python: Add query for prompt injection

This pull request introduces a new CodeQL query for detecting prompt injection vulnerabilities in Python code targeting AI prompting APIs such as agents and openai. The changes include a new experimental query, new taint flow and type models, a customizable dataflow configuration, documentation, and comprehensive test coverage.
This commit is contained in:
yoff
2026-01-29 23:47:52 +01:00
parent 34800d1519
commit e7a0fc7140
17 changed files with 519 additions and 1 deletions

@@ -46,7 +46,9 @@ module KindValidation<KindValidationConfigSig Config> {
// Go-only currently, but may be shared in the future
"jwt",
// CPP-only currently
"remote-sink"
"remote-sink",
// Python-only currently, but may be shared in the future
"prompt-injection"
]
or
this.matches([
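
Review bot: the comment on the new "prompt-injection" entry only says "Python-only currently, but may be shared in the future", while the commit message describes the query behind it as experimental. This list sits in the KindValidation module next to entries marked Go-only and CPP-only, so it is evidently shared across languages, and a kind name accepted here is awkward to rename once models start using it. Suggest noting in the comment that the kind is consumed by an experimental Python query, and confirming that "prompt-injection" is the name other languages are expected to adopt before it is added to the validated set.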