Add run from agents into the user prompt and fix an issue with classifying it as a system prompt injection

2026-06-12 16:31:10 +02:00 · 2026-05-15 12:39:54 +02:00
parent 535adc7a31
commit fe7eabd56f
5 changed files with 107 additions and 41 deletions
--- a/javascript/ql/src/experimental/semmle/javascript/frameworks/OpenAI.qll
+++ b/javascript/ql/src/experimental/semmle/javascript/frameworks/OpenAI.qll
@@ -242,6 +242,23 @@ module AgentSDK {
    )
  }

+  /**
+   * Gets user prompt sinks for run(agent, input).
+   * Covers string input and user-role array messages.
+   */
+  API::Node getUserPromptNode() {
+    // run(agent, "string") — string input is the user prompt
+    result = run().getParameter(1)
+    or
+    // run(agent, [{ role: "user", content: ... }])
+    exists(API::Node msg |
+      msg = run().getParameter(1).getArrayElement() and
+      not isSystemOrDevMessage(msg)
+    |
+      result = msg.getMember("content")
+    )
+  }
+
  /**
   * Gets an agent constructor config that visibly lacks input guardrails.
   * Covers both native Agent({ inputGuardrails: [...] }) and
--- a/javascript/ql/src/experimental/semmle/javascript/security/PromptInjection/UserPromptInjectionCustomizations.qll
+++ b/javascript/ql/src/experimental/semmle/javascript/security/PromptInjection/UserPromptInjectionCustomizations.qll
@@ -63,6 +63,8 @@ module UserPromptInjection {
      this = Anthropic::getUserPromptNode().asSink()
      or
      this = GoogleGenAI::getUserPromptNode().asSink()
+      or
+      this = AgentSDK::getUserPromptNode().asSink()
    }
  }