# Inclusion of Functionality from Untrusted Control Sphere (CWE-829)

The product imports, requires, or includes executable functionality from a source that is outside of the intended control sphere.

**Stack:** Go

- Prevalence: उच्च बार-बार शोषित
- Impact: उच्च 3 उच्च गंभीरता वाले नियम
- Prevention: प्रलेखित 4 फिक्स उदाहरण

**OWASP:** Vulnerable and Outdated Components (A06:2021-Vulnerable and Outdated Components) - #6

## Description

When software includes functionality from untrusted sources (such as third-party scripts, external modules, or code from untrusted URLs), attackers can inject malicious code that will be executed with the same privileges as the application.

## Prevention

1 Shoulder डिटेक्शन नियमों पर आधारित Inclusion of Untrusted Functionality के लिए रोकथाम रणनीतियाँ।

### Go

Use an allowlist for permitted models, verify integrity with checksums, and load models over HTTPS only

## Warning Signs

- [HIGH] Potential supply chain vulnerability: ...
- [HIGH] supply chain vulnerabilities in AI/LLM implementations such as untrusted model sources or dynamic mo

## Consequences

- अनधिकृत कोड निष्पादित करना
- एप्लिकेशन डेटा पढ़ना
- एप्लिकेशन डेटा संशोधित करना

## Mitigations

- केवल विश्वसनीय, सत्यापित स्रोतों से कोड शामिल करें
- बाहरी स्क्रिप्ट्स के लिए Subresource Integrity (SRI) का उपयोग करें
- निष्पादन योग्य कोड के स्रोतों को सीमित करने के लिए Content Security Policy (CSP) लागू करें

## Detection

- Total rules: 4
- Languages: go, javascript, typescript, yaml, python

## Rules by Language

### Go (1 rules)

- **LLM Supply Chain Vulnerabilities** [HIGH]: Detects supply chain vulnerabilities in AI/LLM implementations such as untrusted model sources or dynamic model loading.
  - Remediation: Use an allowlist for permitted models and verify integrity with checksums.

```go
if _, ok := allowedModels[modelID]; !ok {
    return errors.New("model not in allowlist")
}
```

Learn more: https://shoulder.dev/learn/go/cwe-829/llm-supply-chain