Commit Graph

4199 Commits

Author SHA1 Message Date
Sotiris Dragonas
2bee6b845c Merge branch 'bazookamusic/python-prompt-injection' of https://github.com/github/codeql into bazookamusic/python-prompt-injection 2026-07-02 16:12:33 +02:00
Sotiris Dragonas
2eb2d623a6 Add proper coverage of tools 2026-07-02 15:59:39 +02:00
Sotiris Dragonas
27d2a2b16e Fix google genai models 2026-07-02 15:42:18 +02:00
Sotiris Dragonas
4c965e72e5 Merge branch 'main' into bazookamusic/python-prompt-injection 2026-07-02 15:04:51 +03:00
Tom Hvitved
2bf6031c0f Python: Update inline test expectations 2026-07-01 13:10:41 +02:00
Sotiris Dragonas
0abd325944 Python: stabilize XsltInjection test MaD index via PrettyPrintModels
Use the PrettyPrintModels postprocess so the test reports a stable
per-test model index instead of a brittle global MaD number that drifts
when models are added elsewhere.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-29 10:37:58 +03:00
Sotiris Dragonas
4fbb02d4e1 Merge branch 'main' into bazookamusic/python-prompt-injection 2026-06-29 10:30:22 +03:00
yoff
5fcaac7cb2 Merge pull request #21869 from yoff/python/support-flask-subclasses
Python: Support Flask subclasses
2026-06-25 23:42:21 +02:00
Copilot
717ff62d70 Python: deprecate AstNode.getAFlowNode() and rewrite internal callers
Preparatory refactor for the shared-CFG dataflow migration.

Deprecates the AstNode.getAFlowNode() cached predicate on the public
Python QL API and rewrites all ~140 internal callers across lib/, src/,
test/, and tools/ from `expr.getAFlowNode() = cfgNode` to
`cfgNode.getNode() = expr`, using ControlFlowNode.getNode() which
already exists in Flow.qll.

The predicate itself is preserved (with a deprecation note pointing at
the new pattern) so external users do not experience churn — they can
migrate at their own pace and the AST/CFG hierarchies still get the
intended untangling once the deprecation eventually elapses.

Semantic noop verified by:
- All 361 lib/ + src/ queries compile clean.
- All 122 ControlFlow + PointsTo library-tests pass.
- All 64 dataflow library-tests pass.
- All 113 Variables/Exceptions/Expressions/Statements/Functions/Imports/
  Security/CWE-798/ModificationOfParameterWithDefault query-tests pass.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-22 14:55:19 +02:00
Owen Mansel-Chan
c9d45217d2 Fix order of comments in test 2026-06-19 13:23:52 +01:00
Owen Mansel-Chan
451fc2e4e7 Undo conversion for queries that import LegacyPointsTo 2026-06-19 12:22:42 +01:00
Owen Mansel-Chan
5497f2c5fe Convert Python qlref tests to inline expectations 2026-06-19 12:22:40 +01:00
Sotiris Dragonas
018ba92b1e Add additional Python prompt-injection sinks for uncovered SDK methods
Cover prompt-carrying public API methods that were missing from the
framework models:

- OpenAI: videos.create/create_and_poll/edit/remix/extend (Sora, user),
  beta.realtime.sessions.create instructions (system), and role-filtered
  beta.threads.messages.create content (Assistants API).
- Anthropic: legacy completions.create prompt (user).
- agents: Agent.as_tool tool_description (system).
- Google GenAI: caches.create CreateCachedContentConfig system_instruction
  (system) and contents (user).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-18 17:02:14 +03:00
Sotiris Dragonas
8e5f214041 Fix OpenRouter Python API and expand model coverage
Verified all prompt-injection framework models against the real Python
SDK sources:

- OpenRouter: the official openrouter SDK uses client.chat.send(messages=)
  (not chat.completions.create), client.embeddings.generate(input=) (not
  embeddings.create), and client.responses.send(input=, instructions=).
  Corrected the framework qll and model, and fixed the test files that
  used the wrong API.
- Anthropic: added the managed-agents system prompt sink
  (beta.agents.create/update Argument[system:]).
- Google GenAI: added models.edit_image Argument[prompt:] as user content.

OpenAI, agents and LangChain models were confirmed correct against their
SDK sources.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-18 16:53:37 +03:00
Sotiris Dragonas
72bc52b2fd Python: promote prompt injection queries from experimental to production
Mirror the JavaScript layout from PR #21953:
- Move SystemPromptInjection.ql / UserPromptInjection.ql to src/Security/CWE-1427
- Move customizations, query and framework libs to python/ql/lib
- Move the AIPrompt concept to the production Concepts.qll
- Drop the experimental tag; py/system-prompt-injection (high precision) now
  joins the code-scanning, security-extended and security-and-quality suites,
  while py/user-prompt-injection (low precision) stays out of the default suites
- Move query tests to python/ql/test/query-tests/Security

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-18 16:30:29 +03:00
Sotiris Dragonas
db493ef30a Python: port prompt injection queries (system + user) from JS PR #21953
Replace the experimental py/prompt-injection query with two queries mirroring
the JavaScript split:
- py/system-prompt-injection (system prompt / tool description / developer prompt)
- py/user-prompt-injection (user-role prompt)

Supports OpenAI (+Agents), Anthropic, Google GenAI, LangChain and OpenRouter
via MaD models plus role-filtered framework sinks that MaD cannot express.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-18 13:52:51 +03:00
Owen Mansel-Chan
1f9899d7db Extend added type tracking step to related types 2026-06-17 15:04:53 +01:00
Owen Mansel-Chan
dd61dd2d74 Fix FP for py/modification-of-locals 2026-06-17 14:24:18 +01:00
Owen Mansel-Chan
47c2c9e763 Add test for FP for py/modification-of-locals 2026-06-17 14:22:42 +01:00
Owen Mansel-Chan
415857cacb Fix FP for py/should-use-with 2026-06-17 13:01:36 +01:00
Owen Mansel-Chan
d72144646a Add test for FP for py/should-use-with 2026-06-17 12:55:17 +01:00
Owen Mansel-Chan
199fd864ad Fix FP for py/file-not-closed 2026-06-17 12:36:04 +01:00
Owen Mansel-Chan
890969433f Add test for FP for py/file-not-closed 2026-06-17 12:19:03 +01:00
Owen Mansel-Chan
9c65082189 Fix MISSING alert 2026-06-15 00:14:52 +01:00
Owen Mansel-Chan
434a99447e Add thorough tests, including one MISSING alert 2026-06-12 13:45:02 +01:00
Owen Mansel-Chan
d389ea4039 Convert sql-injection test to inline expectations 2026-06-12 13:44:56 +01:00
Owen Mansel-Chan
befb557bfd Accept fixed MISSING tests 2026-06-11 15:44:20 +02:00
copilot-swe-agent[bot]
73bc2d70ae Model instance-attribute type flow
Use a field level step like JS and Ruby.
2026-06-11 14:48:55 +02:00
copilot-swe-agent[bot]
a4585d8d94 Add test documenting missing PEP249 alerts for connection stored in self attribute 2026-06-11 05:48:40 +00:00
Owen Mansel-Chan
1f91f915c7 Merge pull request #21888 from owen-mc/py/remove-imprecise-container-steps
Python: Remove imprecise container steps #2
2026-06-04 22:16:24 +01:00
Owen Mansel-Chan
b27d08ee32 Update edges in expected test output 2026-06-02 18:29:56 +01:00
Owen Mansel-Chan
20ce679d61 Accept changed edges in test output
No changes to alerts
2026-06-02 16:15:08 +01:00
Owen Mansel-Chan
f62ebef9e0 Adjust expected test output 2026-06-02 16:15:06 +01:00
yoff
f7c4e61956 Apply suggestions from code review
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-06-02 15:12:41 +02:00
yoff
f6ed5c19be Python: fix sub class test 2026-06-02 13:50:31 +02:00
yoff
4298b70f1c Python: add test for sub class 2026-06-02 13:49:25 +02:00
yoff
e88b8c53f3 Python: Add test for instances 2026-06-02 13:49:24 +02:00
Taus
6165623cbf Merge pull request #21724 from github/tausbn/python-add-self-validating-cfg-tests 2026-05-28 22:07:55 +02:00
Taus
35faec3db1 Python: Address review comments
- Get rid of unnecessary parentheses
- Use call syntax in the relevant test
- Get rid of `dead(2)` annotation
2026-05-27 15:27:19 +00:00
Owen Mansel-Chan
ec13e1bcd3 Add wildcard ContentSets to avoid performance problems 2026-05-27 15:28:07 +01:00
Owen Mansel-Chan
e8779295ee Update test results 2026-05-22 11:43:18 +01:00
Rasmus Lerchedahl Petersen
fa758d6bf5 python: fix test 2026-05-21 16:59:19 +01:00
Rasmus Lerchedahl Petersen
fa9426c749 Python: extra tests for comprehension 2026-05-21 16:59:18 +01:00
Rasmus Lerchedahl Petersen
f669a4f3bf Python: Make sure all imprecise taint bubbles up 2026-05-21 16:59:14 +01:00
Rasmus Lerchedahl Petersen
3275c814bd Python: reset test expectations 2026-05-21 16:59:11 +01:00
Rasmus Lerchedahl Petersen
9a180036a5 Python: conversion step for format_map
and adjust collection test
2026-05-21 16:59:08 +01:00
Rasmus Lerchedahl Petersen
93e7ab52b7 Python: adjust test expectations
We now find an alert on this line as we hope to
It is not an alert for _full_ SSRF, though, since that configuration cannot handle multiple substitutions.
2026-05-21 16:58:51 +01:00
Rasmus Lerchedahl Petersen
facb3b681d Python: recover taint for % format strings 2026-05-21 16:57:50 +01:00
Rasmus Lerchedahl Petersen
b67694b2ab Python: Remove imprecise container steps
- remove `tupleStoreStep` and `dictStoreStep` from `containerStep`
   These are imprecise compared to the content being precise.
- add implicit reads to recover taint at sinks
- add implicit read steps for decoders
  to supplement the `AdditionalTaintStep`
  that now only covers when the full container is tainted.
2026-05-21 16:57:44 +01:00
Taus
1ef557c972 Python: Address Copilot's comments 2026-05-12 15:27:14 +00:00