require-output-filtering
This rule identifies tool execute functions that return raw data from data sources (databases, APIs, file systems) without filtering potentially sensitive infor
Requires filtering of sensitive data returned by AI tools.
📊 Rule Details
| Property | Value |
|---|---|
| Type | suggestion |
| Severity | 🟡 HIGH |
| OWASP Agentic | ASI04: Data Exfiltration |
| CWE | CWE-200: Information Exposure |
| CVSS | 6.5 |
| Config Default | warn (recommended), error (strict) |
🔍 What This Rule Detects
This rule identifies tool execute functions that return raw data from data sources (databases, APIs, file systems) without filtering potentially sensitive information.
❌ Incorrect Code
// Direct database query return
const tools = {
search: {
execute: async ({ sql }) => db.query(sql),
},
};
// Direct find operation
const tools = {
getUser: {
execute: async ({ id }) => users.findById(id),
},
};
// Raw fetch result
const tools = {
loadData: {
execute: async ({ url }) => fetchData(url),
},
};✅ Correct Code
// Filtered database results
const tools = {
search: {
execute: async ({ sql }) => filterSensitive(db.query(sql)),
},
};
// Sanitized user data
const tools = {
getUser: {
execute: async ({ id }) => sanitizeUserData(users.findById(id)),
},
};
// Filtered fetch result
const tools = {
loadData: {
execute: async ({ url }) => {
const data = await fetchData(url);
return removePII(data);
},
},
};⚙️ Options
| Option | Type | Default | Description |
|---|---|---|---|
dataSourcePatterns | string[] | ['query', 'find', 'select', 'fetch', 'get', 'read', 'load'] | Patterns suggesting data sources |
filterFunctions | string[] | ['filter', 'sanitize', 'redact', 'mask', 'clean'] | Functions considered safe filters |
🛡️ Why This Matters
Unfiltered tool output can expose:
- PII - Names, emails, addresses, SSNs
- Credentials - Passwords, tokens, API keys
- Internal data - Database IDs, internal URLs
- Business data - Financial records, contracts
🔗 Related Rules
no-sensitive-in-prompt- Prevent sensitive inputrequire-tool-schema- Validate tool inputs
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Filtering in Separate Function
Why: Filtering in called functions is not recognized.
// ❌ NOT DETECTED - Filtering in getData
const tools = {
getUser: {
execute: async ({ id }) => getUserSafe(id), // Filters internally
},
};Mitigation: Document filtering. Apply rule to data access functions.
Custom Data Source Methods
Why: Non-standard data methods may not be detected.
// ❌ NOT DETECTED - Custom method name
const tools = {
data: {
execute: async () => myCustomDb.retrieve(id), // Not in patterns
},
};Mitigation: Configure dataSourcePatterns with custom method names.
Chained Method Filtering
Why: Method chaining may hide filtering status.
// ❌ NOT DETECTED - Filter in chain
const tools = {
search: {
execute: async () => db.query(sql).sanitize().toJSON(),
},
};Mitigation: Use explicit filter function calls.
Dynamic Tool Execution
Why: Dynamic execute functions are not analyzed.
// ❌ NOT DETECTED - Dynamic execute
const tools = {
[name]: { execute: handlers[name] }, // Handler may not filter
};Mitigation: Review all dynamic handlers for filtering.
📚 References
require-max-tokens
This rule identifies AI SDK calls that don't specify a `maxTokens` limit. Without limits, AI responses can consume excessive tokens, leading to high costs and p
require-output-validation
This rule identifies code patterns where AI-generated output is displayed to users without validation or fact-checking.