require-output-validation
Requires validation of AI output before displaying to users.
📊 Rule Details
| Property | Value |
|---|---|
| Type | suggestion |
| Severity | 🟡 MEDIUM |
| OWASP LLM | LLM09: Misinformation |
| CWE | CWE-707: Improper Neutralization |
| CVSS | 5.0 |
| Config Default | off (recommended), error (strict) |
🔍 What This Rule Detects
This rule identifies code patterns where AI-generated output is displayed to users without validation or fact-checking.
❌ Incorrect Code
```javascript
// Direct AI output display
display(result.text);

// Unvalidated response content
render(response.content);

// AI output in object
respond({ message: result.text });
```
✅ Correct Code
```javascript
// Validated output
display(validateOutput(result.text));

// Fact-checked output
render(factCheck(response.content));

// Sanitized in object
respond({ message: sanitize(result.text) });
```
⚙️ Options
| Option | Type | Default | Description |
|---|---|---|---|
| displayPatterns | string[] | ['render', 'display', 'show', 'send'] | Patterns suggesting display operations |
| validatorFunctions | string[] | ['validate', 'verify', 'factCheck', 'sanitize'] | Functions that validate output |
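To show how the detection described above and the two options fit together, here is an added ESLint-style rule that is not the plugin's own source. It assumes an ESTree AST, exact matching for display names, substring matching for validator names (so validateOutput matches 'validate'), and treats a bare `.text` or `.content` member access as AI output; the `lint` helper runs the rule without ESLint.

```javascript
// Added example (not the plugin's own source): an ESLint-style rule applying this page's idea
// to ESTree nodes. Option names follow the page. Assumed matching: display names exactly,
// validator names by substring (validateOutput ~ validate); a bare `.text`/`.content` access is AI output.
const DEFAULT_DISPLAY = ['render', 'display', 'show', 'send'];
const DEFAULT_VALIDATORS = ['validate', 'verify', 'factCheck', 'sanitize'];
// `display(...)` -> "display", `ui.render(...)` -> "render", else null.
function calleeName(callee) {
  if (callee.type === 'Identifier') return callee.name;
  if (callee.type === 'MemberExpression' && !callee.computed) return callee.property.name;
  return null;
}
const isDisplay = (name, patterns) => name !== null && patterns.some((p) => p.toLowerCase() === name.toLowerCase());
const isValidator = (name, patterns) => name !== null && patterns.some((p) => name.toLowerCase().includes(p.toLowerCase()));
// 'unvalidated': bare `x.text`/`x.content`; 'validated': wrapped in a validator call; 'unknown':
// anything else, e.g. an unrecognised wrapper like checkContent(...) (the documented false negative).
function classify(value, validators) {
  if (value.type === 'CallExpression') {
    return isValidator(calleeName(value.callee), validators) ? 'validated' : 'unknown';
  }
  const prop = value.type === 'MemberExpression' && !value.computed ? value.property.name : '';
  return ['text', 'content'].includes(prop) ? 'unvalidated' : 'unknown';
}
// Values passed to the display call, including the property values of an object
// literal argument such as respond({ message: result.text }).
function displayedValues(args) {
  return args.flatMap((a) => a.type === 'ObjectExpression'
    ? a.properties.filter((p) => p.type === 'Property').map((p) => p.value) : [a]);
}
const rule = {
  meta: { type: 'suggestion', messages: { unvalidated: 'AI output displayed without validation' } },
  create(context) {
    const opts = context.options[0] || {};
    const displayPatterns = opts.displayPatterns || DEFAULT_DISPLAY;
    const validators = opts.validatorFunctions || DEFAULT_VALIDATORS;
    return {
      CallExpression(node) {
        if (!isDisplay(calleeName(node.callee), displayPatterns)) return;
        for (const v of displayedValues(node.arguments)) {
          if (classify(v, validators) === 'unvalidated') context.report({ node: v, messageId: 'unvalidated' });
        }
      },
    };
  },
};
// Run the rule on one CallExpression node without ESLint; returns the reports.
function lint(node, options = []) {
  const reports = [];
  rule.create({ options, report: (r) => reports.push(r) }).CallExpression(node);
  return reports;
}
```

With the default options `respond(...)` is not a recognised display name, so the object-argument case only fires once `displayPatterns` includes it; the same applies to `customRenderer.showContent`.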
🛡️ Why This Matters
Unvalidated AI output can:
- Spread misinformation - AI hallucinations presented as fact
- Cause harm - Medical, legal, financial misinformation
- Damage reputation - Incorrect information attributed to your brand
- Violate regulations - False claims in regulated industries
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Validation in Separate Module
Why: Validation logic in other files is not linked.
```javascript
// ❌ NOT DETECTED - Validation elsewhere
import { processOutput } from './output-handler'; // Has validation
display(processOutput(result.text));
```
Mitigation: Document validation requirements. Review output handlers.
Custom Display Functions
Why: Non-standard display functions may not be recognized.
```javascript
// ❌ NOT DETECTED - Custom display function
customRenderer.showContent(result.text); // Not in displayPatterns
```
Mitigation: Configure displayPatterns with custom function names.
Implicit Validation
Why: Validation logic that doesn't match a pattern is not recognized.
```javascript
// ❌ NOT DETECTED - Custom validation
display(checkContent(result.text)); // checkContent not in validatorFunctions
```
Mitigation: Configure validatorFunctions with custom names.
Streaming Output
Why: Streamed content is displayed incrementally.
```javascript
// ❌ NOT DETECTED - Streaming without validation
for await (const chunk of streamText({ ... })) {
  display(chunk.text); // Each chunk unvalidated
}
```
Mitigation: Validate streamed content before display.
📚 References
require-output-filtering
This rule identifies tool execute functions that return raw data from data sources (databases, APIs, file systems) without filtering potentially sensitive infor
require-rag-content-validation
This rule identifies code patterns where content retrieved from vector stores or document retrieval systems is used directly in AI prompts without validation.