# LLM Insecure Output Handling

- ID: python-llm-insecure-output-handling
- Severity: HIGH
- CWE: Code Injection (CWE-94)
- Languages: Python
- Frameworks: flask, django, fastapi

## Description

Detects LLM/AI outputs that are used directly in dangerous operations without proper validation or sanitization. OWASP LLM02 - Insecure Output Handling.

LLM outputs should be treated as untrusted input because:

- Prompt injection attacks can manipulate AI responses
- LLMs can hallucinate and produce unexpected outputs
- Model behavior may change between versions

Dangerous operations include:

- Code execution (eval, exec, compile)
- Command execution (os.system, subprocess)
- SQL queries (cursor.execute, raw queries)
- Template rendering (Jinja2, Django templates)
- File operations (open, write, unlink)
- Deserialization (pickle, yaml.load)

## Detection Message

LLM output flows directly to {sink} without validation. This allows prompt injection attacks to execute arbitrary operations.

## Remediation

Validate LLM outputs with Pydantic before using them in sensitive operations.

```python
import re

from pydantic import BaseModel, field_validator


class SearchResponse(BaseModel):
    terms: list[str]

    @field_validator("terms")
    @classmethod
    def validate_terms(cls, terms: list[str]) -> list[str]:
        # Allow-list each term; fullmatch avoids the trailing-newline quirk of re.match with '$'
        for term in terms:
            if not re.fullmatch(r"[a-zA-Z0-9\s]+", term):
                raise ValueError("Invalid search term")
        return terms


# `response` is the chat completion returned by the LLM client (Pydantic v2 API shown);
# model_validate_json rejects both malformed JSON and disallowed terms
validated = SearchResponse.model_validate_json(response.choices[0].message.content)
```

Learn more: https://shoulder.dev/learn/python/cwe-94/llm-insecure-output-handling

## Related Rules

- **Code Injection via os/exec** [CRITICAL]
- **LLM Insecure Output Handling** [HIGH]
- **Server-Side Template Injection** [CRITICAL]
- **Code Injection via eval() and Function constructor** [CRITICAL]
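The following is an added example, not part of the rule's own documentation: it carries the validated `SearchResponse` through to the SQL sink named above, binding the terms as query parameters and rejecting two constructed model replies (one with injected characters, one that ignored the JSON instruction). The table, rows, allow-list pattern and sample outputs are all constructed for the example.

```python
import re
import sqlite3
from pydantic import BaseModel, ValidationError, field_validator

# Allow-list for one search term (hypothetical policy chosen for this example)
TERM_RE = re.compile(r"[a-zA-Z0-9 ]{1,64}")


class SearchResponse(BaseModel):
    terms: list[str]

    @field_validator("terms")
    @classmethod
    def validate_terms(cls, terms: list[str]) -> list[str]:
        # fullmatch, not match: '$' would still accept a term ending in a newline
        for term in terms:
            if not TERM_RE.fullmatch(term):
                raise ValueError(f"disallowed search term: {term!r}")
        return terms


def run_search(conn: sqlite3.Connection, llm_output: str) -> list[str]:
    """Validate raw model text, then query using only bound parameters."""
    try:
        parsed = SearchResponse.model_validate_json(llm_output)  # also rejects non-JSON prose
    except ValidationError as exc:
        raise ValueError(f"LLM output rejected: {exc.errors()[0]['msg']}") from exc
    placeholders = ",".join("?" * len(parsed.terms))  # one '?' per term; values never interpolated
    rows = conn.execute(
        f"SELECT name FROM products WHERE name IN ({placeholders}) ORDER BY name",
        parsed.terms,
    ).fetchall()
    return [row[0] for row in rows]


def make_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)", [("laptop",), ("mouse",), ("monitor",)])
    return conn


# Constructed stand-ins for response.choices[0].message.content
GOOD_OUTPUT = '{"terms": ["laptop", "mouse"]}'
INJECTED_OUTPUT = '{"terms": ["laptop; DROP TABLE products"]}'  # hostile text inside the reply
PROSE_OUTPUT = "Sure! Here are your terms: laptop, mouse"  # model ignored the JSON instruction

if __name__ == "__main__":
    db = make_demo_db()
    print(run_search(db, GOOD_OUTPUT))  # ['laptop', 'mouse']
    for bad in (INJECTED_OUTPUT, PROSE_OUTPUT):
        try:
            run_search(db, bad)
        except ValueError as err:
            print(err)
```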