JIT and Dynamic Code Rules

Detects unsafe just-in-time compilation, dynamic evaluation, and cache poisoning patterns in AI workloads.

Definition

The JIT rule family turns findings on this surface into actionable records with rule ID, severity, CWE, OWASP LLM mapping, owner, release decision, and retest command.

JIT features improve performance, but prompt-controlled or data-controlled code generation can turn model pipelines into execution surfaces.

Canonical help URL

Supported inputs

Python
JavaScript
CUDA
Triton
Numba
Torch compile caches

Typical attack scenarios

A prompt-controlled template reaches eval or compile.
A JIT cache is writable by untrusted users.
A dynamic kernel string is built from request data.

Detection logic

Sentinel ties JIT evidence to reproducible signals such as file path, metadata, opcode, AST node, manifest field, dependency, or archive entry. The same signal should disappear when the finding is closed.

Triage

Do not read JIT findings as scanner noise. Verify the evidence first, map the finding to a severity-based release decision, and then produce closure evidence with the same Sentinel command.

Operational checklist

Source: where did the file, manifest, prompt, archive, or dependency come from?
Impact: code execution, data leakage, supply chain, or resource consumption?
Control: allowlist, hash, sandbox, egress policy, or secret rotation?
Evidence: does the same rule category return clean after the fix?

Remediation

Remediation should change the risk boundary, not merely silence the finding: remove executable formats, pin source or hash, narrow tool permissions, rotate secrets, or add runtime sandboxing.

CI policy

sentinel-policy.yml

category: JIT
fail_on:
  - CRITICAL
  - HIGH
ticket_on:
  - MEDIUM
retest: "sentinel sast ./src/ --rule JIT"

Rule index

Rule ID	Severity	Title	CWE	Fix Hint
JIT-EVAL-COMPILE	HIGH	Dynamic eval or compile	CWE-95	Do not compile user-controlled strings.
JIT-DYNAMIC-KERNEL	HIGH	Dynamic Kernel Generation	CWE-94	Separate kernel code from runtime data.
JIT-CACHE-POISONING	MEDIUM	Writable JIT Cache	CWE-345	Protect compiled caches from untrusted writes.

JIT-EVAL-COMPILE — Dynamic eval or compile

HIGH

Rule ID	JIT-EVAL-COMPILE
Category	JIT
Severity	HIGH
CWE	CWE-95
OWASP LLM	LLM01 — Prompt Injection
FP Risk	MEDIUM
Owner	Application security and backend/agent owner
Release decision	Treat as a release gate; remediation or explicit risk acceptance is required.

Description

Detects eval, exec, Function, compile, or similar dynamic-code APIs reachable from model, prompt, or dataset inputs.

Why it matters

JIT features improve performance, but prompt-controlled or data-controlled code generation can turn model pipelines into execution surfaces.

When it fires

Sentinel fires this rule in the JIT category when it sees ast call nodes for dynamic execution apis with non-literal or externally derived arguments.. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

AST call nodes for dynamic execution APIs with non-literal or externally derived arguments.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is medium. Verify source, expected use, and owner first; add an allowlist if needed, but do not remove evidence from the report.

Triage

Operational checklist

Owner: Application security and backend/agent owner.
Decision: Treat as a release gate; remediation or explicit risk acceptance is required.
Evidence: AST call nodes for dynamic execution APIs with non-literal or externally derived arguments.
Closure: sentinel sast ./src/ --rule JIT must return clean output.

How to fix

Replace dynamic code with explicit operator maps and schema validation.

CLI

sentinel sast ./src/ --rule JIT

Policy example

sentinel-policy.yml

rules:
  JIT-EVAL-COMPILE:
    owner: "Application security and backend/agent owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel sast ./src/ --rule JIT"

Expected output

JIT-EVAL-COMPILE HIGH
Dynamic eval or compile
Do not compile user-controlled strings.

Example

Bad

kernel = f"def run(x): return {user_expression}"
compiled = compile(kernel, "<jit>", "exec")

Good

allowed_ops = {"sum": torch.sum, "mean": torch.mean}
result = allowed_ops[op](tensor)

Related rules

JIT-DYNAMIC-KERNEL: Dynamic Kernel Generation
JIT-CACHE-POISONING: Writable JIT Cache

JIT-DYNAMIC-KERNEL — Dynamic Kernel Generation

HIGH

Rule ID	JIT-DYNAMIC-KERNEL
Category	JIT
Severity	HIGH
CWE	CWE-94
OWASP LLM	LLM03 — Supply Chain
FP Risk	MEDIUM
Owner	Application security and backend/agent owner
Release decision	Treat as a release gate; remediation or explicit risk acceptance is required.

Description

Flags CUDA, Triton, or Numba kernel strings assembled from untrusted values.

Why it matters

JIT features improve performance, but prompt-controlled or data-controlled code generation can turn model pipelines into execution surfaces.

When it fires

Sentinel fires this rule in the JIT category when it sees kernel source templates containing interpolated request, prompt, config, or notebook variables.. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

Kernel source templates containing interpolated request, prompt, config, or notebook variables.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is medium. Verify source, expected use, and owner first; add an allowlist if needed, but do not remove evidence from the report.

Triage

Operational checklist

Owner: Application security and backend/agent owner.
Decision: Treat as a release gate; remediation or explicit risk acceptance is required.
Evidence: Kernel source templates containing interpolated request, prompt, config, or notebook variables.
Closure: sentinel sast ./src/ --rule JIT must return clean output.

How to fix

Use precompiled kernels or strictly validate every kernel parameter with allowlists.

CLI

sentinel sast ./src/ --rule JIT

Policy example

sentinel-policy.yml

rules:
  JIT-DYNAMIC-KERNEL:
    owner: "Application security and backend/agent owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel sast ./src/ --rule JIT"

Expected output

JIT-DYNAMIC-KERNEL HIGH
Dynamic Kernel Generation
Separate kernel code from runtime data.

Example

Bad

kernel = f"def run(x): return {user_expression}"
compiled = compile(kernel, "<jit>", "exec")

Good

allowed_ops = {"sum": torch.sum, "mean": torch.mean}
result = allowed_ops[op](tensor)

Related rules

JIT-EVAL-COMPILE: Dynamic eval or compile
JIT-CACHE-POISONING: Writable JIT Cache

JIT-CACHE-POISONING — Writable JIT Cache

MEDIUM

Rule ID	JIT-CACHE-POISONING
Category	JIT
Severity	MEDIUM
CWE	CWE-345
OWASP LLM	LLM03 — Supply Chain
FP Risk	MEDIUM
Owner	Application security and backend/agent owner
Release decision	Assign an owner, fix within the sprint, and attach the retest command to the issue.

Description

Reports JIT cache directories that are shared, world-writable, or outside trusted build paths.

Why it matters

JIT features improve performance, but prompt-controlled or data-controlled code generation can turn model pipelines into execution surfaces.

When it fires

Sentinel fires this rule in the JIT category when it sees cache path permissions, environment variables, or config values point to writable temp or project directories.. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

Cache path permissions, environment variables, or config values point to writable temp or project directories.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is medium. Verify source, expected use, and owner first; add an allowlist if needed, but do not remove evidence from the report.

Triage

Operational checklist

Owner: Application security and backend/agent owner.
Decision: Assign an owner, fix within the sprint, and attach the retest command to the issue.
Evidence: Cache path permissions, environment variables, or config values point to writable temp or project directories.
Closure: sentinel sast ./src/ --rule JIT must return clean output.

How to fix

Use per-user cache directories with strict permissions and clear caches during deployment.

CLI

sentinel sast ./src/ --rule JIT

Policy example

sentinel-policy.yml

rules:
  JIT-CACHE-POISONING:
    owner: "Application security and backend/agent owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel sast ./src/ --rule JIT"

Expected output

JIT-CACHE-POISONING MEDIUM
Writable JIT Cache
Protect compiled caches from untrusted writes.

Example

Bad

kernel = f"def run(x): return {user_expression}"
compiled = compile(kernel, "<jit>", "exec")

Good

allowed_ops = {"sum": torch.sum, "mean": torch.mean}
result = allowed_ops[op](tensor)

Related rules

JIT-EVAL-COMPILE: Dynamic eval or compile
JIT-DYNAMIC-KERNEL: Dynamic Kernel Generation

References

PreviousSymbols NextCVE