# Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

**Stack:** Go

- Prevalence: Élevée Fréquemment exploitée
- Impact: Élevé 3 règles de sévérité élevée
- Prevention: Documentée 3 exemples de correctifs

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

Software has certain assumptions about what constitutes data and control. Injection problems occur when these assumptions are violated. Attackers exploit this by inserting special characters or instructions that modify the intended interpretation.

## Prevention

Stratégies de prévention pour Injection basées sur 1 règles de détection Shoulder.

### Go

Use structured prompts with clear system/user boundaries and sanitize user input

## Warning Signs

- [HIGH] User input flows to ... without sanitization
- [HIGH] user input flowing to LLM prompts without sanitization

## Consequences

- Exécuter du code non autorisé
- Lecture des données de l'application
- Modification des données de l'application
- Contourner le mécanisme de protection

## Mitigations

- Utilisez des interfaces paramétrées qui séparent le code des données
- Validez et encodez toute entrée avant son utilisation dans les composants en aval
- Utilisez des listes d'autorisation pour la validation des entrées chaque fois que possible

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rules)

- **AI Prompt Injection** [HIGH]: Detects user input flowing to LLM prompts without sanitization.
  - Remediation: Sanitize user input and use structured prompts with clear system/user boundaries.

```go
sanitized := sanitize(userInput)
messages := []openai.ChatCompletionMessage{
    {Role: "system", Content: systemPrompt},
    {Role: "user", Content: sanitized},
}
```

Learn more: https://shoulder.dev/learn/go/cwe-74/prompt-injection