Fix google genai models

This commit is contained in:
Sotiris Dragonas
2026-07-02 15:42:18 +02:00
parent 018ba92b1e
commit 27d2a2b16e
9 changed files with 615 additions and 47 deletions

321
prompt-injection-summary.md Normal file
View File

@@ -0,0 +1,321 @@
# Prompt Injection Alert Validation Summary
Validation of the DCA alert-comparison report for the Python queries
`py/system-prompt-injection` (`SystemPromptInjection.ql`) and
`py/user-prompt-injection` (`UserPromptInjection.ql`).
Source report:
`github/codeql-dca-main` @ `data/prompt-injection-llm-sdks-single``reports/alert-comparison.md`
## Methodology
Each alert was validated by fetching and reading the actual source code of the target
repository (at the exact commit referenced in the report), inspecting both the reported
**source** (the "user-provided value") and the reported **sink** (the prompt construction),
and confirming the flow.
Classification rules applied:
- **TP (true positive):** the source is genuinely untrusted/remote input and the flow really
reaches a prompt of the claimed role (user-role message for `user-prompt-injection`;
system/developer/tool-description for `system-prompt-injection`). By-design / admin flows into a
system prompt count as TP. If only a *convention* (not code) prevents injection, it is a TP.
- **Concern:** the flow is real, but there **is** input validation/sanitization that CodeQL does
not model. Reported as a concern rather than an FP (it is still essentially a true flow).
- **FP (false positive):** static analysis was imprecise — either the flagged flow is implausible
to ever carry attacker input (spurious path / not-really-untrusted source), or, for system-prompt
alerts, the taint did not actually end in a system prompt (sink mis-attribution).
## Headline metrics
| Metric | Value |
| --- | --- |
| Total detections | **86** |
| True positives (TP) | **84** |
| Concerns (real flow, unmodeled sanitizer) | **1** |
| False positives (FP) | **1** |
| Precision (TP+Concern treated as real) = 85/86 | **98.8%** |
| False-positive rate = 1/86 | **1.2%** |
### By query
| Query | Total | TP | Concern | FP | Precision* |
| --- | :---: | :---: | :---: | :---: | :---: |
| `py/system-prompt-injection` | 3 | 2 | 1 | 0 | 100% |
| `py/user-prompt-injection` | 83 | 82 | 0 | 1 | 98.8% |
| **Total** | **86** | **84** | **1** | **1** | **98.8%** |
\* Precision counts genuine flows (TP + Concern) as correct; the single Concern is a real flow whose
only mitigation (a Pydantic validator + allowlist) is not modeled by CodeQL.
### Overall assessment
Both queries are **highly precise** on this corpus. The `user-prompt-injection` query is marked
`@precision low` in its metadata, yet on real-world LLM-SDK apps essentially every flow it reports is
a genuine, unmediated path from untrusted input (Flask/FastAPI/Django request bodies, webhook
payloads, Gradio/Streamlit widgets) into a user-role LLM message. The `system-prompt-injection`
query (`@precision high`) had no false positives. The only true FP was caused by inter-procedural
conflation of two identically-named `GPT` classes.
---
## System prompt injection (3)
| # | Sink | Source | Verdict |
| --- | --- | --- | --- |
| S1 | FireBird-Technologies/blog2video `template_studio_llm.py:70` (`system=`) | `template_studio.py:2030,2187` | **Concern** |
| S2 | samuelclay/NewsBlur `utils/ai_functions.py:116` (`system=`) | `apps/analyzer/views.py:377` | **TP** |
| S3 | samuelclay/NewsBlur `utils/ai_functions.py:365` (`system=`) | `apps/analyzer/views.py:377` | **TP** |
- **S1 — Concern.** The sink is genuinely the Anthropic `system=` parameter. The only user-derived
content reaching it is `layout_id`, embedded as a markdown heading `f"## {layout_id}\n"`. That value
comes from request models where it is either validated by a Pydantic regex `^[a-z][a-z0-9_]*$` or
checked against an allowlist of known layouts (`meta.json`). The free-form `design_doc` / `instruction`
fields do **not** reach `system=` (they flow only to `user=`). The flow is real and correctly points
at a system prompt, but the character-class/allowlist restriction on `layout_id` (which makes practical
injection implausible) is not modeled by CodeQL — hence a **Concern**, not an FP.
- **S2 / S3 — TP.** `prompt = request.POST.get("prompt", "").strip()` (a raw Django POST field) is
interpolated into `system_message = f"""...classification criteria is: {prompt_classifier.prompt}..."""`
and passed as `system=` to `client.messages.create(...)` (text classifier at line 116, vision classifier
at line 365). Only a 500-character length check is applied — no content sanitization. Arbitrary
instructions land directly in the Anthropic system prompt.
---
## User prompt injection (83)
### FireBird-Technologies/blog2video (2) — both TP
| # | Sink | Source | Verdict |
| --- | --- | --- | --- |
| U1 | `services/image_gen.py:36` (`images.generate(prompt=…)`) | `routers/projects.py:3392` | **TP** |
| U2 | `services/template_studio_llm.py:71` (`{"role":"user","content":user}`) | `routers/template_studio.py:1048,1111,2030,2187,2679,2738` | **TP** |
- **U1 — TP.** User-supplied scene-description text flows into the OpenAI image-generation `prompt=`
argument with no content-level sanitization.
- **U2 — TP.** Free-form request-body fields (`instruction` min 5 / max 6000 chars, `design_doc` max
40000 chars, etc.) flow through helper functions into the Anthropic user-role message. Length caps
only; no content validation.
### LearningCircuit/local-deep-research (17) — all TP
All 17 share source `web/api.py:11` col 3946 = the Flask **`request`** object. Every authenticated POST
endpoint does `query = request.json.get("query")` (only a `isinstance(str)` type-check — no content
sanitization) and passes `query` unchanged through the research pipeline into LLM prompts.
| # | Sink | Verdict |
| --- | --- | --- |
| U3 | `filters/cross_engine_filter.py:167``Query: "{query}"``model.invoke(prompt)` | **TP** |
| U4 | `filters/followup_relevance_filter.py:160``Follow-up question: "{query}"` | **TP** |
| U5 | `questions/atomic_fact_question.py:79``Query: {query}` | **TP** |
| U6 | `questions/atomic_fact_question.py:149``Original Query: {original_query}` | **TP** |
| U7 | `questions/browsecomp_question.py:96``Query: {query}` | **TP** |
| U8 | `questions/browsecomp_question.py:282``Original Query: {query}` | **TP** |
| U9 | `questions/flexible_browsecomp_question.py:61``…for: {query}` | **TP** |
| U10 | `questions/standard_question.py:41``…answer: {query}` | **TP** |
| U11 | `strategies/langgraph_agent_strategy.py:1146``{"role":"user","content":query}` (explicit user role) | **TP** |
| U12 | `strategies/topic_organization_strategy.py:274``For the research query: "{query}"` | **TP** |
| U13 | `strategies/topic_organization_strategy.py:909` — refinement prompt w/ original query | **TP** |
| U14 | `strategies/topic_organization_strategy.py:1658``RESEARCH QUESTION TO ANSWER: {query}` | **TP** |
| U15 | `strategies/topic_organization_strategy.py:1706` — same `topic_prompt` loop | **TP** |
| U16 | `citation_handlers/base_citation_handler.py:41``self.llm.stream(prompt)` | **TP** |
| U17 | `citation_handlers/base_citation_handler.py:83``self.llm.invoke(prompt)` | **TP** |
| U18 | `citation_handlers/base_citation_handler.py:91``self.llm.invoke(prompt)` | **TP** |
| U19 | `report_generator.py:166``Analyze this research content about: {query}` | **TP** |
### PostHog/posthog (2) — both TP
| # | Sink | Source | Verdict |
| --- | --- | --- | --- |
| U20 | `user_interviews/backend/max_tools.py:61` | `presentation/webhooks.py:363` | **TP** |
| U21 | `user_interviews/backend/max_tools.py:71` | `presentation/webhooks.py:363` | **TP** |
Untrusted Vapi `end-of-call-report` webhook fields (`transcript` / `summary`, i.e. the interviewee's
speech) are stored via the ORM and later joined into `interview_summaries_text`, which is placed in the
user-role message of a `gpt-4.1-mini` call. DB-mediated but a genuine indirect-injection vector.
### Significant-Gravitas/AutoGPT (1) — TP
| # | Sink | Source | Verdict |
| --- | --- | --- | --- |
| U22 | `backend/data/tally.py:411``{"role":"user","content":f"{_EXTRACTION_PROMPT}{formatted_text}…"}` | `api/features/v1.py:388` (`OnboardingProfileRequest`) | **TP** |
User-controlled onboarding-profile fields (`user_name`, `user_role`, `pain_points`) from a FastAPI POST
body are formatted verbatim into the user-role extraction prompt.
### SocialAI-tianji/Tianji (1) — TP
| # | Sink | Source | Verdict |
| --- | --- | --- | --- |
| U23 | `agents/metagpt_agents/utils/agent_llm.py:106``{"role":"user","content":prompt}` | `run/demo_agent_metagpt.py:100` (`st.chat_input()`) | **TP** |
### aliasrobotics/cai (1) — TP
| # | Sink | Source | Verdict |
| --- | --- | --- | --- |
| U24 | `sdk/agents/items.py:220``[{"content":input,"role":"user"}]` | `api/app.py:567,655,709,830` (FastAPI `payload.input`/`payload.prompt`) | **TP** |
### egolife-ai/Ego-R1 (6) — 5 TP, 1 FP
| # | Sink | Source | Verdict |
| --- | --- | --- | --- |
| U25 | `api/rag/r1rag/utils.py:49` (`"content"` user array) | 8 FastAPI `/query` endpoints (`request.keywords`) | **TP** |
| U26 | `api/rag/r1rag/utils.py:52` (`"text": prompt`) | same 8 endpoints | **TP** |
| U27 | `api/visual_tools/egor1_vlm/utils.py:61` (`{"role":"user","content":message}`) | 3 `/vlm` endpoints (`request.question`) | **TP** |
| U28 | `api/visual_tools/egoschema_vlm/utils.py:92` | same 3 `/vlm` endpoints | **TP** |
| U29 | `api/visual_tools/videomme_vlm/utils.py:62` | same 3 `/vlm` endpoints | **TP** |
| U30 | `cott_gen/utils.py:100` | 3 `visual_tools` `/vlm` endpoints | **FP** |
- **U30 — FP (the only false positive).** The reported taint path is spurious. The `visual_tools` API
handlers only ever instantiate their *own* local `GPT` class (in `api/visual_tools/*/utils.py`).
`cott_gen/` is a separate offline chain-of-thought pipeline with an independently-defined `GPT` class
that is never imported or invoked by any API endpoint. CodeQL conflated the two identically-named
`GPT` classes with matching `chat(self, message, …)` signatures (duck-typed dispatch), producing an
inter-procedural path that has no concrete call chain. **Imprecision — sink not actually reachable
from the source.**
### ezgisubasi/youtube-rag-assistant (3) — all TP
Source for all three: `app.py:224` `st.chat_input("Ask about leadership or business...")`.
| # | Sink | Verdict |
| --- | --- | --- |
| U31 | `src/services/rag_service.py:213` — user query in eval prompt → `llm.invoke` | **TP** |
| U32 | `src/services/rag_service.py:307``.format(..., question=question)``llm.invoke` | **TP** |
| U33 | `src/services/rag_service.py:323` — web-fallback prompt → `llm.invoke` | **TP** |
### llnl/open-ai-co-scientist (1) — TP
| # | Sink | Source | Verdict |
| --- | --- | --- | --- |
| U34 | `app/utils.py:57``{"role":"user","content":prompt}` | `app.py:492-496,508-511` (Gradio `gr.Textbox` "Research Goal") | **TP** |
### openai/openai-agents-python (1) — TP
| # | Sink | Source | Verdict |
| --- | --- | --- | --- |
| U35 | `examples/mcp/manager_example/app.py:107``Runner.run(..., input=req.input)` | same file:93 (FastAPI `RunRequest.input`) | **TP** |
Example/demo code, but the flow (HTTP body → agent user turn) is technically a valid injection path.
### samuelclay/NewsBlur — archive_extension (1) — TP
| # | Sink | Source | Verdict |
| --- | --- | --- | --- |
| U36 | `apps/archive_extension/views.py:1134``{"role":"user","content":prompt}` | same file:1063 (`request.POST.get("category")`) | **TP** |
The `category` POST field (only `.strip()` applied) is interpolated into the user-role Claude message.
### showlab/computer_use_ootb (2) — both TP
Sources: Gradio inputs `app.py:248` / `app.py:598`.
| # | Sink | Verdict |
| --- | --- | --- |
| U37 | `computer_use_demo/gui_agent/actor/uitars_agent.py:59``{"type":"text","text":task}` in user role | **TP** |
| U38 | `computer_use_demo/gui_agent/actor/uitars_agent.py:60` — same user-role content array | **TP** |
### suki0dayo/AI_film_studio (3) — all TP
Source for all three: `app.py:6` (`from flask import ... request`) — the standard CodeQL Flask taint
origin node; the concrete untrusted value is `request.json['user_prompt']` in the `/api/llm` POST
handler. (Line 6 is the request import node, **not** a constant — not an FP.)
| # | Sink | Verdict |
| --- | --- | --- |
| U39 | `app.py:488``{'role':'user','parts':[{'text':user_prompt}]}` (Gemini) | **TP** |
| U40 | `app.py:540``{'role':'user','content':user_prompt}` (OpenAI-compat) | **TP** |
| U41 | `app.py:546` — outbound `/chat/completions` POST carrying that user-role message | **TP** |
### truera/trulens (1) — TP
| # | Sink | Source | Verdict |
| --- | --- | --- | --- |
| U42 | `examples/.../openai_agent_sdk_snowflake_tools/src/agent/app.py:155``Runner.run_sync(support_agent, question)` | `.../server.py:78` (FastAPI `ChatRequest.message`) | **TP** |
Example/expositional code, but the HTTP-body → agent user-turn flow is a valid injection path.
### xusenlinzy/api-for-open-llm (2) — both TP
Source for both: `streamlit_app.py:36` `st.chat_input("What is up?")`.
| # | Sink | Verdict |
| --- | --- | --- |
| U43 | `streamlit-demo/.../multimodal_chat/streamlit_app.py:44``{"role":"user","content":[{"type":"text","text":prompt}]}` | **TP** |
| U44 | `streamlit-demo/.../multimodal_chat/streamlit_app.py:47``"text": prompt` in same user-role array | **TP** |
### mdbabumiamssm/LLMs-Universal-Life-Science-and-Clinical-Skills- (38) — all TP
Vendored `awesome-llm-apps` demos under
`Skills/External_Collections/awesome-llm-apps/`. Every alert is a Streamlit widget
(`st.text_input` / `st.text_area` / `st.chat_input`) flowing unmodified into a user-role LLM message
(`{"role":"user",...}`, `HumanMessage(...)`, `('human', ...)`, or `Runner.run(agent, user_input)`).
No sanitization or allowlisting exists in any of these files.
| # | Sink file:line | Source | Verdict |
| --- | --- | --- | --- |
| U45 | `.../ai_3dpygame_r1/ai_3dpygame_r1.py:91` | `st.text_area` :58 | **TP** |
| U46 | `.../ai_customer_support_agent/customer_support_agent.py:67` | `st.chat_input` :192 | **TP** |
| U47 | `.../ai_deep_research_agent/deep_research_openai.py:140` | `st.text_input` :57 | **TP** |
| U48 | `.../ai_deep_research_agent/deep_research_openai.py:159` | `st.text_input` :57 | **TP** |
| U49 | `.../ai_system_architect_r1/ai_system_architect_r1.py:201` | `st.chat_input` :302 | **TP** |
| U50 | `.../ai_travel_agent_memory/travel_agent_memory.py:95` | `st.chat_input` :71 | **TP** |
| U51 | `.../llm_app_personalized_memory/llm_app_memory.py:61` | `st.text_input` :42 | **TP** |
| U52 | `.../multi_llm_memory/multi_llm_memory.py:75` | `st.text_input` :57 | **TP** |
| U53 | `.../1_starter_agent/app.py:110` | `st.chat_input` :99 | **TP** |
| U54 | `.../1_starter_agent/app.py:117` | `st.chat_input` :99 | **TP** |
| U55 | `.../1_starter_agent/app.py:129` | `st.chat_input` :99 | **TP** |
| U56 | `.../4_running_agents/agent_runner.py:173` | `st.text_input` :165 | **TP** |
| U57 | `.../4_running_agents/agent_runner.py:196` | `st.text_input` :188 | **TP** |
| U58 | `.../4_running_agents/agent_runner.py:227` | `st.text_input` :211 | **TP** |
| U59 | `.../4_running_agents/agent_runner.py:266` | `st.text_input` :256 | **TP** |
| U60 | `.../4_running_agents/agent_runner.py:309` | `st.text_input` :298 | **TP** |
| U61 | `.../4_running_agents/agent_runner.py:378` | `st.text_input` :361 | **TP** |
| U62 | `.../4_running_agents/agent_runner.py:427` | `st.text_input` :407 | **TP** |
| U63 | `.../4_running_agents/agent_runner.py:480` | `st.text_input` :459 | **TP** |
| U64 | `.../4_running_agents/agent_runner.py:536` | `st.text_input` :512 | **TP** |
| U65 | `.../4_running_agents/agent_runner.py:613` | `st.text_input` :604 | **TP** |
| U66 | `.../4_running_agents/agent_runner.py:635` | `st.text_input` :629 | **TP** |
| U67 | `.../7_sessions/streamlit_sessions_app.py:158` | `st.text_input` :152 | **TP** |
| U68 | `.../7_sessions/streamlit_sessions_app.py:187` | `st.text_input` :181 | **TP** |
| U69 | `.../7_sessions/streamlit_sessions_app.py:219` | `st.text_input` :213 | **TP** |
| U70 | `.../7_sessions/streamlit_sessions_app.py:307` | `st.text_input` :301 | **TP** |
| U71 | `.../7_sessions/streamlit_sessions_app.py:327` | `st.text_input` :321 | **TP** |
| U72 | `.../7_sessions/streamlit_sessions_app.py:352` | `st.text_input` :346 | **TP** |
| U73 | `.../7_sessions/streamlit_sessions_app.py:366` | `st.text_input` :360 | **TP** |
| U74 | `.../7_sessions/streamlit_sessions_app.py:391` | `st.text_input` :385 | **TP** |
| U75 | `.../hybrid_search_rag/main.py:123` | `st.chat_input` :190 | **TP** |
| U76 | `.../llama3.1_local_rag/llama3.1_local_rag.py:53` | `st.text_input` :85 | **TP** |
| U77 | `.../rag_agent_cohere/rag_agent_cohere.py:237` | `st.chat_input` :279 | **TP** |
| U78 | `.../rag_database_routing/rag_database_routing.py:292` | `st.text_input` :376 | **TP** |
| U79 | `.../rag-as-a-service/rag_app.py:102` | `st.text_input` :185 | **TP** |
| U80 | `.../opeani_research_agent/research_agent.py:196` | `st.text_input` :143 | **TP** |
| U81 | `.../customer_support_voice_agent/customer_support_voice_agent.py:290` | `st.text_input` :349 | **TP** |
| U82 | `.../voice_rag_openaisdk/rag_voice.py:248` | `st.text_input` :359 | **TP** |
---
## Concerns (unmodeled mitigations)
- **S1 (FireBird blog2video, `system=` at `template_studio_llm.py:70`).** Real flow into a system
prompt, but the only user-derived component (`layout_id`) is constrained by a Pydantic regex
`^[a-z][a-z0-9_]*$` and/or an allowlist of known layout ids, which CodeQL does not model. Practical
injection is unlikely, but the query is technically correct to flag the flow. If desired, such regex
allowlist validators could be added as barriers to the `SystemPromptInjection` sanitizer set.
Additional observations that are **not** downgraded (still TP):
- Several NewsBlur / AutoGPT flows apply only a *length* check (e.g. `len(prompt) > 500`) — this is not
content sanitization and does not neutralize injection.
- PostHog (U20/U21) is a DB-mediated indirect-injection flow (voice transcript persisted, then re-read
into a prompt) — a legitimate, if less obvious, injection vector.
- `openai/openai-agents-python` (U35) and `truera/trulens` (U42) are example/demo apps; classification
reflects the technical validity of the flow, independent of the code's demo status.
## False positives (1)
- **U30 (egolife-ai/Ego-R1, `cott_gen/utils.py:100`).** Spurious inter-procedural path caused by
conflating two distinct classes both named `GPT` with identical `chat(self, message, …)` signatures.
The `visual_tools` API endpoints never call the `cott_gen` `GPT`; no concrete call chain exists, so
the sink is not actually reachable from the reported source. This is a genuine static-analysis
precision issue (duck-typed method-name/signature conflation).

View File

@@ -16,7 +16,7 @@ private import semmle.python.ApiGraphs
module GoogleGenAI {
/** Gets a reference to a `google.genai.Client` instance. */
private API::Node clientRef() {
result = API::moduleImport("google.genai").getMember("Client").getReturn()
result = API::moduleImport("google").getMember("genai").getMember("Client").getReturn()
}
/** Gets the content dictionaries passed to `models.generate_content`/`generate_content_stream`. */

View File

@@ -4,10 +4,12 @@ extensions:
extensible: sinkModel
data:
# `system_instruction` on the generation config is a system-level prompt
- ['google.genai', 'Member[types].Member[GenerateContentConfig].Argument[system_instruction:]', 'system-prompt-injection']
- ['google', 'Member[genai].Member[types].Member[GenerateContentConfig].Argument[system_instruction:]', 'system-prompt-injection']
# The Live API connect config carries a system instruction
- ['google', 'Member[genai].Member[types].Member[LiveConnectConfig].Argument[system_instruction:]', 'system-prompt-injection']
# Cached content carries a system instruction and user content
- ['google.genai', 'Member[types].Member[CreateCachedContentConfig].Argument[system_instruction:]', 'system-prompt-injection']
- ['google.genai', 'Member[types].Member[CreateCachedContentConfig].Argument[contents:]', 'user-prompt-injection']
- ['google', 'Member[genai].Member[types].Member[CreateCachedContentConfig].Argument[system_instruction:]', 'system-prompt-injection']
- ['google', 'Member[genai].Member[types].Member[CreateCachedContentConfig].Argument[contents:]', 'user-prompt-injection']
# User-level content
- ['GoogleGenAI', 'Member[models].Member[generate_content,generate_content_stream].Argument[contents:]', 'user-prompt-injection']
- ['GoogleGenAI', 'Member[models].Member[generate_images,generate_videos,edit_image].Argument[prompt:]', 'user-prompt-injection']
@@ -18,4 +20,4 @@ extensions:
pack: codeql/python-all
extensible: typeModel
data:
- ['GoogleGenAI', 'google.genai', 'Member[Client].ReturnValue']
- ['GoogleGenAI', 'google', 'Member[genai].Member[Client].ReturnValue']

View File

@@ -5,17 +5,28 @@ extensions:
data:
# Message constructors. The first positional argument or the `content` keyword
# carries the message text.
- ['langchain_core.messages', 'Member[SystemMessage].Argument[0]', 'system-prompt-injection']
- ['langchain_core.messages', 'Member[SystemMessage].Argument[content:]', 'system-prompt-injection']
- ['langchain.schema', 'Member[SystemMessage].Argument[0]', 'system-prompt-injection']
- ['langchain.schema', 'Member[SystemMessage].Argument[content:]', 'system-prompt-injection']
- ['langchain_core.messages', 'Member[HumanMessage].Argument[0]', 'user-prompt-injection']
- ['langchain_core.messages', 'Member[HumanMessage].Argument[content:]', 'user-prompt-injection']
- ['langchain.schema', 'Member[HumanMessage].Argument[0]', 'user-prompt-injection']
- ['langchain.schema', 'Member[HumanMessage].Argument[content:]', 'user-prompt-injection']
- ['langchain_core', 'Member[messages].Member[SystemMessage].Argument[0]', 'system-prompt-injection']
- ['langchain_core', 'Member[messages].Member[SystemMessage].Argument[content:]', 'system-prompt-injection']
- ['langchain', 'Member[schema].Member[SystemMessage].Argument[0]', 'system-prompt-injection']
- ['langchain', 'Member[schema].Member[SystemMessage].Argument[content:]', 'system-prompt-injection']
- ['langchain_core', 'Member[messages].Member[HumanMessage].Argument[0]', 'user-prompt-injection']
- ['langchain_core', 'Member[messages].Member[HumanMessage].Argument[content:]', 'user-prompt-injection']
- ['langchain', 'Member[schema].Member[HumanMessage].Argument[0]', 'user-prompt-injection']
- ['langchain', 'Member[schema].Member[HumanMessage].Argument[content:]', 'user-prompt-injection']
# Invoking a chat model with user input.
- ['LangChainChatModel', 'Member[invoke,stream,predict,call].Argument[0]', 'user-prompt-injection']
- ['LangChainChatModel', 'Member[batch].Argument[0].ListElement', 'user-prompt-injection']
- ['LangChainChatModel', 'Member[generate].Argument[0].ListElement.ListElement', 'user-prompt-injection']
# Prompt templates. User input embedded directly into a template.
- ['langchain_core', 'Member[prompts].Member[PromptTemplate].Instance.Member[format].Argument[any-named]', 'user-prompt-injection']
# Legacy `LLMChain` and `AgentExecutor` take the user input in the `input` field.
- ['LangChainLLMChain', 'Member[invoke].Argument[0].DictionaryElement[input]', 'user-prompt-injection']
- ['LangChainLLMChain', 'Member[run].Argument[0]', 'user-prompt-injection']
- ['LangChainAgentExecutor', 'Member[invoke].Argument[0].DictionaryElement[input]', 'user-prompt-injection']
# The `system_prompt` passed to `create_agent` is a system-level prompt.
- ['langchain', 'Member[agents].Member[create_agent].Argument[system_prompt:]', 'system-prompt-injection']
# The messages passed to a `create_agent` graph are user-level content.
- ['LangChainAgent', 'Member[invoke,stream].Argument[0].DictionaryElement[messages].ListElement.DictionaryElement[content]', 'user-prompt-injection']
- addsTo:
pack: codeql/python-all
@@ -29,3 +40,14 @@ extensions:
- ['LangChainChatModel', 'langchain_cohere', 'Member[ChatCohere].ReturnValue']
- ['LangChainChatModel', 'langchain_ollama', 'Member[ChatOllama].ReturnValue']
- ['LangChainChatModel', 'langchain_aws', 'Member[ChatBedrock,ChatBedrockConverse].ReturnValue']
- ['LangChainChatModel', 'langchain_fireworks', 'Member[ChatFireworks].ReturnValue']
- ['LangChainChatModel', 'langchain_together', 'Member[ChatTogether].ReturnValue']
- ['LangChainChatModel', 'langchain_xai', 'Member[ChatXAI].ReturnValue']
- ['LangChainChatModel', 'langchain', 'Member[chat_models].Member[init_chat_model].ReturnValue']
- ['LangChainLLMChain', 'langchain', 'Member[chains].Member[LLMChain].ReturnValue']
- ['LangChainLLMChain', 'langchain_classic', 'Member[chains].Member[LLMChain].ReturnValue']
- ['LangChainAgentExecutor', 'langchain', 'Member[agents].Member[AgentExecutor].ReturnValue']
- ['LangChainAgentExecutor', 'langchain_classic', 'Member[agents].Member[AgentExecutor].ReturnValue']
- ['LangChainAgentExecutor', 'langchain', 'Member[agents].Member[AgentExecutor].Member[from_agent_and_tools].ReturnValue']
- ['LangChainAgentExecutor', 'langchain_classic', 'Member[agents].Member[AgentExecutor].Member[from_agent_and_tools].ReturnValue']
- ['LangChainAgent', 'langchain', 'Member[agents].Member[create_agent].ReturnValue']

View File

@@ -10,6 +10,12 @@
| anthropic_test.py:45:16:45:37 | ControlFlowNode for BinaryExpr | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | anthropic_test.py:45:16:45:37 | ControlFlowNode for BinaryExpr | This system prompt depends on a $@. | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
| anthropic_test.py:57:16:57:37 | ControlFlowNode for BinaryExpr | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | anthropic_test.py:57:16:57:37 | ControlFlowNode for BinaryExpr | This system prompt depends on a $@. | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
| anthropic_test.py:63:16:63:37 | ControlFlowNode for BinaryExpr | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | anthropic_test.py:63:16:63:37 | ControlFlowNode for BinaryExpr | This system prompt depends on a $@. | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
| gemini_test.py:21:33:21:49 | ControlFlowNode for BinaryExpr | gemini_test.py:3:26:3:32 | ControlFlowNode for ImportMember | gemini_test.py:21:33:21:49 | ControlFlowNode for BinaryExpr | This system prompt depends on a $@. | gemini_test.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
| gemini_test.py:35:32:35:53 | ControlFlowNode for BinaryExpr | gemini_test.py:3:26:3:32 | ControlFlowNode for ImportMember | gemini_test.py:35:32:35:53 | ControlFlowNode for BinaryExpr | This system prompt depends on a $@. | gemini_test.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
| gemini_test.py:43:32:43:53 | ControlFlowNode for BinaryExpr | gemini_test.py:3:26:3:32 | ControlFlowNode for ImportMember | gemini_test.py:43:32:43:53 | ControlFlowNode for BinaryExpr | This system prompt depends on a $@. | gemini_test.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
| gemini_test.py:56:32:56:53 | ControlFlowNode for BinaryExpr | gemini_test.py:3:26:3:32 | ControlFlowNode for ImportMember | gemini_test.py:56:32:56:53 | ControlFlowNode for BinaryExpr | This system prompt depends on a $@. | gemini_test.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
| langchain_test.py:17:35:17:58 | ControlFlowNode for BinaryExpr | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | langchain_test.py:17:35:17:58 | ControlFlowNode for BinaryExpr | This system prompt depends on a $@. | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
| langchain_test.py:30:43:30:66 | ControlFlowNode for BinaryExpr | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | langchain_test.py:30:43:30:66 | ControlFlowNode for BinaryExpr | This system prompt depends on a $@. | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
| openai_test.py:17:22:17:46 | ControlFlowNode for BinaryExpr | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openai_test.py:17:22:17:46 | ControlFlowNode for BinaryExpr | This system prompt depends on a $@. | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
| openai_test.py:22:22:22:46 | ControlFlowNode for BinaryExpr | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openai_test.py:22:22:22:46 | ControlFlowNode for BinaryExpr | This system prompt depends on a $@. | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
| openai_test.py:26:28:26:51 | ControlFlowNode for BinaryExpr | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openai_test.py:26:28:26:51 | ControlFlowNode for BinaryExpr | This system prompt depends on a $@. | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
@@ -47,6 +53,30 @@ edges
| anthropic_test.py:11:15:11:21 | ControlFlowNode for request | anthropic_test.py:11:15:11:26 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
| anthropic_test.py:11:15:11:26 | ControlFlowNode for Attribute | anthropic_test.py:11:15:11:41 | ControlFlowNode for Attribute() | provenance | dict.get |
| anthropic_test.py:11:15:11:41 | ControlFlowNode for Attribute() | anthropic_test.py:11:5:11:11 | ControlFlowNode for persona | provenance | |
| gemini_test.py:3:26:3:32 | ControlFlowNode for ImportMember | gemini_test.py:3:26:3:32 | ControlFlowNode for request | provenance | |
| gemini_test.py:3:26:3:32 | ControlFlowNode for request | gemini_test.py:11:15:11:21 | ControlFlowNode for request | provenance | |
| gemini_test.py:3:26:3:32 | ControlFlowNode for request | gemini_test.py:51:15:51:21 | ControlFlowNode for request | provenance | |
| gemini_test.py:11:5:11:11 | ControlFlowNode for persona | gemini_test.py:21:33:21:49 | ControlFlowNode for BinaryExpr | provenance | |
| gemini_test.py:11:5:11:11 | ControlFlowNode for persona | gemini_test.py:35:32:35:53 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:13 |
| gemini_test.py:11:5:11:11 | ControlFlowNode for persona | gemini_test.py:43:32:43:53 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:12 |
| gemini_test.py:11:15:11:21 | ControlFlowNode for request | gemini_test.py:11:15:11:26 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
| gemini_test.py:11:15:11:26 | ControlFlowNode for Attribute | gemini_test.py:11:15:11:41 | ControlFlowNode for Attribute() | provenance | dict.get |
| gemini_test.py:11:15:11:41 | ControlFlowNode for Attribute() | gemini_test.py:11:5:11:11 | ControlFlowNode for persona | provenance | |
| gemini_test.py:51:5:51:11 | ControlFlowNode for persona | gemini_test.py:56:32:56:53 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:14 |
| gemini_test.py:51:15:51:21 | ControlFlowNode for request | gemini_test.py:51:15:51:26 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
| gemini_test.py:51:15:51:26 | ControlFlowNode for Attribute | gemini_test.py:51:15:51:41 | ControlFlowNode for Attribute() | provenance | dict.get |
| gemini_test.py:51:15:51:41 | ControlFlowNode for Attribute() | gemini_test.py:51:5:51:11 | ControlFlowNode for persona | provenance | |
| langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | langchain_test.py:3:26:3:32 | ControlFlowNode for request | provenance | |
| langchain_test.py:3:26:3:32 | ControlFlowNode for request | langchain_test.py:10:15:10:21 | ControlFlowNode for request | provenance | |
| langchain_test.py:3:26:3:32 | ControlFlowNode for request | langchain_test.py:28:15:28:21 | ControlFlowNode for request | provenance | |
| langchain_test.py:10:5:10:11 | ControlFlowNode for persona | langchain_test.py:17:35:17:58 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:16 |
| langchain_test.py:10:15:10:21 | ControlFlowNode for request | langchain_test.py:10:15:10:26 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
| langchain_test.py:10:15:10:26 | ControlFlowNode for Attribute | langchain_test.py:10:15:10:41 | ControlFlowNode for Attribute() | provenance | dict.get |
| langchain_test.py:10:15:10:41 | ControlFlowNode for Attribute() | langchain_test.py:10:5:10:11 | ControlFlowNode for persona | provenance | |
| langchain_test.py:28:5:28:11 | ControlFlowNode for persona | langchain_test.py:30:43:30:66 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:15 |
| langchain_test.py:28:15:28:21 | ControlFlowNode for request | langchain_test.py:28:15:28:26 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
| langchain_test.py:28:15:28:26 | ControlFlowNode for Attribute | langchain_test.py:28:15:28:41 | ControlFlowNode for Attribute() | provenance | dict.get |
| langchain_test.py:28:15:28:41 | ControlFlowNode for Attribute() | langchain_test.py:28:5:28:11 | ControlFlowNode for persona | provenance | |
| openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openai_test.py:2:26:2:32 | ControlFlowNode for request | provenance | |
| openai_test.py:2:26:2:32 | ControlFlowNode for request | openai_test.py:12:15:12:21 | ControlFlowNode for request | provenance | |
| openai_test.py:12:5:12:11 | ControlFlowNode for persona | openai_test.py:17:22:17:46 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:6 |
@@ -79,6 +109,11 @@ models
| 9 | Sink: agents; Member[Agent].Argument[instructions:]; system-prompt-injection |
| 10 | Sink: agents; Member[Agent].ReturnValue.Member[as_tool].Argument[1,tool_description:]; system-prompt-injection |
| 11 | Sink: agents; Member[FunctionTool].Argument[description:]; system-prompt-injection |
| 12 | Sink: google; Member[genai].Member[types].Member[CreateCachedContentConfig].Argument[system_instruction:]; system-prompt-injection |
| 13 | Sink: google; Member[genai].Member[types].Member[GenerateContentConfig].Argument[system_instruction:]; system-prompt-injection |
| 14 | Sink: google; Member[genai].Member[types].Member[LiveConnectConfig].Argument[system_instruction:]; system-prompt-injection |
| 15 | Sink: langchain; Member[agents].Member[create_agent].Argument[system_prompt:]; system-prompt-injection |
| 16 | Sink: langchain_core; Member[messages].Member[SystemMessage].Argument[content:]; system-prompt-injection |
nodes
| agent_test.py:2:26:2:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
| agent_test.py:2:26:2:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
@@ -107,6 +142,32 @@ nodes
| anthropic_test.py:45:16:45:37 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
| anthropic_test.py:57:16:57:37 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
| anthropic_test.py:63:16:63:37 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
| gemini_test.py:3:26:3:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
| gemini_test.py:3:26:3:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| gemini_test.py:11:5:11:11 | ControlFlowNode for persona | semmle.label | ControlFlowNode for persona |
| gemini_test.py:11:15:11:21 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| gemini_test.py:11:15:11:26 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| gemini_test.py:11:15:11:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| gemini_test.py:21:33:21:49 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
| gemini_test.py:35:32:35:53 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
| gemini_test.py:43:32:43:53 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
| gemini_test.py:51:5:51:11 | ControlFlowNode for persona | semmle.label | ControlFlowNode for persona |
| gemini_test.py:51:15:51:21 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| gemini_test.py:51:15:51:26 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| gemini_test.py:51:15:51:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| gemini_test.py:56:32:56:53 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
| langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
| langchain_test.py:3:26:3:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| langchain_test.py:10:5:10:11 | ControlFlowNode for persona | semmle.label | ControlFlowNode for persona |
| langchain_test.py:10:15:10:21 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| langchain_test.py:10:15:10:26 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| langchain_test.py:10:15:10:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| langchain_test.py:17:35:17:58 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
| langchain_test.py:28:5:28:11 | ControlFlowNode for persona | semmle.label | ControlFlowNode for persona |
| langchain_test.py:28:15:28:21 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| langchain_test.py:28:15:28:26 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| langchain_test.py:28:15:28:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| langchain_test.py:30:43:30:66 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
| openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
| openai_test.py:2:26:2:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| openai_test.py:12:5:12:11 | ControlFlowNode for persona | semmle.label | ControlFlowNode for persona |
@@ -130,10 +191,3 @@ nodes
| openrouter_test.py:18:28:18:51 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
| openrouter_test.py:29:22:29:45 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
subpaths
testFailures
| gemini_test.py:3:35:3:44 | Comment # $ Source | Missing result: Source |
| gemini_test.py:21:52:21:88 | Comment # $ Alert[py/system-prompt-injection] | Missing result: Alert[py/system-prompt-injection] |
| gemini_test.py:35:57:35:93 | Comment # $ Alert[py/system-prompt-injection] | Missing result: Alert[py/system-prompt-injection] |
| gemini_test.py:43:57:43:93 | Comment # $ Alert[py/system-prompt-injection] | Missing result: Alert[py/system-prompt-injection] |
| langchain_test.py:3:35:3:44 | Comment # $ Source | Missing result: Source |
| langchain_test.py:17:63:17:99 | Comment # $ Alert[py/system-prompt-injection] | Missing result: Alert[py/system-prompt-injection] |

View File

@@ -44,3 +44,16 @@ def get_input_gemini():
),
)
print(cache)
@app.route("/gemini-live")
async def get_input_gemini_live():
persona = request.args.get("persona")
async with client.aio.live.connect(
model="gemini-2.0-flash",
config=types.LiveConnectConfig(
system_instruction="Talk like " + persona, # $ Alert[py/system-prompt-injection]
),
) as session:
print(session)

View File

@@ -19,3 +19,12 @@ def get_input_langchain():
]
)
print(result)
@app.route("/langchain-create-agent")
def get_input_langchain_create_agent():
from langchain.agents import create_agent
persona = request.args.get("persona")
create_agent("gpt-4.1", system_prompt="Talk like a " + persona) # $ Alert[py/system-prompt-injection]

View File

@@ -4,7 +4,24 @@
| agent_test.py:20:28:20:32 | ControlFlowNode for query | agent_test.py:2:26:2:32 | ControlFlowNode for ImportMember | agent_test.py:20:28:20:32 | ControlFlowNode for query | This prompt construction depends on a $@. | agent_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
| anthropic_test.py:20:28:20:32 | ControlFlowNode for query | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | anthropic_test.py:20:28:20:32 | ControlFlowNode for query | This prompt construction depends on a $@. | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
| anthropic_test.py:29:16:29:55 | ControlFlowNode for BinaryExpr | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | anthropic_test.py:29:16:29:55 | ControlFlowNode for BinaryExpr | This prompt construction depends on a $@. | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
| gemini_test.py:15:18:15:22 | ControlFlowNode for query | gemini_test.py:3:26:3:32 | ControlFlowNode for ImportMember | gemini_test.py:15:18:15:22 | ControlFlowNode for query | This prompt construction depends on a $@. | gemini_test.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
| gemini_test.py:20:18:29:9 | ControlFlowNode for List | gemini_test.py:3:26:3:32 | ControlFlowNode for ImportMember | gemini_test.py:20:18:29:9 | ControlFlowNode for List | This prompt construction depends on a $@. | gemini_test.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
| gemini_test.py:25:33:25:37 | ControlFlowNode for query | gemini_test.py:3:26:3:32 | ControlFlowNode for ImportMember | gemini_test.py:25:33:25:37 | ControlFlowNode for query | This prompt construction depends on a $@. | gemini_test.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
| gemini_test.py:33:35:33:58 | ControlFlowNode for BinaryExpr | gemini_test.py:3:26:3:32 | ControlFlowNode for ImportMember | gemini_test.py:33:35:33:58 | ControlFlowNode for BinaryExpr | This prompt construction depends on a $@. | gemini_test.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
| gemini_test.py:37:16:37:20 | ControlFlowNode for query | gemini_test.py:3:26:3:32 | ControlFlowNode for ImportMember | gemini_test.py:37:16:37:20 | ControlFlowNode for query | This prompt construction depends on a $@. | gemini_test.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
| gemini_test.py:43:22:43:26 | ControlFlowNode for query | gemini_test.py:3:26:3:32 | ControlFlowNode for ImportMember | gemini_test.py:43:22:43:26 | ControlFlowNode for query | This prompt construction depends on a $@. | gemini_test.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
| langchain_test.py:17:34:17:38 | ControlFlowNode for query | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | langchain_test.py:17:34:17:38 | ControlFlowNode for query | This prompt construction depends on a $@. | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
| langchain_test.py:21:28:21:51 | ControlFlowNode for BinaryExpr | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | langchain_test.py:21:28:21:51 | ControlFlowNode for BinaryExpr | This prompt construction depends on a $@. | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
| langchain_test.py:34:28:34:32 | ControlFlowNode for query | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | langchain_test.py:34:28:34:32 | ControlFlowNode for query | This prompt construction depends on a $@. | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
| langchain_test.py:35:27:35:31 | ControlFlowNode for query | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | langchain_test.py:35:27:35:31 | ControlFlowNode for query | This prompt construction depends on a $@. | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
| langchain_test.py:36:22:36:26 | ControlFlowNode for query | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | langchain_test.py:36:22:36:26 | ControlFlowNode for query | This prompt construction depends on a $@. | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
| langchain_test.py:37:39:37:43 | ControlFlowNode for query | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | langchain_test.py:37:39:37:43 | ControlFlowNode for query | This prompt construction depends on a $@. | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
| langchain_test.py:40:22:40:26 | ControlFlowNode for query | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | langchain_test.py:40:22:40:26 | ControlFlowNode for query | This prompt construction depends on a $@. | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
| langchain_test.py:50:30:50:34 | ControlFlowNode for query | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | langchain_test.py:50:30:50:34 | ControlFlowNode for query | This prompt construction depends on a $@. | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
| langchain_test.py:61:28:61:32 | ControlFlowNode for query | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | langchain_test.py:61:28:61:32 | ControlFlowNode for query | This prompt construction depends on a $@. | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
| langchain_test.py:62:15:62:19 | ControlFlowNode for query | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | langchain_test.py:62:15:62:19 | ControlFlowNode for query | This prompt construction depends on a $@. | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
| langchain_test.py:65:31:65:35 | ControlFlowNode for query | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | langchain_test.py:65:31:65:35 | ControlFlowNode for query | This prompt construction depends on a $@. | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
| langchain_test.py:68:60:68:64 | ControlFlowNode for query | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | langchain_test.py:68:60:68:64 | ControlFlowNode for query | This prompt construction depends on a $@. | langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
| openai_test.py:16:15:16:19 | ControlFlowNode for query | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openai_test.py:16:15:16:19 | ControlFlowNode for query | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
| openai_test.py:20:15:29:9 | ControlFlowNode for List | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openai_test.py:20:15:29:9 | ControlFlowNode for List | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
| openai_test.py:27:28:27:32 | ControlFlowNode for query | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openai_test.py:27:28:27:32 | ControlFlowNode for query | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
@@ -20,13 +37,13 @@
edges
| agent_test.py:2:26:2:32 | ControlFlowNode for ImportMember | agent_test.py:2:26:2:32 | ControlFlowNode for request | provenance | |
| agent_test.py:2:26:2:32 | ControlFlowNode for request | agent_test.py:9:13:9:19 | ControlFlowNode for request | provenance | |
| agent_test.py:9:5:9:9 | ControlFlowNode for query | agent_test.py:13:38:13:42 | ControlFlowNode for query | provenance | Sink:MaD:9 |
| agent_test.py:9:5:9:9 | ControlFlowNode for query | agent_test.py:13:38:13:42 | ControlFlowNode for query | provenance | Sink:MaD:17 |
| agent_test.py:9:5:9:9 | ControlFlowNode for query | agent_test.py:20:28:20:32 | ControlFlowNode for query | provenance | |
| agent_test.py:9:5:9:9 | ControlFlowNode for query | agent_test.py:20:28:20:32 | ControlFlowNode for query | provenance | |
| agent_test.py:9:13:9:19 | ControlFlowNode for request | agent_test.py:9:13:9:24 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
| agent_test.py:9:13:9:24 | ControlFlowNode for Attribute | agent_test.py:9:13:9:37 | ControlFlowNode for Attribute() | provenance | dict.get |
| agent_test.py:9:13:9:37 | ControlFlowNode for Attribute() | agent_test.py:9:5:9:9 | ControlFlowNode for query | provenance | |
| agent_test.py:18:13:21:13 | ControlFlowNode for Dict [Dictionary element at key content] | agent_test.py:17:15:22:9 | ControlFlowNode for List | provenance | Sink:MaD:10 Sink:MaD:10 |
| agent_test.py:18:13:21:13 | ControlFlowNode for Dict [Dictionary element at key content] | agent_test.py:17:15:22:9 | ControlFlowNode for List | provenance | Sink:MaD:18 Sink:MaD:18 |
| agent_test.py:20:28:20:32 | ControlFlowNode for query | agent_test.py:18:13:21:13 | ControlFlowNode for Dict [Dictionary element at key content] | provenance | |
| anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | anthropic_test.py:2:26:2:32 | ControlFlowNode for request | provenance | |
| anthropic_test.py:2:26:2:32 | ControlFlowNode for request | anthropic_test.py:10:15:10:21 | ControlFlowNode for request | provenance | |
@@ -37,12 +54,52 @@ edges
| anthropic_test.py:11:13:11:19 | ControlFlowNode for request | anthropic_test.py:11:13:11:24 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
| anthropic_test.py:11:13:11:24 | ControlFlowNode for Attribute | anthropic_test.py:11:13:11:37 | ControlFlowNode for Attribute() | provenance | dict.get |
| anthropic_test.py:11:13:11:37 | ControlFlowNode for Attribute() | anthropic_test.py:11:5:11:9 | ControlFlowNode for query | provenance | |
| gemini_test.py:3:26:3:32 | ControlFlowNode for ImportMember | gemini_test.py:3:26:3:32 | ControlFlowNode for request | provenance | |
| gemini_test.py:3:26:3:32 | ControlFlowNode for request | gemini_test.py:11:13:11:19 | ControlFlowNode for request | provenance | |
| gemini_test.py:11:5:11:9 | ControlFlowNode for query | gemini_test.py:15:18:15:22 | ControlFlowNode for query | provenance | Sink:MaD:3 |
| gemini_test.py:11:5:11:9 | ControlFlowNode for query | gemini_test.py:25:33:25:37 | ControlFlowNode for query | provenance | |
| gemini_test.py:11:5:11:9 | ControlFlowNode for query | gemini_test.py:25:33:25:37 | ControlFlowNode for query | provenance | |
| gemini_test.py:11:5:11:9 | ControlFlowNode for query | gemini_test.py:33:35:33:58 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:2 |
| gemini_test.py:11:5:11:9 | ControlFlowNode for query | gemini_test.py:37:16:37:20 | ControlFlowNode for query | provenance | Sink:MaD:4 |
| gemini_test.py:11:5:11:9 | ControlFlowNode for query | gemini_test.py:43:22:43:26 | ControlFlowNode for query | provenance | Sink:MaD:19 |
| gemini_test.py:11:13:11:19 | ControlFlowNode for request | gemini_test.py:11:13:11:24 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
| gemini_test.py:11:13:11:24 | ControlFlowNode for Attribute | gemini_test.py:11:13:11:37 | ControlFlowNode for Attribute() | provenance | dict.get |
| gemini_test.py:11:13:11:37 | ControlFlowNode for Attribute() | gemini_test.py:11:5:11:9 | ControlFlowNode for query | provenance | |
| gemini_test.py:21:13:28:13 | ControlFlowNode for Dict [Dictionary element at key parts, List element, Dictionary element at key text] | gemini_test.py:20:18:29:9 | ControlFlowNode for List | provenance | Sink:MaD:3 Sink:MaD:3 |
| gemini_test.py:21:13:28:13 | ControlFlowNode for Dict [Dictionary element at key parts, List element, Dictionary element at key text] | gemini_test.py:20:18:29:9 | ControlFlowNode for List | provenance | Sink:MaD:3 Sink:MaD:3 Sink:MaD:3 |
| gemini_test.py:21:13:28:13 | ControlFlowNode for Dict [Dictionary element at key parts, List element, Dictionary element at key text] | gemini_test.py:20:18:29:9 | ControlFlowNode for List | provenance | Sink:MaD:3 Sink:MaD:3 Sink:MaD:3 Sink:MaD:3 |
| gemini_test.py:23:26:27:17 | ControlFlowNode for List [List element, Dictionary element at key text] | gemini_test.py:21:13:28:13 | ControlFlowNode for Dict [Dictionary element at key parts, List element, Dictionary element at key text] | provenance | |
| gemini_test.py:24:21:26:21 | ControlFlowNode for Dict [Dictionary element at key text] | gemini_test.py:23:26:27:17 | ControlFlowNode for List [List element, Dictionary element at key text] | provenance | |
| gemini_test.py:25:33:25:37 | ControlFlowNode for query | gemini_test.py:24:21:26:21 | ControlFlowNode for Dict [Dictionary element at key text] | provenance | |
| langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | langchain_test.py:3:26:3:32 | ControlFlowNode for request | provenance | |
| langchain_test.py:3:26:3:32 | ControlFlowNode for request | langchain_test.py:10:13:10:19 | ControlFlowNode for request | provenance | |
| langchain_test.py:10:5:10:9 | ControlFlowNode for query | langchain_test.py:21:28:21:51 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:2 |
| langchain_test.py:3:26:3:32 | ControlFlowNode for request | langchain_test.py:32:13:32:19 | ControlFlowNode for request | provenance | |
| langchain_test.py:3:26:3:32 | ControlFlowNode for request | langchain_test.py:47:13:47:19 | ControlFlowNode for request | provenance | |
| langchain_test.py:3:26:3:32 | ControlFlowNode for request | langchain_test.py:58:13:58:19 | ControlFlowNode for request | provenance | |
| langchain_test.py:10:5:10:9 | ControlFlowNode for query | langchain_test.py:17:34:17:38 | ControlFlowNode for query | provenance | Sink:MaD:20 |
| langchain_test.py:10:5:10:9 | ControlFlowNode for query | langchain_test.py:21:28:21:51 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:8 |
| langchain_test.py:10:13:10:19 | ControlFlowNode for request | langchain_test.py:10:13:10:24 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
| langchain_test.py:10:13:10:24 | ControlFlowNode for Attribute | langchain_test.py:10:13:10:37 | ControlFlowNode for Attribute() | provenance | dict.get |
| langchain_test.py:10:13:10:37 | ControlFlowNode for Attribute() | langchain_test.py:10:5:10:9 | ControlFlowNode for query | provenance | |
| langchain_test.py:32:5:32:9 | ControlFlowNode for query | langchain_test.py:34:28:34:32 | ControlFlowNode for query | provenance | Sink:MaD:8 |
| langchain_test.py:32:5:32:9 | ControlFlowNode for query | langchain_test.py:35:27:35:31 | ControlFlowNode for query | provenance | Sink:MaD:8 |
| langchain_test.py:32:5:32:9 | ControlFlowNode for query | langchain_test.py:36:22:36:26 | ControlFlowNode for query | provenance | Sink:MaD:8 |
| langchain_test.py:32:5:32:9 | ControlFlowNode for query | langchain_test.py:37:39:37:43 | ControlFlowNode for query | provenance | Sink:MaD:8 |
| langchain_test.py:32:5:32:9 | ControlFlowNode for query | langchain_test.py:40:22:40:26 | ControlFlowNode for query | provenance | Sink:MaD:7 |
| langchain_test.py:32:13:32:19 | ControlFlowNode for request | langchain_test.py:32:13:32:24 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
| langchain_test.py:32:13:32:24 | ControlFlowNode for Attribute | langchain_test.py:32:13:32:37 | ControlFlowNode for Attribute() | provenance | dict.get |
| langchain_test.py:32:13:32:37 | ControlFlowNode for Attribute() | langchain_test.py:32:5:32:9 | ControlFlowNode for query | provenance | |
| langchain_test.py:47:5:47:9 | ControlFlowNode for query | langchain_test.py:50:30:50:34 | ControlFlowNode for query | provenance | Sink:MaD:21 |
| langchain_test.py:47:13:47:19 | ControlFlowNode for request | langchain_test.py:47:13:47:24 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
| langchain_test.py:47:13:47:24 | ControlFlowNode for Attribute | langchain_test.py:47:13:47:37 | ControlFlowNode for Attribute() | provenance | dict.get |
| langchain_test.py:47:13:47:37 | ControlFlowNode for Attribute() | langchain_test.py:47:5:47:9 | ControlFlowNode for query | provenance | |
| langchain_test.py:58:5:58:9 | ControlFlowNode for query | langchain_test.py:61:28:61:32 | ControlFlowNode for query | provenance | Sink:MaD:9 |
| langchain_test.py:58:5:58:9 | ControlFlowNode for query | langchain_test.py:62:15:62:19 | ControlFlowNode for query | provenance | Sink:MaD:10 |
| langchain_test.py:58:5:58:9 | ControlFlowNode for query | langchain_test.py:65:31:65:35 | ControlFlowNode for query | provenance | Sink:MaD:6 |
| langchain_test.py:58:5:58:9 | ControlFlowNode for query | langchain_test.py:68:60:68:64 | ControlFlowNode for query | provenance | Sink:MaD:5 |
| langchain_test.py:58:13:58:19 | ControlFlowNode for request | langchain_test.py:58:13:58:24 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
| langchain_test.py:58:13:58:24 | ControlFlowNode for Attribute | langchain_test.py:58:13:58:37 | ControlFlowNode for Attribute() | provenance | dict.get |
| langchain_test.py:58:13:58:37 | ControlFlowNode for Attribute() | langchain_test.py:58:5:58:9 | ControlFlowNode for query | provenance | |
| openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openai_test.py:2:26:2:32 | ControlFlowNode for request | provenance | |
| openai_test.py:2:26:2:32 | ControlFlowNode for request | openai_test.py:10:15:10:21 | ControlFlowNode for request | provenance | |
| openai_test.py:2:26:2:32 | ControlFlowNode for request | openai_test.py:11:13:11:19 | ControlFlowNode for request | provenance | |
@@ -51,41 +108,52 @@ edges
| openai_test.py:10:15:10:21 | ControlFlowNode for request | openai_test.py:11:13:11:24 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
| openai_test.py:10:15:10:26 | ControlFlowNode for Attribute | openai_test.py:10:15:10:41 | ControlFlowNode for Attribute() | provenance | dict.get |
| openai_test.py:10:15:10:41 | ControlFlowNode for Attribute() | openai_test.py:10:5:10:11 | ControlFlowNode for persona | provenance | |
| openai_test.py:11:5:11:9 | ControlFlowNode for query | openai_test.py:16:15:16:19 | ControlFlowNode for query | provenance | Sink:MaD:5 |
| openai_test.py:11:5:11:9 | ControlFlowNode for query | openai_test.py:16:15:16:19 | ControlFlowNode for query | provenance | Sink:MaD:13 |
| openai_test.py:11:5:11:9 | ControlFlowNode for query | openai_test.py:27:28:27:32 | ControlFlowNode for query | provenance | |
| openai_test.py:11:5:11:9 | ControlFlowNode for query | openai_test.py:27:28:27:32 | ControlFlowNode for query | provenance | |
| openai_test.py:11:5:11:9 | ControlFlowNode for query | openai_test.py:40:28:40:32 | ControlFlowNode for query | provenance | |
| openai_test.py:11:5:11:9 | ControlFlowNode for query | openai_test.py:44:28:44:32 | ControlFlowNode for query | provenance | |
| openai_test.py:11:5:11:9 | ControlFlowNode for query | openai_test.py:51:16:51:36 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:3 |
| openai_test.py:11:5:11:9 | ControlFlowNode for query | openai_test.py:55:16:55:38 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:4 |
| openai_test.py:11:5:11:9 | ControlFlowNode for query | openai_test.py:60:16:60:36 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:6 |
| openai_test.py:11:5:11:9 | ControlFlowNode for query | openai_test.py:51:16:51:36 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:11 |
| openai_test.py:11:5:11:9 | ControlFlowNode for query | openai_test.py:55:16:55:38 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:12 |
| openai_test.py:11:5:11:9 | ControlFlowNode for query | openai_test.py:60:16:60:36 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:14 |
| openai_test.py:11:5:11:9 | ControlFlowNode for query | openai_test.py:66:17:66:43 | ControlFlowNode for BinaryExpr | provenance | |
| openai_test.py:11:13:11:19 | ControlFlowNode for request | openai_test.py:11:13:11:24 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
| openai_test.py:11:13:11:24 | ControlFlowNode for Attribute | openai_test.py:11:13:11:37 | ControlFlowNode for Attribute() | provenance | dict.get |
| openai_test.py:11:13:11:37 | ControlFlowNode for Attribute() | openai_test.py:11:5:11:9 | ControlFlowNode for query | provenance | |
| openai_test.py:21:13:24:13 | ControlFlowNode for Dict [Dictionary element at key content] | openai_test.py:20:15:29:9 | ControlFlowNode for List | provenance | Sink:MaD:5 Sink:MaD:5 |
| openai_test.py:21:13:24:13 | ControlFlowNode for Dict [Dictionary element at key content] | openai_test.py:20:15:29:9 | ControlFlowNode for List | provenance | Sink:MaD:13 Sink:MaD:13 |
| openai_test.py:23:28:23:51 | ControlFlowNode for BinaryExpr | openai_test.py:21:13:24:13 | ControlFlowNode for Dict [Dictionary element at key content] | provenance | |
| openai_test.py:25:13:28:13 | ControlFlowNode for Dict [Dictionary element at key content] | openai_test.py:20:15:29:9 | ControlFlowNode for List | provenance | Sink:MaD:5 Sink:MaD:5 |
| openai_test.py:25:13:28:13 | ControlFlowNode for Dict [Dictionary element at key content] | openai_test.py:20:15:29:9 | ControlFlowNode for List | provenance | Sink:MaD:13 Sink:MaD:13 |
| openai_test.py:27:28:27:32 | ControlFlowNode for query | openai_test.py:25:13:28:13 | ControlFlowNode for Dict [Dictionary element at key content] | provenance | |
| openrouter_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openrouter_test.py:2:26:2:32 | ControlFlowNode for request | provenance | |
| openrouter_test.py:2:26:2:32 | ControlFlowNode for request | openrouter_test.py:10:13:10:19 | ControlFlowNode for request | provenance | |
| openrouter_test.py:10:5:10:9 | ControlFlowNode for query | openrouter_test.py:21:28:21:32 | ControlFlowNode for query | provenance | |
| openrouter_test.py:10:5:10:9 | ControlFlowNode for query | openrouter_test.py:29:15:29:19 | ControlFlowNode for query | provenance | Sink:MaD:8 |
| openrouter_test.py:10:5:10:9 | ControlFlowNode for query | openrouter_test.py:34:15:34:19 | ControlFlowNode for query | provenance | Sink:MaD:7 |
| openrouter_test.py:10:5:10:9 | ControlFlowNode for query | openrouter_test.py:29:15:29:19 | ControlFlowNode for query | provenance | Sink:MaD:16 |
| openrouter_test.py:10:5:10:9 | ControlFlowNode for query | openrouter_test.py:34:15:34:19 | ControlFlowNode for query | provenance | Sink:MaD:15 |
| openrouter_test.py:10:13:10:19 | ControlFlowNode for request | openrouter_test.py:10:13:10:24 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
| openrouter_test.py:10:13:10:24 | ControlFlowNode for Attribute | openrouter_test.py:10:13:10:37 | ControlFlowNode for Attribute() | provenance | dict.get |
| openrouter_test.py:10:13:10:37 | ControlFlowNode for Attribute() | openrouter_test.py:10:5:10:9 | ControlFlowNode for query | provenance | |
models
| 1 | Sink: Anthropic; Member[completions].Member[create].Argument[prompt:]; user-prompt-injection |
| 2 | Sink: LangChainChatModel; Member[invoke,stream,predict,call].Argument[0]; user-prompt-injection |
| 3 | Sink: OpenAI; Member[completions].Member[create].Argument[prompt:]; user-prompt-injection |
| 4 | Sink: OpenAI; Member[images].Member[generate,edit].Argument[prompt:]; user-prompt-injection |
| 5 | Sink: OpenAI; Member[responses].Member[create].Argument[input:]; user-prompt-injection |
| 6 | Sink: OpenAI; Member[videos].Member[create,create_and_poll,edit,remix,extend].Argument[prompt:]; user-prompt-injection |
| 7 | Sink: OpenRouter; Member[embeddings].Member[generate].Argument[input:]; user-prompt-injection |
| 8 | Sink: OpenRouter; Member[responses].Member[send].Argument[input:]; user-prompt-injection |
| 9 | Sink: agents; Member[Runner].Member[run,run_sync,run_streamed].Argument[1]; user-prompt-injection |
| 10 | Sink: agents; Member[Runner].Member[run,run_sync,run_streamed].Argument[input:]; user-prompt-injection |
| 2 | Sink: GoogleGenAI; Member[chats].Member[create].ReturnValue.Member[send_message,send_message_stream].Argument[0]; user-prompt-injection |
| 3 | Sink: GoogleGenAI; Member[models].Member[generate_content,generate_content_stream].Argument[contents:]; user-prompt-injection |
| 4 | Sink: GoogleGenAI; Member[models].Member[generate_images,generate_videos,edit_image].Argument[prompt:]; user-prompt-injection |
| 5 | Sink: LangChainAgent; Member[invoke,stream].Argument[0].DictionaryElement[messages].ListElement.DictionaryElement[content]; user-prompt-injection |
| 6 | Sink: LangChainAgentExecutor; Member[invoke].Argument[0].DictionaryElement[input]; user-prompt-injection |
| 7 | Sink: LangChainChatModel; Member[generate].Argument[0].ListElement.ListElement; user-prompt-injection |
| 8 | Sink: LangChainChatModel; Member[invoke,stream,predict,call].Argument[0]; user-prompt-injection |
| 9 | Sink: LangChainLLMChain; Member[invoke].Argument[0].DictionaryElement[input]; user-prompt-injection |
| 10 | Sink: LangChainLLMChain; Member[run].Argument[0]; user-prompt-injection |
| 11 | Sink: OpenAI; Member[completions].Member[create].Argument[prompt:]; user-prompt-injection |
| 12 | Sink: OpenAI; Member[images].Member[generate,edit].Argument[prompt:]; user-prompt-injection |
| 13 | Sink: OpenAI; Member[responses].Member[create].Argument[input:]; user-prompt-injection |
| 14 | Sink: OpenAI; Member[videos].Member[create,create_and_poll,edit,remix,extend].Argument[prompt:]; user-prompt-injection |
| 15 | Sink: OpenRouter; Member[embeddings].Member[generate].Argument[input:]; user-prompt-injection |
| 16 | Sink: OpenRouter; Member[responses].Member[send].Argument[input:]; user-prompt-injection |
| 17 | Sink: agents; Member[Runner].Member[run,run_sync,run_streamed].Argument[1]; user-prompt-injection |
| 18 | Sink: agents; Member[Runner].Member[run,run_sync,run_streamed].Argument[input:]; user-prompt-injection |
| 19 | Sink: google; Member[genai].Member[types].Member[CreateCachedContentConfig].Argument[contents:]; user-prompt-injection |
| 20 | Sink: langchain_core; Member[messages].Member[HumanMessage].Argument[content:]; user-prompt-injection |
| 21 | Sink: langchain_core; Member[prompts].Member[PromptTemplate].Instance.Member[format].Argument[any-named]; user-prompt-injection |
nodes
| agent_test.py:2:26:2:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
| agent_test.py:2:26:2:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
@@ -107,13 +175,52 @@ nodes
| anthropic_test.py:11:13:11:37 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| anthropic_test.py:20:28:20:32 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
| anthropic_test.py:29:16:29:55 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
| gemini_test.py:3:26:3:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
| gemini_test.py:3:26:3:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| gemini_test.py:11:5:11:9 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
| gemini_test.py:11:13:11:19 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| gemini_test.py:11:13:11:24 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| gemini_test.py:11:13:11:37 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| gemini_test.py:15:18:15:22 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
| gemini_test.py:20:18:29:9 | ControlFlowNode for List | semmle.label | ControlFlowNode for List |
| gemini_test.py:21:13:28:13 | ControlFlowNode for Dict [Dictionary element at key parts, List element, Dictionary element at key text] | semmle.label | ControlFlowNode for Dict [Dictionary element at key parts, List element, Dictionary element at key text] |
| gemini_test.py:23:26:27:17 | ControlFlowNode for List [List element, Dictionary element at key text] | semmle.label | ControlFlowNode for List [List element, Dictionary element at key text] |
| gemini_test.py:24:21:26:21 | ControlFlowNode for Dict [Dictionary element at key text] | semmle.label | ControlFlowNode for Dict [Dictionary element at key text] |
| gemini_test.py:25:33:25:37 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
| gemini_test.py:25:33:25:37 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
| gemini_test.py:33:35:33:58 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
| gemini_test.py:37:16:37:20 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
| gemini_test.py:43:22:43:26 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
| langchain_test.py:3:26:3:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
| langchain_test.py:3:26:3:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| langchain_test.py:10:5:10:9 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
| langchain_test.py:10:13:10:19 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| langchain_test.py:10:13:10:24 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| langchain_test.py:10:13:10:37 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| langchain_test.py:17:34:17:38 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
| langchain_test.py:21:28:21:51 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
| langchain_test.py:32:5:32:9 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
| langchain_test.py:32:13:32:19 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| langchain_test.py:32:13:32:24 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| langchain_test.py:32:13:32:37 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| langchain_test.py:34:28:34:32 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
| langchain_test.py:35:27:35:31 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
| langchain_test.py:36:22:36:26 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
| langchain_test.py:37:39:37:43 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
| langchain_test.py:40:22:40:26 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
| langchain_test.py:47:5:47:9 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
| langchain_test.py:47:13:47:19 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| langchain_test.py:47:13:47:24 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| langchain_test.py:47:13:47:37 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| langchain_test.py:50:30:50:34 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
| langchain_test.py:58:5:58:9 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
| langchain_test.py:58:13:58:19 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| langchain_test.py:58:13:58:24 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| langchain_test.py:58:13:58:37 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| langchain_test.py:61:28:61:32 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
| langchain_test.py:62:15:62:19 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
| langchain_test.py:65:31:65:35 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
| langchain_test.py:68:60:68:64 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
| openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
| openai_test.py:2:26:2:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| openai_test.py:10:5:10:11 | ControlFlowNode for persona | semmle.label | ControlFlowNode for persona |
@@ -149,11 +256,5 @@ nodes
subpaths
testFailures
| agent_test.py:17:15:22:9 | ControlFlowNode for List | Unexpected result: Alert |
| gemini_test.py:3:35:3:44 | Comment # $ Source | Missing result: Source |
| gemini_test.py:15:26:15:60 | Comment # $ Alert[py/user-prompt-injection] | Missing result: Alert[py/user-prompt-injection] |
| gemini_test.py:25:40:25:74 | Comment # $ Alert[py/user-prompt-injection] | Missing result: Alert[py/user-prompt-injection] |
| gemini_test.py:33:62:33:96 | Comment # $ Alert[py/user-prompt-injection] | Missing result: Alert[py/user-prompt-injection] |
| gemini_test.py:37:24:37:58 | Comment # $ Alert[py/user-prompt-injection] | Missing result: Alert[py/user-prompt-injection] |
| gemini_test.py:43:30:43:64 | Comment # $ Alert[py/user-prompt-injection] | Missing result: Alert[py/user-prompt-injection] |
| langchain_test.py:17:43:17:77 | Comment # $ Alert[py/user-prompt-injection] | Missing result: Alert[py/user-prompt-injection] |
| gemini_test.py:20:18:29:9 | ControlFlowNode for List | Unexpected result: Alert |
| openai_test.py:20:15:29:9 | ControlFlowNode for List | Unexpected result: Alert |

View File

@@ -20,3 +20,49 @@ def get_input_langchain():
result2 = model.invoke("Tell me about " + query) # $ Alert[py/user-prompt-injection]
print(result1, result2)
@app.route("/langchain-providers")
def get_input_langchain_providers():
from langchain_fireworks import ChatFireworks
from langchain_together import ChatTogether
from langchain_xai import ChatXAI
from langchain.chat_models import init_chat_model
query = request.args.get("query")
ChatFireworks().invoke(query) # $ Alert[py/user-prompt-injection]
ChatTogether().invoke(query) # $ Alert[py/user-prompt-injection]
ChatXAI().invoke(query) # $ Alert[py/user-prompt-injection]
init_chat_model("gpt-4.1").invoke(query) # $ Alert[py/user-prompt-injection]
model = ChatOpenAI(model="gpt-4.1")
model.generate([[query]]) # $ Alert[py/user-prompt-injection]
@app.route("/langchain-prompts")
def get_input_langchain_prompts():
from langchain_core.prompts import PromptTemplate
query = request.args.get("query")
template = PromptTemplate(template="Answer: {question}", input_variables=["question"])
template.format(question=query) # $ Alert[py/user-prompt-injection]
@app.route("/langchain-chains")
def get_input_langchain_chains():
from langchain.chains import LLMChain
from langchain.agents import AgentExecutor, create_agent
query = request.args.get("query")
chain = LLMChain()
chain.invoke({"input": query}) # $ Alert[py/user-prompt-injection]
chain.run(query) # $ Alert[py/user-prompt-injection]
executor = AgentExecutor()
executor.invoke({"input": query}) # $ Alert[py/user-prompt-injection]
agent = create_agent("gpt-4.1")
agent.invoke({"messages": [{"role": "user", "content": query}]}) # $ Alert[py/user-prompt-injection]