# Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

**Stack:** JavaScript

- Prevalence: Wysoka Często wykorzystywana
- Impact: Wysoki 3 reguł o wysokim poziomie
- Prevention: Udokumentowane 3 przykładów poprawek

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

Software has certain assumptions about what constitutes data and control. Injection problems occur when these assumptions are violated. Attackers exploit this by inserting special characters or instructions that modify the intended interpretation.

## Prevention

Strategie zapobiegania dla Injection oparte na 1 regułach detekcji Shoulder.

### JavaScript

Use system prompts with strict boundaries, sanitize and limit user input before including in AI prompts

## Warning Signs

- [HIGH] user input flowing directly into AI/LLM prompts without sanitization

## Consequences

- Wykonanie nieautoryzowanego kodu
- Odczyt danych aplikacji
- Modyfikacja danych aplikacji
- Obejście mechanizmu ochrony

## Mitigations

- Stosuj sparametryzowane interfejsy oddzielające kod od danych
- Waliduj i koduj wszystkie wejścia przed użyciem ich w komponentach docelowych
- Tam, gdzie to możliwe, stosuj listy dozwolone do walidacji wejścia

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Javascript (1 rules)

- **Prompt Injection via Untrusted Input** [HIGH]: Detects user input flowing directly into AI/LLM prompts without sanitization.
  - Remediation: Use system prompts and sanitize user input with length limits before including in prompts.

```javascript
const sanitized = userInput.substring(0, 500);
const messages = [
  { role: 'system', content: 'Answer only about products.' },
  { role: 'user', content: sanitized }
];
```

Learn more: https://shoulder.dev/learn/javascript/cwe-74/prompt-injection

### Typescript (1 rules)

- **Prompt Injection via Untrusted Input** [HIGH]: Detects user input flowing directly into AI/LLM prompts without sanitization.
  - Remediation: Use system prompts and sanitize user input with length limits before including in prompts.

```javascript
const sanitized = userInput.substring(0, 500);
const messages = [
  { role: 'system', content: 'Answer only about products.' },
  { role: 'user', content: sanitized }
];
```

Learn more: https://shoulder.dev/learn/javascript/cwe-74/prompt-injection