October 2025 change log

This change log includes updates to detectors made in October 2025.


Added and updated rules

Python

LLM Security Vulnerabilities

Added comprehensive protection for AI-powered applications by implementing new detection rules for Python applications integrating large language models:

  • Python-prompt-injection-vulnerability
    Detects malicious prompt injection attacks that attempt to manipulate AI model behavior, bypass safety controls, or extract unauthorized information through crafted user inputs.

  • Python-llm-improper-output-handling
    Identifies insufficient validation and sanitization of LLM-generated content before processing or display, preventing execution of malicious code or scripts embedded in model responses.

  • Python-system-prompt-leakage-vulnerability
    Detects potential exposure of internal system prompts, instructions, or configuration details that could compromise AI system security and reveal proprietary information.

  • Python-llm-unbounded-consumption
    Identifies patterns that could lead to resource exhaustion through excessive token consumption, API calls, or processing time, preventing denial-of-service attacks and cost escalation.
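The two output-side rules above (improper output handling and unbounded consumption) describe the defensive pattern rather than showing it. The following Python is an added example, not code from the detector library or the rules' documentation: it treats a model response as untrusted input that is parsed into a fixed schema and escaped before storage, and it caps what a caller may spend in tokens. The JSON responses and the four-characters-per-token estimate are constructed assumptions; no model is called.

```python
"""Added example: handle LLM output as untrusted data and bound token spend.
The model responses below are constructed strings; nothing calls a provider."""
import html
import json
import re
from typing import Any

MAX_RESPONSE_CHARS = 2_000          # hard cap applied before any parsing
ALLOWED_KEYS = {"summary", "tags"}  # the only fields the application consumes
ALLOWED_TAG = re.compile(r"^[a-z0-9-]{1,32}$")


# --- improper output handling -----------------------------------------------
def parse_model_response(raw: str) -> dict[str, Any]:
    """Validate a model response into a bounded, typed result.

    The text is never executed, rendered as HTML, or passed to a shell: it is
    parsed as JSON, restricted to known keys, and type-checked field by field.
    Anything that does not conform raises ValueError.
    """
    if len(raw) > MAX_RESPONSE_CHARS:
        raise ValueError("response too long")
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError("response is not valid JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("response must be a JSON object")
    unexpected = set(data) - ALLOWED_KEYS
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    summary = data.get("summary", "")
    tags = data.get("tags", [])
    if not isinstance(summary, str) or not isinstance(tags, list):
        raise ValueError("wrong field types")
    if not all(isinstance(t, str) and ALLOWED_TAG.match(t) for t in tags):
        raise ValueError("tag outside allowed character set")
    # Escape now so the value stays inert even if a later template renders it
    # without auto-escaping; the escaped text is stored as data, never evaluated.
    return {"summary": html.escape(summary), "tags": tags}


def safe_parse(raw: str) -> tuple[bool, Any]:
    """Convenience wrapper: (True, payload) on success, (False, reason) otherwise."""
    try:
        return True, parse_model_response(raw)
    except ValueError as exc:
        return False, str(exc)


# --- unbounded consumption --------------------------------------------------
class TokenBudget:
    """Per-caller budget that refuses further model calls once it is spent."""

    def __init__(self, max_completion_tokens: int, max_total_tokens: int) -> None:
        self.per_request = max_completion_tokens
        self.total = max_total_tokens
        self.used = 0

    def reserve(self, prompt: str, max_prompt_chars: int = 4_000) -> int:
        """Return the max_tokens value to send with the next request.

        Raises ValueError for an oversized prompt and RuntimeError once the
        total budget is exhausted, so a runaway loop cannot keep spending.
        Assumption: the provider reports actual usage, which record() stores.
        """
        if len(prompt) > max_prompt_chars:
            raise ValueError("prompt exceeds size limit")
        remaining = self.total - self.used
        if remaining <= 0:
            raise RuntimeError("token budget exhausted")
        return min(self.per_request, remaining)

    def record(self, tokens_used: int) -> None:
        """Charge the tokens the provider reported for the completed request."""
        self.used += tokens_used


# Constructed sample responses: one conforming, one smuggling an extra field.
GOOD_RESPONSE = '{"summary": "Quarterly revenue <b>up</b> 4%", "tags": ["finance", "q3"]}'
BAD_RESPONSE = '{"summary": "ok", "tags": ["x"], "command": "ignored"}'

if __name__ == "__main__":
    print(safe_parse(GOOD_RESPONSE))
    print(safe_parse(BAD_RESPONSE))
    budget = TokenBudget(max_completion_tokens=256, max_total_tokens=600)
    for _ in range(3):
        grant = budget.reserve("summarise this document")
        budget.record(grant)
        print("granted", grant, "used", budget.used)
```

The shape to notice is that the model's text never reaches `eval`, `subprocess`, or an HTML sink directly; it is reduced to a dictionary of known keys with validated types, and the budget object turns a runaway loop into an exception rather than an invoice.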

Enhanced Coverage

Improved precision and recall performance by reducing false positives through better recognition of safe coding patterns:

  • python-cross-site-scripting-ide
    Enhanced to properly recognize framework auto-escaping in Django/Flask template rendering and plain text responses with non-HTML content types.

  • python-path-traversal-ide
    Enhanced to properly recognize path sanitization using os.path.basename() to strip directory components and static path configuration with hardcoded directory and file names.

  • python-incorrect-authorization
    Enhanced to properly recognize static configuration variables and constant declarations, and input validation that contains no authorization logic.
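The path-traversal entry above names the safe pattern the detector now accepts: strip directory components with os.path.basename() and join onto a fixed directory. The Python below is an added example, not code from the detector library; it implements that pattern and adds a realpath containment check as a caveat the basename step alone does not cover (a symlink inside the directory that points elsewhere). The directory layout and the file names it exercises are constructed for the example.

```python
"""Added example: map a user-supplied file name onto a fixed download directory.
Directories and files are created in a temporary location for the demo."""
import os
import tempfile


def resolve_download(base_dir: str, requested_name: str) -> str:
    """Return the absolute path to serve, or raise ValueError.

    os.path.basename() drops every directory component, so "../../etc/passwd"
    becomes "passwd" and the joined path can only name a direct child of
    base_dir. The realpath comparison is the extra check: it rejects entries
    inside base_dir that are symlinks resolving outside it. Whether the file
    exists is left to the caller.
    """
    safe_name = os.path.basename(requested_name)
    if not safe_name or safe_name in (".", ".."):
        raise ValueError("empty or reserved file name")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, safe_name))
    if os.path.dirname(candidate) != base_real:
        raise ValueError("resolved path escapes the download directory")
    return candidate


def demo() -> dict[str, str]:
    """Exercise the function against four constructed inputs.

    Returns a label -> outcome mapping ("allowed:<name>" or "rejected:<reason>")
    so the behaviour can be checked without inspecting printed output.
    """
    results: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as downloads, tempfile.TemporaryDirectory() as elsewhere:
        open(os.path.join(downloads, "report.pdf"), "w").close()
        # A symlink inside the download directory pointing somewhere else:
        # basename() alone would accept "link", the realpath check does not.
        os.symlink(os.path.join(elsewhere, "secret"), os.path.join(downloads, "link"))
        cases = [
            ("plain", "report.pdf"),
            ("traversal", "../../etc/passwd"),
            ("dotdot", "docs/.."),
            ("symlink", "link"),
        ]
        for label, name in cases:
            try:
                path = resolve_download(downloads, name)
                results[label] = "allowed:" + os.path.basename(path)
            except ValueError as exc:
                results[label] = "rejected:" + str(exc)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:10s} {outcome}")
```

Note that the traversal input is not rejected but neutralised: after basename() it names a file called `passwd` inside the download directory, which is exactly the property the detector is looking for when it stops flagging this code.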


Java

S3 Security Enhancement

Added java-s3-putobject-contentlength-mismatch rule to detect hardcoded content length when uploading files to S3. The rule helps avoid silent data truncation and ensure data integrity during file uploads.

Enhanced Coverage

Improved precision and recall performance by reducing false positives through better recognition of safe coding patterns:

  • java-log-injection-ide
    Enhanced to properly recognize SLF4J parameterized logging with {} placeholders that automatically escape parameters and system-controlled values like HTTP status codes.

  • java-path-traversal-ide
    Enhanced to properly recognize File.getName() usage that strips directory components and framework-provided path validation methods.

  • java-cross-site-scripting-ide
    Enhanced to properly recognize JSON API responses with automatic Spring serialization and type-safe operations using parseInt() validation.

  • java-avoid-string-formatting-in-logging
    Enhanced to properly recognize simple string concatenation without format specifiers and system-controlled values like configuration properties.


C#

Enhanced Coverage

Improved precision and recall performance by reducing false positives through better recognition of safe coding patterns:

  • csharp-sql-injection
    Enhanced to properly recognize parameterized queries using MySqlParameter objects with proper @ placeholders and static SQL queries with no user input or dynamic content.

  • csharp-mvc-missing-antiforgery
    Enhanced to properly recognize controllers using AutoValidateAntiforgeryToken attribute for CSRF protection and authentication-only endpoints that don't modify application state.


JavaScript

Enhanced Coverage

Improved precision and recall performance by reducing false positives through better recognition of safe coding patterns:

  • javascript-cross-site-scripting-ide
    Enhanced to properly recognize hardcoded string literals with no user input, DOM attribute manipulation using trusted values, and non-HTML contexts like RegExp constructor.

  • javascript-code-injection-ide
    Enhanced to properly recognize framework template compilation with sanitized expressions, setTimeout with function references, and static content assignment in controlled environments.

  • javascript-jsx-not-internationalized
    Enhanced to properly recognize mixed dynamic and static content where dynamic portions predominate and technical content with code examples.


TypeScript

Enhanced Coverage

Improved precision and recall performance by reducing false positives through better recognition of safe coding patterns:

  • typescript-no-sql-injection-ide
    Enhanced to properly recognize parameterized DynamoDB queries with expression attribute names and values, and type-safe object construction with validated inputs.

  • ts-log-injection-ide
    Enhanced to properly recognize structured logging frameworks with built-in JSON serialization protections and system-generated values like environment variables.

  • typescript-cross-site-scripting-ide
    Enhanced to properly recognize framework auto-escaping in React/Angular templates and test code with hardcoded values that are not rendered in the browser.


PHP

Enhanced Coverage

Improved precision and recall performance by reducing false positives through better recognition of safe coding patterns:

  • php-cross-site-scripting-ide
    Enhanced to properly recognize JSON API responses with proper Content-Type headers and file operations that don't write output to the browser.

  • php-codeigniter-sql-injection-ide
    Enhanced to properly recognize CodeIgniter Query Builder methods with automatic parameter escaping and parameterized queries with proper placeholder binding.

  • php-avoid-exit-die
    Enhanced to properly recognize HTTP redirect patterns with proper header termination and authentication guards with controlled response termination.


Disabled rules

The following rules were temporarily disabled due to high false-positive rates:

  • python-import-specific-module-from-library
  • python-log-injection-ide
  • java-generic-exception-throws
  • java-spring-4-shell
  • javascript-jsx-not-internationalized
  • javascript-missing-authorization
  • javascript-log-injection-ide
  • typescript-no-sql-injection-ide
  • shell-unquoted-variables
  • shell-literal-carriage-return
  • c-use-of-uninitialized-variable