# LLM Sensitive Information Disclosure

- ID: javascript-llm-sensitive-info-disclosure
- Severity: HIGH
- CWE: Information Exposure (CWE-200)
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify, nodejs

## Description

Detects potential sensitive information disclosure in AI/LLM implementations (OWASP Top 10 for LLM Applications, LLM06: Sensitive Information Disclosure).

Sensitive information can leak through:

- PII (Personally Identifiable Information) in prompts
- Credentials or secrets in prompts or system messages
- Sensitive business data sent to third-party LLM APIs
- Logging of LLM conversations that contain sensitive data
- LLM responses returned to callers without filtering

This rule detects:

- Sensitive data patterns in LLM prompts
- Credentials passed to AI APIs
- Logging of LLM conversations
- Database queries in prompts
- PII patterns in messages

## Detection Message

Potential sensitive information disclosure: {issue_type}

## Remediation

Mask or redact PII and credentials before the data is sent to an LLM API, and log only the redacted form, never the original prompt. The API key itself belongs in the client configuration (environment variable), not in any message.

```javascript
import OpenAI from 'openai';

const openai = new OpenAI(); // reads OPENAI_API_KEY from the environment

// maskPII is the application's redaction helper: it replaces emails, phone
// numbers, card numbers, keys and similar values with placeholders.
const masked = maskPII(userInput);
const response = await openai.chat.completions.create({
  model: process.env.OPENAI_MODEL, // whichever model your deployment uses
  messages: [{ role: 'user', content: masked }],
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-200/llm-sensitive-info-disclosure

## Related Rules

- **Environment Variable Secret Exposure** [HIGH]
- **LLM Model Theft** [HIGH]
- **Sensitive Field Exposure in API Response** [CRITICAL]
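## Worked Example

The Remediation section above calls a `maskPII` helper without showing what it does. The following is an added example written for this page, not code from the rule or from any project, of one way to implement that helper in Node.js and to apply it to a whole chat request. The pattern list, the placeholder masks, the `redactText`, `sanitizeMessages` and `auditSummary` names, the policy of aborting when a credential is found, and the sample conversation are all illustrative assumptions; real deployments extend the patterns to the identifiers they actually handle.

```javascript
// Added example: redact PII and credentials from chat messages before they
// leave the process, and record only the *kind* of thing redacted so that
// logs stay clean. Not part of the rule or any project; the pattern list,
// masks and function names below are illustrative assumptions.

// Luhn check keeps the card pattern from masking arbitrary 13-19 digit runs.
function luhnOk(candidate) {
  const digits = candidate.replace(/\D/g, '');
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Order matters: credentials first, then long digit runs (cards), then
// shorter identifiers, so one pattern cannot swallow part of another.
const PATTERNS = [
  { type: 'aws_access_key_id', credential: true, re: /\bAKIA[0-9A-Z]{16}\b/g, mask: '[AWS_ACCESS_KEY]' },
  { type: 'api_key', credential: true, re: /\bsk-[A-Za-z0-9_-]{20,}\b/g, mask: '[API_KEY]' },
  { type: 'bearer_token', credential: true, re: /\bBearer\s+[A-Za-z0-9._~+\/-]{16,}=*/g, mask: 'Bearer [TOKEN]' },
  { type: 'credit_card', re: /(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)/g, mask: '[CARD]', validate: luhnOk },
  { type: 'ssn', re: /\b\d{3}-\d{2}-\d{4}\b/g, mask: '[SSN]' },
  { type: 'email', re: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g, mask: '[EMAIL]' },
  { type: 'phone', re: /(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)/g, mask: '[PHONE]' },
];

// Redact one string. Returns the masked text plus the pattern types that fired.
function redactText(text) {
  const findings = [];
  let out = text;
  for (const p of PATTERNS) {
    out = out.replace(p.re, (match) => {
      if (p.validate && !p.validate(match)) return match; // e.g. 16 digits that fail Luhn
      findings.push(p.type);
      return p.mask;
    });
  }
  return { text: out, findings };
}

// Drop-in for the maskPII(...) call in the remediation snippet.
const maskPII = (text) => redactText(text).text;

const CREDENTIAL_TYPES = new Set(PATTERNS.filter((p) => p.credential).map((p) => p.type));

// Sanitize a whole chat request. A credential inside a prompt is a bug in the
// calling code rather than user data to mask, so by default it aborts the call
// instead of silently sending a redacted prompt to a third party.
function sanitizeMessages(messages, { failOnCredential = true } = {}) {
  const report = [];
  const sanitized = messages.map((m) => {
    const { text, findings } = redactText(m.content);
    for (const type of findings) report.push({ role: m.role, type });
    return { ...m, content: text };
  });
  const leaked = report.filter((f) => CREDENTIAL_TYPES.has(f.type));
  if (failOnCredential && leaked.length > 0) {
    const where = leaked.map((f) => `${f.role}:${f.type}`).join(', ');
    throw new Error(`refusing to send credential(s) to LLM API: ${where}`);
  }
  return { messages: sanitized, report };
}

// Safe to log: categories and counts only, never the original content.
function auditSummary(report) {
  const counts = {};
  for (const f of report) counts[f.type] = (counts[f.type] || 0) + 1;
  return counts;
}

// Constructed sample conversation (not real data).
const sample = [
  { role: 'system', content: 'You are a billing support assistant.' },
  { role: 'user', content: 'I am alice@example.com, call (415) 555-0123. Card 4111 1111 1111 1111 was charged twice; order ref 1234 5678 9012 3456.' },
];
const { messages: safeMessages, report } = sanitizeMessages(sample);
console.log(JSON.stringify(safeMessages, null, 2));      // what actually goes to the API
console.log('redaction summary:', auditSummary(report)); // log this, never `sample`
```

Two design points are worth noting. The Luhn validation shows why raw regexes alone over-match: the 16-digit order reference in the sample is left intact while the card number is masked. And the distinction between PII (masked, request continues) and credentials (request aborted by default) reflects the rule's two different findings: PII in a prompt is expected input that must be redacted, whereas a key or token in a prompt means the application itself is leaking a secret and should fail loudly rather than ship a half-redacted request.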