require-request-timeout
Requires timeout configuration for AI SDK calls to prevent DoS.
📊 Rule Details
| Property | Value |
|---|---|
| Type | suggestion |
| Severity | 🟡 MEDIUM |
| OWASP LLM | LLM04: Model Denial of Service |
| CWE | CWE-400: Uncontrolled Resource Consumption |
| CVSS | 5.0 |
| Config Default | warn (recommended), error (strict) |
🔍 What This Rule Detects
This rule identifies AI SDK calls that don't have timeout or abort signal configuration.
❌ Incorrect Code
```javascript
// No timeout
await generateText({
  model: openai('gpt-4'),
  prompt: 'Hello',
});

// Missing timeout in stream
await streamText({
  model: openai('gpt-4'),
  prompt: userInput,
  maxTokens: 4096,
});
```
✅ Correct Code
```javascript
// With abort signal timeout
const controller = new AbortController();
setTimeout(() => controller.abort(), 30000);
await generateText({
  model: openai('gpt-4'),
  prompt: 'Hello',
  abortSignal: controller.signal,
});

// With timeout property
await streamText({
  model: openai('gpt-4'),
  prompt: userInput,
  timeout: 30000,
});
```
⚙️ Options
| Option | Type | Default | Description |
|---|---|---|---|
| allowInTests | boolean | true | Skip in test files |
🛡️ Why This Matters
Missing timeouts can cause:
- Denial of service - Requests hang indefinitely
- Resource exhaustion - Threads/connections blocked
- Cost explosion - Long-running requests accumulate costs
- Poor UX - Users wait forever
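As an added example (not from the rule's documentation or the AI SDK), the helper below implements the abort-signal pattern the rule enforces and also clears the timer once the call settles, so a fast response does not leave a dangling timeout behind. `fakeGenerateText` is a constructed stand-in for an SDK call such as `generateText` that honours `abortSignal`; `withRequestTimeout` and `runWithClassification` are hypothetical names.

```javascript
// Wraps any SDK-style call that accepts `abortSignal` in its options object:
// arms a timer, passes the signal, and always clears the timer afterwards.
function withRequestTimeout(sdkCall, options, timeoutMs) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  return sdkCall({ ...options, abortSignal: controller.signal })
    .finally(() => clearTimeout(timer));
}

// Constructed stand-in for an SDK call: resolves after `latencyMs`
// unless the abort signal fires first (mirrors how the SDK rejects on abort).
function fakeGenerateText({ prompt, latencyMs, abortSignal }) {
  return new Promise((resolve, reject) => {
    const abortError = () => {
      const err = new Error('request aborted');
      err.name = 'AbortError';
      return err;
    };
    // Edge case: signal already aborted before the call was made.
    if (abortSignal && abortSignal.aborted) return reject(abortError());
    const done = setTimeout(() => resolve({ text: `echo: ${prompt}` }), latencyMs);
    if (abortSignal) {
      abortSignal.addEventListener('abort', () => {
        clearTimeout(done);
        reject(abortError());
      }, { once: true });
    }
  });
}

// Distinguishes a timeout from other failures so callers can log/alert on it.
async function runWithClassification(latencyMs, timeoutMs) {
  try {
    const res = await withRequestTimeout(
      fakeGenerateText, { prompt: 'Hello', latencyMs }, timeoutMs);
    return { status: 'ok', text: res.text };
  } catch (err) {
    return { status: err.name === 'AbortError' ? 'timeout' : 'error' };
  }
}
```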
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Options from Variable
Why: Options stored in variables are not analyzed.
```javascript
// ❌ NOT DETECTED - Options from variable
const opts = { model: openai('gpt-4'), prompt: 'Hello' }; // No timeout
await generateText(opts);
```
Mitigation: Use inline options. Always specify timeout.
Wrapper Functions
Why: Custom wrappers may include timeout internally.
```javascript
// ❌ NOT DETECTED - Wrapper adds timeout
await myGenerateText(prompt); // Wrapper sets timeout
```
Mitigation: Apply rule to wrapper implementations.
External Timeout Management
Why: Timeout managed outside the call is not visible.
```javascript
// ❌ NOT DETECTED - Promise.race timeout
await Promise.race([
  generateText({ ... }),
  timeout(30000)
]);
```
Mitigation: Use built-in timeout/abort signal properties.
Framework-Level Timeouts
Why: Framework request timeouts are not linked.
```javascript
// ❌ NOT DETECTED (correctly) - Express timeout middleware
app.use(timeout(30000));
```
Mitigation: Document framework timeout handling.
📚 References
Error Message Format
The rule provides LLM-optimized error messages (compact 2-line format) with actionable security guidance:
```text
🔒 CWE-400 OWASP:A06 CVSS:7.5 | Uncontrolled Resource Consumption (ReDoS) detected | HIGH
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A06_2021/
```
Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-400 OWASP:A06 CVSS:7.5 |
| Issue Description | Specific vulnerability | Uncontrolled Resource Consumption (ReDoS) detected |
| Severity & Compliance | Impact assessment | HIGH |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |