# Inclusion of Functionality from Untrusted Control Sphere (CWE-829)

The product imports, requires, or includes executable functionality from a source that is outside of the intended control sphere.

- Prevalence: High (frequently exploited)
- Impact: High (3 high-severity rules)
- Prevention: Documented (4 fix examples)

**OWASP:** Software and Data Integrity Failures (A08:2021) - #8

## Description

When software includes functionality from a source it does not control (third-party scripts, externally hosted modules, model weights or container images pulled from a registry, code fetched from a URL), whoever controls or compromises that source controls what the application executes. Anything planted there, whether through a hijacked domain, a compromised CDN or package/model repository, a mutable tag re-pointed at a new artifact, or a man-in-the-middle on a plaintext fetch, runs with the same privileges as the application itself.

## Prevention

Prevention strategies for CWE-829, derived from the 4 Shoulder detection rules listed below.

### Go

Use an allowlist of permitted models, verify integrity with checksums before loading, and fetch models over HTTPS only.

### Node.js

Use an allowlist of permitted models and verify integrity with checksums before loading.

### Kubernetes

Pin container images to specific version tags or, better, to immutable `@sha256` digests for reproducible deployments. A tag can be re-pointed by anyone with push access to the registry; a digest cannot.

### Python

Use `weights_only=True` with `torch.load` (the default since PyTorch 2.6; pass it explicitly on older versions), avoid `trust_remote_code=True`, and maintain a model allowlist.

## Warning Signs

- [HIGH] Potential supply chain vulnerability: ...
- [HIGH] supply chain vulnerabilities in AI/LLM implementations such as untrusted model sources or dynamic model loading
- [HIGH] potential supply chain vulnerabilities in AI/LLM implementations
- [MEDIUM] Container image uses 'latest' tag or no tag.
## Consequences

- Execute Unauthorized Code
- Read Application Data
- Modify Application Data

## Mitigations

- Only include code from trusted, verified sources
- Pin dependencies, container images and model artifacts to an exact version plus a hash or digest, and verify the hash before use
- Use Subresource Integrity (SRI) for external scripts
- Implement Content Security Policy (CSP) to restrict the sources of executable code

## Detection

- Total rules: 4
- Languages: go, javascript, typescript, yaml, python

## Rules by Language

### Go (1 rule)

- **LLM Supply Chain Vulnerabilities** [HIGH]: Detects supply chain vulnerabilities in AI/LLM implementations such as untrusted model sources or dynamic model loading.
  - Remediation: Use an allowlist for permitted models and verify integrity with checksums.

```go
// Reject any model identifier that is not an allowlisted key before it
// reaches the filesystem or the network.
if _, ok := allowedModels[modelID]; !ok {
    return errors.New("model not in allowlist")
}
```

Learn more: https://shoulder.dev/learn/go/cwe-829/llm-supply-chain

### Javascript (1 rule)

- **LLM Supply Chain Vulnerabilities** [HIGH]: Detects potential supply chain vulnerabilities in AI/LLM implementations. OWASP LLM05 - Supply Chain Vulnerabilities.

  Supply chain attacks in AI can occur through:
  - Loading models from untrusted sources
  - Using unverified model weights or configurations
  - Third-party plugins/tools without integrity verification
  - Compromised training data sources
  - Insecure model serialization formats

  This rule detects:
  - Dynamic model loading from user input
  - Models loaded from HTTP (not HTTPS)
  - Missing integrity verification for model files
  - Pickle/unsafe deserialization of model data

  - Remediation: Use allowlists for permitted models and verify integrity with checksums.
```javascript
// The model ID may come from user input, but the lookup table is fixed in code,
// so an attacker cannot steer the load toward an arbitrary path or URL.
if (!ALLOWED_MODELS[modelId]) {
  throw new Error('Model not in allowlist');
}
// loadVerifiedModel checks the file's checksum against the pinned value before deserializing.
const model = await loadVerifiedModel(modelId);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-829/llm-supply-chain

### Typescript (1 rule)

- **LLM Supply Chain Vulnerabilities** [HIGH]: Same rule, detection criteria, remediation and example as the Javascript entry above.

Learn more: https://shoulder.dev/learn/javascript/cwe-829/llm-supply-chain

### Yaml (1 rule)

- **Container Using Latest Tag** [MEDIUM]: Detects container images using the 'latest' tag or no tag.
  - Remediation: Use specific image tags for production; for an immutable pin, add the `@sha256` digest as well, since a tag can be re-pointed at a different image.

```yaml
containers:
  - name: app
    # Pinned to an exact release. 'latest' (or no tag) resolves to whatever
    # was pushed most recently, so two deployments can run different code.
    image: nginx:1.21.6-alpine
```

Learn more: https://shoulder.dev/learn/kubernetes/cwe-829/image-latest-tag

### Python (1 rule)

- **LLM Supply Chain Vulnerabilities** [HIGH]: Detects potential supply chain vulnerabilities in AI/LLM implementations. OWASP LLM05 - Supply Chain Vulnerabilities.
  Supply chain attacks in AI can occur through:
  - Loading models from untrusted sources
  - Using pickle for model serialization (RCE risk)
  - `trust_remote_code=True` in HuggingFace, which executes Python shipped in the model repository
  - Compromised training data sources
  - Third-party plugins without verification

  - Remediation: Use `weights_only=True` with `torch.load()` or the SafeTensors format.

```python
import torch
from safetensors.torch import load_model

# Safe: weights_only=True restricts unpickling to tensors and primitive types, so a
# malicious checkpoint cannot run arbitrary code on load. (Default since PyTorch 2.6;
# pass it explicitly on older versions.) The result is a state dict, not a module.
state_dict = torch.load('model.pt', weights_only=True)

# Even safer: SafeTensors is a plain tensor container with no code-execution path.
# `model` is an nn.Module built from your own architecture code; only its weights
# come from the file. Neither option checks provenance, so pair either one with a
# model allowlist and a checksum of the file.
load_model(model, 'model.safetensors')
```

Learn more: https://shoulder.dev/learn/python/cwe-829/llm-supply-chain
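The rules above each fix one symptom (a missing allowlist, a plaintext origin, an unverified file, an unsafe format). The following Python is an added example, not Shoulder's code or any rule's output, that puts the Go/Node.js and Python remediations together in one loader: the model ID selects an allowlist entry, the entry's origin must be HTTPS on an allowlisted host, the file's SHA-256 must match the pinned value, and only then is the file handed to a deserializer that cannot execute code. The model ID, host and weight bytes are constructed for the demonstration; `load_model_weights` assumes the `safetensors` and `torch` packages are installed and is the only step that needs them, so the checks can be exercised without a GPU stack.

```python
"""Verified model loading: allowlist + HTTPS-only origin + SHA-256 pin before deserialization."""
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlparse


class ModelSupplyChainError(Exception):
    """Raised when a model fails the allowlist, origin, or integrity check."""


# Constructed stand-in for a weights file; a real entry pins the hash of the published artifact.
SAMPLE_WEIGHTS = b"\x28\x00\x00\x00\x00\x00\x00\x00" + b'{"__metadata__":{"demo":"constructed"}}'

# Hypothetical allowlist, committed with the application and reviewed like a lockfile:
# model ID -> pinned HTTPS origin and expected SHA-256 of the file.
ALLOWED_MODELS = {
    "classifier-v3": {
        "url": "https://models.example.internal/classifier-v3.safetensors",
        "sha256": hashlib.sha256(SAMPLE_WEIGHTS).hexdigest(),
    },
}
ALLOWED_HOSTS = {"models.example.internal"}  # hypothetical internal artifact host


def resolve_model(model_id: str) -> dict:
    """Allowlist lookup: user input may pick a model ID but never supplies a path or URL."""
    entry = ALLOWED_MODELS.get(model_id)
    if entry is None:
        raise ModelSupplyChainError(f"model not in allowlist: {model_id!r}")
    return entry


def check_origin(url: str) -> str:
    """Refuse plaintext HTTP and hosts outside the allowlist (blocks MITM and redirect swaps)."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ModelSupplyChainError(f"model origin must use HTTPS: {url}")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ModelSupplyChainError(f"model host not allowlisted: {parts.hostname}")
    return url


def sha256_file(path: str) -> str:
    """Stream the file so multi-GB weight files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_model_file(model_id: str, path: str) -> str:
    """Return `path` only if it belongs to an allowlisted model and its hash matches the pin."""
    entry = resolve_model(model_id)
    check_origin(entry["url"])
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, entry["sha256"]):
        raise ModelSupplyChainError(f"checksum mismatch for {model_id}: {actual}")
    return path


def load_model_weights(model_id: str, path: str) -> dict:
    """Deserialize only after verification, and only via a format with no code-execution path.

    Assumes `safetensors` and `torch` are installed; imported late so the checks above
    run without them. safetensors.torch.load_file returns a dict of tensors and never unpickles.
    """
    verified = verify_model_file(model_id, path)
    from safetensors.torch import load_file
    return load_file(verified)


def demo() -> dict:
    """Run the gate over constructed files: a good file, a tampered one, an unknown ID, an HTTP origin."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.safetensors")
        with open(good, "wb") as fh:
            fh.write(SAMPLE_WEIGHTS)
        results["valid"] = "ok" if verify_model_file("classifier-v3", good) == good else "unexpected"

        bad = os.path.join(tmp, "bad.safetensors")
        with open(bad, "wb") as fh:
            fh.write(SAMPLE_WEIGHTS + b"\x00")  # one appended byte stands in for a swapped artifact
        for key, attempt in (
            ("tampered", lambda: verify_model_file("classifier-v3", bad)),
            ("unknown", lambda: verify_model_file("../evil", good)),
            ("http", lambda: check_origin("http://models.example.internal/classifier-v3.safetensors")),
        ):
            try:
                attempt()
                results[key] = "unexpected: accepted"
            except ModelSupplyChainError as exc:
                results[key] = str(exc)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:9s} {outcome}")
```

The order matters: the allowlist and origin checks run before any bytes are fetched, and the checksum runs before any deserializer sees the file, so a compromised host or a re-pointed artifact is rejected without ever reaching `torch` or `pickle`. `hmac.compare_digest` is used for the hash comparison so the check does not leak the expected digest through timing.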