[Javascript] Prompt Injection queries by BazookaMusic · Pull Request #21953 · github/codeql
added 12 commits
…and Google GenAI SDKs
Add experimental CodeQL query detecting prompt injection vulnerabilities in JavaScript/TypeScript applications using AI SDK libraries.
Modeled frameworks:
- openai (OpenAI, AzureOpenAI): responses, chat.completions, completions, images, embeddings, beta.assistants, beta.threads, audio APIs
- @openai/agents: Agent instructions, handoffDescription, run/Runner.run, asTool, tool()
- @anthropic-ai/sdk: messages.create, beta.messages.create, beta.agents.create/update
- @google/genai (GoogleGenAI): generateContent, generateContentStream, generateImages, editImage, chats, live.connect
Includes role-based filtering (system/developer/assistant/model roles) and constant-comparison sanitizer guard.
Move OpenAI, Anthropic, Google GenAI, and LangChain sinks that are structurally typed (identified by API name alone) into MaD YAML files. Role-filtered sinks that require inspecting a sibling 'role' property remain in QL code since MaD cannot express conditional logic.
Use two distinct sink kinds:
- user-prompt-injection: picked up by UserPromptInjection.ql
- system-prompt-injection: picked up by SystemPromptInjection.ql
New files:
- javascript/ql/lib/ext/openai.model.yml
- javascript/ql/lib/ext/anthropic.model.yml
- javascript/ql/lib/ext/google-genai.model.yml
- javascript/ql/lib/ext/langchain.model.yml
2. Remove redundant constant comparison barriers. This is already happening by default by the taint tracking library.
Update the alert message to "This system prompt depends on a $@." matching the SQL injection query style, and move the test out of experimental into Security/CWE-1427 to mirror the stable query location.
…ries
UserPromptInjection moved from experimental to stable (precision low, so not in any well-known suite); the old experimental path no longer exists.
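The split the commit messages draw between system-role and user-role sinks, shown as an added example that is not code from the pull request. The payloads follow the argument shape of openai's chat.completions.create; the function names, persona strings and the reading of the four listed roles as the privileged ones are assumptions.

```javascript
// Added example, not code from the pull request. Payloads follow the argument
// shape of openai's chat.completions.create; all names below are hypothetical.

// Roles listed in the commit message, assumed here to be the privileged ones.
const PRIVILEGED_ROLES = new Set(["system", "developer", "assistant", "model"]);

// Constant system prompts; untrusted input may only select one of them.
const PERSONAS = {
  support: "You are a support assistant for the billing product.",
  docs: "You answer questions using the product documentation only.",
};

// Pattern a system-prompt query targets: untrusted `persona` is concatenated
// into the content of a message whose sibling `role` is "system".
function buildRequestVulnerable(persona, question) {
  return {
    model: "example-model", // placeholder model name
    messages: [
      { role: "system", content: "You are a " + persona + " assistant." },
      { role: "user", content: question },
    ],
  };
}

// Comparison against constants: the returned value is always a known key.
function choosePersona(persona) {
  return persona === "support" || persona === "docs" ? persona : "support";
}

// Hardened form: system content is a constant, untrusted text stays in "user".
function buildRequestHardened(persona, question) {
  return {
    model: "example-model",
    messages: [
      { role: "system", content: PERSONAS[choosePersona(persona)] },
      { role: "user", content: question },
    ],
  };
}

// Audit helper: roles of privileged messages whose content carries `untrusted`.
function privilegedRolesCarrying(request, untrusted) {
  return request.messages
    .filter((m) => PRIVILEGED_ROLES.has(m.role) && m.content.includes(untrusted))
    .map((m) => m.role);
}
```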
Copilot AI review requested due to automatic review settings