
+        description: 'AI-generated string passed to setTimeout/setInterval. When passed a string, these functions act like eval().',
+        suggestedFix: 'Never pass strings to setTimeout/setInterval. Use arrow functions: setTimeout(() => doSomething(), 1000)',
+    },
+    {
+        name: 'LLM output to globalThis.eval',
+        pattern: /(?:globalThis|window)\[?['"]?eval['"]?\]?\s*\(\s*(?:response|result|output|completion)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+        sinkType: 'code_execution',
+        baseSeverity: 'critical',
+        description: 'AI-generated code passed to eval via globalThis/window. This is indirect eval() that enables arbitrary code execution.',
+        suggestedFix: 'Never eval() LLM output. Use structured output and validation.',
+    },
+    {
+        name: 'LLM output to execa',
+        pattern: /execa\s*\(\s*(?:response|result|output|completion)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+        sinkType: 'shell_command',
+        baseSeverity: 'critical',
+        description: 'AI-generated command passed to execa. This enables command injection attacks.',
+        suggestedFix: 'Never pass LLM output directly to shell. Use allowlists for permitted commands.',
+    },
+    // ========== Phase 3: Python-Specific Sinks ==========
+    {
+        name: 'LLM output to Python eval',
+        pattern: /eval\s*\(\s*(?:response|result|output|completion|code)(?:\[['"]?choices['"]?\]\[0\]\[['"]?message['"]?\]\[['"]?content['"]?\]|\.content|\.text)?/gi,
+        sinkType: 'code_execution',
+        baseSeverity: 'critical',
+        description: 'AI-generated code passed to Python eval(). Enables arbitrary code execution.',
+        suggestedFix: 'Never eval() LLM output. Use ast.literal_eval() for safe literal evaluation, or JSON parsing with schema validation.',
+    },
+    {
+        name: 'LLM output to Python exec',
+        pattern: /exec\s*\(\s*(?:response|result|output|completion)(?:\[['"]?choices['"]?\]\[0\]\[['"]?message['"]?\]\[['"]?content['"]?\]|\.content|\.text)?/gi,
+        sinkType: 'code_execution',
+        baseSeverity: 'critical',
+        description: 'AI-generated code passed to Python exec(). Enables arbitrary code execution.',
+        suggestedFix: 'Never exec() LLM output. Use structured output and validation instead.',
+    },
+    {
+        name: 'LLM output to pickle.loads',
+        pattern: /pickle\.loads?\s*\(\s*(?:response|result|output|completion|serialized)(?:\.encode\(\)|\.content|\.text)?/gi,
+        sinkType: 'code_execution',
+        baseSeverity: 'critical',
+        description: 'AI-generated data passed to pickle.loads(). Pickle deserialization can execute arbitrary code.',
+        suggestedFix: 'Never unpickle untrusted data. Use JSON or other safe serialization formats.',
+    },
+    {
+        name: 'LLM output to subprocess with shell=True',
+        pattern: /subprocess\.(?:run|call|Popen)\s*\(\s*(?:response|result|output|completion|ai_command|generated_cmd)(?:\.content|\.text)?[^)]*shell\s*=\s*True/gi,
+        sinkType: 'shell_command',
+        baseSeverity: 'critical',
+        description: 'AI-generated command passed to subprocess with shell=True. Enables command injection.',
+        suggestedFix: 'Never use shell=True with user/AI input. Use subprocess.run(["cmd", "arg1", "arg2"]) without shell.',
+    },
+    {
+        name: 'LLM output to os.system',
+        pattern: /os\.system\s*\(\s*(?:response|result|output|completion|generated_cmd|ai_command)(?:\.content|\.text)?/gi,
+        sinkType: 'shell_command',
+        baseSeverity: 'critical',
+        description: 'AI-generated command passed to os.system(). Enables command injection.',
+        suggestedFix: 'Use subprocess.run() with list arguments instead of os.system(). Never pass AI output to shell.',
+    },
+    {
+        name: 'Python SQL f-string injection',
+        pattern: /cursor\.execute\s*\(\s*f["'].*\{.*(?:response|result|output|completion)/gi,
+        sinkType: 'sql_builder',
+        baseSeverity: 'critical',
+        description: 'AI-generated value interpolated into SQL query via f-string. Enables SQL injection.',
+        suggestedFix: 'Use parameterized queries: cursor.execute("SELECT * FROM users WHERE id = ?", [user_id])',
+    },
+    // ========== Sprint 6: Template Engine Injection Sinks ==========
+    {
+        name: 'LLM output to EJS template',
+        pattern: /\bejs\.(?:render|renderFile|compile)\s*\([^)]*(?:response|result|output|completion|content|message|text|answer)(?:\.|\.data\.|\.text|\.content)?/gi,
+        sinkType: 'template_render',
+        baseSeverity: 'high',
+        description: 'LLM output passed to EJS template engine. Server-side template injection (SSTI) can lead to remote code execution.',
+        suggestedFix: 'Sanitize LLM output before passing to templates. Use autoescaping and never pass AI output as template source.',
+    },
+    {
+        name: 'LLM output to Handlebars template',
+        pattern: /\b(?:handlebars|hbs)\.(?:compile|render)\s*\([^)]*(?:response|result|output|completion|content)(?:\.|\.data\.|\.text|\.content)?/gi,
+        sinkType: 'template_render',
+        baseSeverity: 'high',
+        description: 'LLM output passed to Handlebars template. If used with SafeString, SSTI is possible.',
+        suggestedFix: 'Never pass LLM output to Handlebars SafeString. Use default escaping and sanitize AI output.',
+    },
+    {
+        name: 'LLM output to Pug/Jade template',
+        pattern: /\bpug\.(?:render|compile|renderFile)\s*\([^)]*(?:response|result|output|completion|content)(?:\.|\.data\.|\.text|\.content)?/gi,
+        sinkType: 'template_render',
+        baseSeverity: 'high',
+        description: 'LLM output passed to Pug template engine. Unescaped interpolation (!{}) enables SSTI.',
+        suggestedFix: 'Use escaped interpolation (#{}) and sanitize LLM output before rendering.',
+    },
+    {
+        name: 'LLM output to Nunjucks template',
+        pattern: /\bnunjucks\.(?:render|renderString)\s*\([^)]*(?:response|result|output|completion|content)(?:\.|\.data\.|\.text|\.content)?/gi,
+        sinkType: 'template_render',
+        baseSeverity: 'high',
+        description: 'LLM output passed to Nunjucks template. SSTI risk if autoescape is disabled.',
+        suggestedFix: 'Enable autoescape and sanitize LLM output before rendering.',
+    },
+    {
+        name: 'LLM output to Jinja2 template (Python)',
+        pattern: /\b(?:jinja2\.)?Template\s*\([^)]*(?:response|result|output|completion|content)(?:\.|\.content|\.text)?/gi,
+        sinkType: 'template_render',
+        baseSeverity: 'high',
+        description: 'LLM output used as Jinja2 template source. SSTI can lead to RCE in Python.',
+        suggestedFix: 'Never use LLM output as template source. Use it only as template variables with autoescaping enabled.',
+    },
+    {
+        name: 'LLM output in Mustache template',
+        pattern: /\bMustache\.render\s*\([^)]*(?:response|result|output|completion|content)(?:\.|\.data\.|\.text|\.content)?/gi,
+        sinkType: 'template_render',
+        baseSeverity: 'medium',
+        description: 'LLM output passed to Mustache template. While Mustache auto-escapes HTML, triple braces {{{...}}} bypass this.',
+        suggestedFix: 'Ensure LLM output is never used with triple braces. Validate template structure.',
+    },
+    // ========== Sprint 6: NoSQL Injection Sinks ==========
+    {
+        name: 'NoSQL injection via JSON.parse',
+        pattern: /\.(?:find|findOne|findOneAndUpdate|updateOne|updateMany|deleteOne|deleteMany|aggregate)\s*\(\s*JSON\.parse\s*\(\s*(?:response|result|output|completion|content)(?:\.|\.text|\.content)?/gi,
+        sinkType: 'sql_builder',
+        baseSeverity: 'high',
+        description: 'LLM output parsed as MongoDB query via JSON.parse. NoSQL injection can bypass authentication or leak data.',
+        suggestedFix: 'Use parameterized queries or validate/sanitize LLM output against a schema before using in queries.',
+    },
+    {
+        name: 'MongoDB $where injection',
+        pattern: /\$where\s*:\s*[^}]*(?:response|result|output|completion|content|message)(?:\.|\.text|\.content)?/gi,
+        sinkType: 'sql_builder',
+        baseSeverity: 'critical',
+        description: 'LLM output in MongoDB $where operator. $where executes JavaScript, enabling arbitrary code execution.',
+        suggestedFix: 'Avoid $where operator entirely. Use standard MongoDB query operators instead.',
+    },
+    {
+        name: 'Dynamic MongoDB query from LLM',
+        pattern: /(?:db|collection|mongoose)\.(?:find|findOne|aggregate)\s*\(\s*(?:response|result|output|completion|aiQuery)(?:\.|\.query|\.filter)?/gi,
+        sinkType: 'sql_builder',
+        baseSeverity: 'high',
+        description: 'LLM output used directly as MongoDB query. Query operators could be injected.',
+        suggestedFix: 'Validate query structure. Only allow specific operators. Use schema validation before query execution.',
+    },
+    // ========== Sprint 6: GraphQL Injection Sinks ==========
+    {
+        name: 'GraphQL query injection',
+        pattern: /\b(?:gql|graphql)\s*`[^`]*\$\{[^}]*(?:response|result|output|completion|content|message)[^}]*\}/gi,
+        sinkType: 'sql_builder',
+        baseSeverity: 'high',
+        description: 'LLM output interpolated into GraphQL query string. Can lead to query manipulation or unauthorized data access.',
+        suggestedFix: 'Use GraphQL variables instead of string interpolation for dynamic values.',
+    },
+    {
+        name: 'GraphQL query from LLM output',
+        pattern: /(?:apolloClient|urqlClient|client)\.query\s*\(\s*\{[^}]*query\s*:\s*(?:response|result|output|completion|aiQuery)(?:\.|\.query)?/gi,
+        sinkType: 'sql_builder',
+        baseSeverity: 'high',
+        description: 'LLM output used as GraphQL query. Malicious queries could access unauthorized data or cause DoS.',
+        suggestedFix: 'Use predefined queries with variables. Validate query structure and depth before execution.',
+    },
+    // ========== Sprint 6: ReDoS (Regular Expression DoS) Sinks ==========
+    {
+        name: 'Dynamic regex from LLM output',
+        pattern: /new\s+RegExp\s*\(\s*(?:response|result|output|completion|content|message|answer)(?:\.|\.text|\.content|\.pattern)?/gi,
+        sinkType: 'code_execution',
+        baseSeverity: 'medium',
+        description: 'LLM-generated regex pattern. Malicious patterns can cause catastrophic backtracking (ReDoS), hanging the server.',
+        suggestedFix: 'Validate regex complexity before compilation. Use safe-regex library or set timeout for regex execution.',
+    },
+    {
+        name: 'Python regex from LLM output',
+        pattern: /re\.compile\s*\(\s*(?:response|result|output|completion|content|pattern)(?:\.|\.text|\.content)?/gi,
+        sinkType: 'code_execution',
+        baseSeverity: 'medium',
+        description: 'LLM-generated regex compiled in Python. ReDoS attacks can cause denial of service.',
+        suggestedFix: 'Use regex_timeout or validate pattern complexity before compilation.',
+    },
+    {
+        name: 'Dynamic regex replacement',
+        pattern: /\.replace\s*\(\s*new\s+RegExp\s*\(\s*(?:response|result|output|completion|content)/gi,
+        sinkType: 'code_execution',
+        baseSeverity: 'medium',
+        description: 'LLM output used as regex pattern in replace operation. ReDoS risk.',
+        suggestedFix: 'Use string replace or validate regex pattern complexity.',
+    },
+];
+// ============================================================================
+// Phase 2: URL/Network Validation Detection
+// ============================================================================
+/**
+ * Check if URL validation is present (returns 'strong', 'weak', or 'none')
+ * Strong validation = skip finding entirely
+ * Weak validation = downgrade severity
+ */
+function getURLValidationLevel(content, lineNumber, lines) {
+    const _lines = lines ?? content.split('\n');
+    const contextStart = Math.max(0, lineNumber - 15);
+    const contextEnd = Math.min(_lines.length, lineNumber + 5);
+    const context = _lines.slice(contextStart, contextEnd).join('\n');
+    // Strong validation - skip entirely
+    const strongValidationPatterns = [
+        /allowedHosts\.includes\s*\(\s*(?:new\s+URL)?/i, // Explicit allowlist check
+        /safeDomains\.includes\s*\(/i, // Safe domain allowlist
+        /allowedDomains\.includes\s*\(/i, // Allowed domain check
+        /if\s*\(\s*allowedHosts/i, // Conditional on allowlist
+        /if\s*\(\s*safeDomains/i, // Conditional on safe domains
+        /url\.origin\s*===\s*(?:window\.)?(?:location\.)?origin/i, // Same-origin check
+        /\.origin\s*===\s*origin/i, // Same-origin check
+        /\.startsWith\s*\(\s*['"]\/['"]?\s*\)\s*&&\s*!\s*\w+\.startsWith\s*\(\s*['"]\/\//i, // Relative URL with protocol-relative check
+        /if\s*\(\s*\w+\.startsWith\s*\(\s*['"]\/['"]?\s*\)\s*&&\s*!/i, // Relative URL validation
+        /blockedHosts\.includes\s*\(/i, // Block list check
+        /privateIpPatterns\.some\s*\(/i, // Private IP blocking
+    ];
+    if (strongValidationPatterns.some(p => p.test(context))) {
+        return 'strong';
+    }
+    // Weak validation - downgrade severity
+    const weakValidationPatterns = [
+        /isValidUrl|validateUrl|isAllowedUrl/i,
+        /new\s+URL\s*\(.*\).*(?:host|hostname|origin)/i,
+        /allowedUrls|allowedHosts|allowedDomains|safeDomains/i,
+        /url\.startsWith\s*\(\s*['"`](?:https?:\/\/|\/[^\/])/i,
+        /sanitizeUrl|encodeURIComponent/i,
+        /blockedHosts|blockedDomains|privateIp/i,
+        /\.includes\s*\(\s*(?:new\s+URL\s*\()?.*\.host/i,
+    ];
+    if (weakValidationPatterns.some(p => p.test(context))) {
+        return 'weak';
+    }
+    return 'none';
+}
+/**
+ * Legacy function for backward compatibility
+ */
+function hasURLValidation(content, lineNumber) {
+    return getURLValidationLevel(content, lineNumber) !== 'none';
+}
+/**
+ * Check if DOM content is sanitized (e.g., DOMPurify)
+ */
+function isDOMSanitized(lineContent, surroundingContext) {
+    const fullContext = lineContent + '\n' + surroundingContext;
+    const sanitizationPatterns = [
+        /DOMPurify\.sanitize\s*\(/i,
+        /sanitizeHtml\s*\(/i,
+        /xss\s*\(/i,
+        /escapeHtml\s*\(/i,
+        /textContent\s*=/i, // textContent is safe
+        /innerText\s*=/i, // innerText is safe
+        /ReactMarkdown/i, // ReactMarkdown sanitizes by default
+        /<ReactMarkdown>/i, // JSX ReactMarkdown
+    ];
+    return sanitizationPatterns.some(p => p.test(fullContext));
+}
+/**
+ * Check if file path is properly validated
+ */
+function isPathValidated(content, lineNumber, lines) {
+    const _lines = lines ?? content.split('\n');
+    const contextStart = Math.max(0, lineNumber - 15);
+    const contextEnd = Math.min(_lines.length, lineNumber + 5);
+    const context = _lines.slice(contextStart, contextEnd).join('\n');
+    const pathValidationPatterns = [
+        /path\.resolve\s*\([^)]*\).*startsWith/i, // Resolved path + startsWith check
+        /resolved\.startsWith\s*\(/i, // Common pattern: resolved.startsWith(baseDir)
+        /!.*startsWith.*throw/i, // Validation with throw on failure
+        /if\s*\(\s*!?\s*resolved\.startsWith/i, // Conditional path check
+        /allowedExtensions\.includes\s*\(/i, // Extension allowlist
+        /allowedPaths/i, // Path allowlist
+        /SAFE_BASE_DIR/i, // Common safe directory constant
+        /baseDir|safeDir|allowedDir/i, // Directory restriction variables
+        /path\.basename\s*\(/i, // Only using basename (no traversal)
+        /\.replace\s*\(/i, // Generic replace (likely sanitization)
+    ];
+    return pathValidationPatterns.some(p => p.test(context));
+}
+/**
+ * Check if header value is sanitized
+ */
+function isHeaderSanitized(content, lineNumber, lines) {
+    const _lines = lines ?? content.split('\n');
+    const contextStart = Math.max(0, lineNumber - 15);
+    const contextEnd = Math.min(_lines.length, lineNumber + 5);
+    const context = _lines.slice(contextStart, contextEnd).join('\n');
+    const headerSanitizationPatterns = [
+        /\.replace\s*\(\s*\/\[\\r\\n\]/i, // CRLF removal
+        /\.replace\s*\(\s*\/\[\\\\r\\\\n\]/i, // CRLF removal (escaped)
+        /allowedTypes\.includes\s*\(/i, // Content-type allowlist
+        /allowed(?:Headers|Types|Values)\.includes\s*\(/i, // Generic allowlist
+        /if\s*\(\s*allowed\w*\.includes\s*\(/i, // Conditional allowlist
+        /crypto\.random/i, // Server-generated value (not AI)
+        /randomUUID/i, // UUID generation
+        /safeValue|sanitized/i, // Variable indicating sanitization
+        /\/\^?\[a-zA-Z0-9\-_\.\s\]\+\$?\/.*\.test\s*\(/i, // Regex validation (alphanumeric chars only)
+        /if\s*\(\/\^?\[a-zA-Z0-9/i, // Conditional with alphanumeric regex
+    ];
+    return headerSanitizationPatterns.some(p => p.test(context));
+}
+/**
+ * Check for Python-specific safe patterns
+ */
+function isPythonSafe(lineContent, surroundingContext) {
+    const fullContext = lineContent + '\n' + surroundingContext;
+    const pythonSafePatterns = [
+        /ast\.literal_eval\s*\(/i, // Safe literal evaluation
+        /yaml\.(?:safe_load|SafeLoader)/i, // Safe YAML
+        /yaml\.load\s*\([^)]*Loader\s*=\s*yaml\.SafeLoader/i, // Explicit SafeLoader
+        /cursor\.execute\s*\([^,]+,\s*\[/i, // Parameterized query with list
+        /\?\s*,\s*\[/i, // SQL placeholder with params
+        /%s.*,\s*\[/i, // Python %s placeholder with list
+        /subprocess\.run\s*\(\s*\[/i, // subprocess with list (no shell)
+        /shell\s*=\s*False/i, // Explicit shell=False
+    ];
+    return pythonSafePatterns.some(p => p.test(fullContext));
+}
+/**
+ * Check if SQL is using parameterized queries or ORM
+ */
+function isSQLParameterized(lineContent, surroundingContext) {
+    const fullContext = lineContent + '\n' + surroundingContext;
+    const parameterizedPatterns = [
+        /allowedColumns\.filter\s*\(/i, // Column allowlist
+        /safeColumns/i, // Safe column variable
+        /allowedColumns\.includes\s*\(/i, // Column allowlist check
+        /\.filter\s*\(\s*\w+\s*=>\s*allowed\w*\.includes/i, // Filter with allowlist
+        /schema\.parse\s*\(/i, // Zod schema validation
+        /z\.enum\s*\(\s*\[/i, // Zod enum (allowlist)
+        /prisma\.\w+\.(?:findMany|findUnique|create|update)/i, // Prisma ORM methods (not raw)
+        /\$\{.*\}.*WHERE.*=\s*\$\d/i, // Dynamic column but parameterized value
+    ];
+    return parameterizedPatterns.some(p => p.test(fullContext));
+}
+/**
+ * Check if shell execution uses allowlist
+ */
+function isShellAllowlisted(content, lineNumber, lines) {
+    const _lines = lines ?? content.split('\n');
+    const contextStart = Math.max(0, lineNumber - 15);
+    const contextEnd = Math.min(_lines.length, lineNumber + 5);
+    const context = _lines.slice(contextStart, contextEnd).join('\n');
+    const shellAllowlistPatterns = [
+        /allowedArgs\.includes\s*\(/i, // Argument allowlist
+        /if\s*\(\s*allowedArgs\.includes/i, // Conditional on allowlist
+        /allowedCommands\.includes\s*\(/i, // Command allowlist
+        /execFile\s*\(\s*['"][^'"]+['"]/i, // execFile with hardcoded command (safe)
+        /\.replace\s*\(\s*\/\[^a-z0-9\]/gi, // Strict sanitization
+        /sanitized\s*=/i, // Sanitization variable
+    ];
+    return shellAllowlistPatterns.some(p => p.test(context));
+}
+/**
+ * Check if template engine has autoescape enabled or uses safe rendering
+ */
+function isTemplateSafe(content, lineNumber, lines) {
+    const _lines = lines ?? content.split('\n');
+    const contextStart = Math.max(0, lineNumber - 15);
+    const contextEnd = Math.min(_lines.length, lineNumber + 5);
+    const context = _lines.slice(contextStart, contextEnd).join('\n');
+    const templateSafePatterns = [
+        /autoescape\s*[=:]\s*true/i, // Autoescape enabled
+        /autoescaping\s*[=:]\s*true/i, // Alternative naming
+        /escape\s*[=:]\s*true/i, // Escape option
+        /\.escapeHtml\s*\(/i, // Manual escaping
+        /sanitize(?:Html|Output)?\s*\(/i, // Sanitization function
+        /DOMPurify\.sanitize/i, // DOMPurify sanitization
+        /#{[^}]+}/i, // Pug escaped interpolation (safe)
+        /\{\{[^}]+\}\}/i, // Handlebars/Mustache double-brace (escaped by default)
+    ];
+    // Patterns that indicate unsafe usage
+    const unsafePatterns = [
+        /autoescape\s*[=:]\s*false/i, // Autoescape disabled
+        /!{[^}]+}/i, // Pug unescaped interpolation
+        /{{{[^}]+}}}/i, // Handlebars/Mustache triple-brace (unescaped)
+        /SafeString/i, // Handlebars SafeString (bypasses escaping)
+        /\|safe\b/i, // Jinja2/Nunjucks safe filter
+    ];
+    const isSafe = templateSafePatterns.some(p => p.test(context));
+    const isUnsafe = unsafePatterns.some(p => p.test(context));
+    return isSafe && !isUnsafe;
+}
+/**
+ * Check if NoSQL query uses schema validation or allowlist
+ */
+function isNoSQLSafe(content, lineNumber, lines) {
+    const _lines = lines ?? content.split('\n');
+    const contextStart = Math.max(0, lineNumber - 15);
+    const contextEnd = Math.min(_lines.length, lineNumber + 5);
+    const context = _lines.slice(contextStart, contextEnd).join('\n');
+    const safePatterns = [
+        /schema\.parse\s*\(/i, // Zod schema validation
+        /\.validate\s*\(/i, // Joi/Yup validation
+        /allowedOperators/i, // Operator allowlist
+        /allowedFields/i, // Field allowlist
+        /sanitizeQuery/i, // Query sanitization function
+        /mongo-sanitize/i, // mongo-sanitize library
+        /mongoose\.(?:Schema|model)/i, // Using Mongoose models (safer)
+    ];
+    return safePatterns.some(p => p.test(context));
+}
+/**
+ * Check if regex has complexity validation or timeout
+ */
+function isRegexSafe(content, lineNumber, lines) {
+    const _lines = lines ?? content.split('\n');
+    const contextStart = Math.max(0, lineNumber - 15);
+    const contextEnd = Math.min(_lines.length, lineNumber + 5);
+    const context = _lines.slice(contextStart, contextEnd).join('\n');
+    const safePatterns = [
+        /safe-regex/i, // safe-regex library
+        /recheck/i, // recheck library
+        /regex-timeout/i, // Timeout wrapper
+        /RE2/i, // RE2 library (safe by design)
+        /validateRegex/i, // Custom validation
+        /maxLength|maxPatternLength/i, // Length limits
+        /try\s*\{[^}]*new\s+RegExp[^}]*\}\s*catch/i, // Try-catch around regex
+    ];
+    return safePatterns.some(p => p.test(context));
+}
+/**
+ * Check if dynamic import uses allowlist
+ */
+function isImportAllowlisted(content, lineNumber, lines) {
+    const _lines = lines ?? content.split('\n');
+    const contextStart = Math.max(0, lineNumber - 15);
+    const contextEnd = Math.min(_lines.length, lineNumber + 5);
+    const context = _lines.slice(contextStart, contextEnd).join('\n');
+    const importAllowlistPatterns = [
+        /ALLOWED_PLUGINS\s*[=:]/i, // Plugin allowlist
+        /importMap\s*[=:]/i, // Import map object
+        /allowedModules/i, // Module allowlist
+        /if\s*\(\s*\w+\s+in\s+importMap\)/i, // Key in import map
+        /if\s*\(\s*loader\)/i, // Loader function check (from allowlist)
+        /\[aiModule\]\s*$/i, // Array access into known object (allowlist lookup)
+    ];
+    return importAllowlistPatterns.some(p => p.test(context));
+}
+// ============================================================================
+// Main Detection Function
+// ============================================================================
+/**
+ * Get surrounding context for analysis
+ */
+function getSurroundingContext(content, lineIndex, windowSize = 15, lines) {
+    const _lines = lines ?? content.split('\n');
+    const start = Math.max(0, lineIndex - windowSize);
+    const end = Math.min(_lines.length, lineIndex + windowSize);
+    return _lines.slice(start, end).join('\n');
+}
+/**
+ * Calculate severity based on sandbox and validation status
+ */
+function calculateSeverity(baseSeverity, sinkType, isSandboxed, hasValidation, isTestFile, isExample = false, isLibrary = false) {
+    let severity = baseSeverity;
+    // Test files get significant downgrade
+    if (isTestFile) {
+        return 'info';
+    }
+    // Example/demo code - not production, for tutorials
+    if (isExample) {
+        return 'info';
+    }
+    // Library code - base utilities, consumers add restrictions
+    if (isLibrary) {
+        return 'info';
+    }
+    // Sandboxing provides major protection for code execution
+    if (isSandboxed) {
+        if (sinkType === 'code_execution') {
+            severity = hasValidation ? 'low' : 'medium';
+        }
+        else {
+            // Sandboxing less relevant for SQL/shell
+            severity = hasValidation ? 'medium' : 'high';
+        }
+    }
+    else if (hasValidation) {
+        // Validation alone helps but doesn't eliminate risk
+        if (baseSeverity === 'critical') {
+            severity = 'high';
+        }
+        else if (baseSeverity === 'high') {
+            severity = 'medium';
+        }
+    }
+    return severity;
+}
+/**
+ * Main detection function for LLM output execution sinks
+ */
+function detectAIExecutionSinks(content, filePath, options) {
+    const vulnerabilities = [];
+    // Skip non-applicable files
+    if ((0, file_classifier_1.isScannerOrFixtureFile)(filePath))
+        return vulnerabilities;
+    // Only deeply scan files that appear to be in LLM context
+    // But still do basic scanning on all files for obvious patterns
+    const isLLMFile = (0, prompt_hygiene_1.isLLMContextFile)(filePath, content);
+    const lines = options?.parsed?.lines ?? content.split('\n');
+    const isTestFile = (0, file_classifier_1.isTestOrMockFile)(filePath);
+    const isExample = (0, file_classifier_1.isExampleDirectory)(filePath);
+    const isLibrary = (0, file_classifier_1.isLibraryCode)(filePath);
+    for (const pattern of EXECUTION_SINK_PATTERNS) {
+        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            const lineNumber = content.substring(0, match.index).split('\n').length;
+            const lineContent = lines[lineNumber - 1]?.trim() || '';
+            // Skip comments
+            if ((0, file_classifier_1.isComment)(lineContent))
+                continue;
+            const surroundingContext = getSurroundingContext(content, lineNumber - 1, 15, lines);
+            // Check if this is actually in an LLM context
+            const hasLLMContext = isLLMFile || hasLLMResponseContext(lineContent, surroundingContext);
+            // ===== FALSE POSITIVE FILTERS =====
+            // Skip UI suggestion/template patterns (command palettes, autocomplete, etc.)
+            // These are display strings, not execution sinks
+            if (isUITemplateSuggestion(lineContent, surroundingContext)) {
+                continue;
+            }
+            // Skip app data interpolation (e.g., ${node.title}, ${item.id})
+            // where the interpolated data is from the app, not LLM output
+            if (isAppDataInterpolation(lineContent, surroundingContext)) {
+                continue;
+            }
+            // For non-LLM files, require stronger signal
+            if (!hasLLMContext) {
+                // Check if the matched variable looks like LLM output
+                const matchText = match[0];
+                const variableMatch = matchText.match(/(?:response|result|output|completion|message|content|answer|generated|text)/i);
+                if (!variableMatch)
+                    continue;
+                // Skip if this looks like display-only usage
+                if (isDisplayOnly(lineContent, surroundingContext))
+                    continue;
+            }
+            // Check for sandboxing and validation
+            const isSandboxed = isSandboxedExecution(content, lineNumber, lines);
+            const hasValidation = hasOutputValidation(content, lineNumber, lines);
+            // ===== SINK-SPECIFIC VALIDATION CHECKS =====
+            // Phase 2: Check for URL validation on network/redirect sinks (SSRF, Open Redirect)
+            const isNetworkSink = pattern.name.includes('fetch') || pattern.name.includes('axios') ||
+                pattern.name.includes('HTTP') || pattern.name.includes('redirect') ||
+                pattern.name.includes('location') || pattern.name.includes('got');
+            if (isNetworkSink) {
+                const urlValidLevel = getURLValidationLevel(content, lineNumber, lines);
+                if (urlValidLevel === 'strong') {
+                    continue; // Skip - strong URL validation present
+                }
+            }
+            // Phase 3: Check for DOM sanitization on template_render sinks
+            const hasDOMSanitization = pattern.sinkType === 'template_render'
+                ? isDOMSanitized(lineContent, surroundingContext)
+                : false;
+            // Skip DOM findings if sanitized
+            if (hasDOMSanitization && pattern.sinkType === 'template_render') {
+                continue;
+            }
+            // Check for header sanitization
+            const isHeaderSink = pattern.name.includes('header') || pattern.name.includes('cookie') ||
+                pattern.name.includes('res.type');
+            if (isHeaderSink && isHeaderSanitized(content, lineNumber, lines)) {
+                continue; // Skip - header value is sanitized
+            }
+            // Check for path validation on file system sinks
+            const isFileSink = pattern.name.includes('file path') || pattern.name.includes('fs operation') ||
+                pattern.name.includes('path.join');
+            if (isFileSink && isPathValidated(content, lineNumber, lines)) {
+                continue; // Skip - path is validated
+            }
+            // Check for SQL parameterization
+            const isSQLSink = pattern.sinkType === 'sql_builder';
+            if (isSQLSink && isSQLParameterized(lineContent, surroundingContext)) {
+                continue; // Skip - SQL is parameterized or uses allowlist
+            }
+            // Check for shell allowlist
+            const isShellSink = pattern.sinkType === 'shell_command';
+            if (isShellSink && isShellAllowlisted(content, lineNumber, lines)) {
+                continue; // Skip - shell command uses allowlist
+            }
+            // Check for import allowlist
+            const isImportSink = pattern.name.includes('import') || pattern.name.includes('require');
+            if (isImportSink && isImportAllowlisted(content, lineNumber, lines)) {
+                continue; // Skip - import uses allowlist
+            }
+            // Check for template engine safety (autoescape, sanitization)
+            const isTemplateEngineSink = pattern.name.includes('EJS') || pattern.name.includes('Handlebars') ||
+                pattern.name.includes('Pug') || pattern.name.includes('Nunjucks') || pattern.name.includes('Jinja2') ||
+                pattern.name.includes('Mustache');
+            if (isTemplateEngineSink && isTemplateSafe(content, lineNumber, lines)) {
+                continue; // Skip - template engine has safe configuration
+            }
+            // Check for NoSQL query safety
+            const isNoSQLSink = pattern.name.includes('NoSQL') || pattern.name.includes('MongoDB') ||
+                pattern.name.includes('$where');
+            if (isNoSQLSink && isNoSQLSafe(content, lineNumber, lines)) {
+                continue; // Skip - NoSQL query is validated
+            }
+            // Check for regex safety (ReDoS protection)
+            const isRegexSink = pattern.name.includes('regex') || pattern.name.includes('RegExp');
+            if (isRegexSink && isRegexSafe(content, lineNumber, lines)) {
+                continue; // Skip - regex has safety measures
+            }
+            // Check for Python-specific safe patterns
+            const isPythonSink = pattern.name.includes('Python') || pattern.name.includes('pickle') ||
+                pattern.name.includes('subprocess') || pattern.name.includes('os.system');
+            if (isPythonSink && isPythonSafe(lineContent, surroundingContext)) {
+                continue; // Skip - Python code uses safe patterns
+            }
+            // Check for ast.literal_eval (Python safe eval) - this is a safe alternative to eval()
+            // It matches the eval pattern because literal_eval contains "eval("
+            if (pattern.name.includes('eval') && /ast\.literal_eval\s*\(/i.test(lineContent)) {
+                continue; // Skip - ast.literal_eval is safe, only evaluates literals
+            }
+            // Check URL validation level for severity adjustment
+            const hasURLValid = isNetworkSink ? getURLValidationLevel(content, lineNumber, lines) !== 'none' : false;
+            // Combine validation checks (URL validation counts as validation for network sinks)
+            const effectiveValidation = hasValidation || hasURLValid;
+            // Calculate final severity
+            const severity = calculateSeverity(pattern.baseSeverity, pattern.sinkType, isSandboxed, effectiveValidation, isTestFile, isExample, isLibrary);
+            // Build description with context
+            let description = pattern.description;
+            if (isSandboxed) {
+                description += ' (Sandbox detected - risk somewhat mitigated.)';
+            }
+            if (hasValidation) {
+                description += ' (Some validation detected nearby.)';
+            }
+            if (hasURLValid && !hasValidation) {
+                description += ' (URL validation detected nearby.)';
+            }
+            if (isTestFile) {
+                description += ' (In test file.)';
+            }
+            else if (isExample) {
+                description += ' (In example/demo directory - tutorial code.)';
+            }
+            else if (isLibrary) {
+                description += ' (Library code - consumers add restrictions.)';
+            }
+            // Skip info-level in non-LLM files to reduce noise
+            if (severity === 'info' && !isLLMFile)
+                continue;
+            vulnerabilities.push({
+                id: `ai-exec-${filePath}-${lineNumber}-${pattern.sinkType}`,
+                filePath,
+                lineNumber,
+                lineContent,
+                severity,
+                category: 'ai_unsafe_execution',
+                title: pattern.name,
+                description,
+                suggestedFix: pattern.suggestedFix,
+                confidence: hasLLMContext ? 'high' : 'medium',
+                layer: 2,
+                source: 'ai_code',
+                requiresAIValidation: severity !== 'info' && severity !== 'low',
+                baseConfidence: BASE_CONFIDENCE,
+            });
+        }
+    }
+    return vulnerabilities;
+}
+//# sourceMappingURL=execution-sinks.js.map