Lines 446-486javascript
446 - Process spawning, shell execution
447 - Script evaluation, macro execution
448 - ANY operation that interprets data as system commands
449 - KEY QUESTION: Can external data influence what command runs?
450 - SAFE: Fixed commands with data passed only as arguments (no shell interpretation)
452**3. Output Rendering** (CWE-79) - Operations that render content to users:
453 - HTML response generation, template rendering
454 - JavaScript output, DOM manipulation
455 - ANY operation that sends data to be rendered by clients
456 - KEY QUESTION: Can external data inject executable content?
457 - SAFE: Properly escaped output, JSON responses, auto-escaping templates
459**4. File System Operations** (CWE-22) - Operations that access file paths:
460 - File read/write, directory creation
461 - Path construction, file inclusion
462 - ANY operation that uses paths from external data
463 - KEY QUESTION: Can external data escape intended directories?
464 - SAFE: Validated paths, canonicalization with prefix checks
466**5. Code Evaluation** (CWE-94) - Operations that interpret data as code:
467 - Dynamic code execution, eval(), script engines
468 - Reflection with external class names
LowEval
Package source references a known benign dynamic code generation pattern.
dist/llm/language-context.jsView on unpkg · L466 469 - ANY operation that compiles/interprets data
470 - KEY QUESTION: Can external data become executable code?
472**6. Deserialization** (CWE-502) - Operations that reconstruct objects from data:
473 - Object deserialization, unmarshalling
474 - ANY operation that creates objects from serialized data
475 - KEY QUESTION: Can external data instantiate arbitrary classes?
477**7. Directory/Query Injection** (CWE-90, CWE-643) - Operations on hierarchical data:
478 - LDAP queries, XPath expressions
479 - ANY operation that queries tree/directory structures
480 - KEY QUESTION: Can external data modify query structure?
482**8. Network Requests** (CWE-918) - Operations that make outbound requests:
483 - HTTP clients, URL fetching, API calls
484 - ANY operation where URL/host is from external data
485 - KEY QUESTION: Can external data control request destination?