Files
codeql/javascript/ql/test/Security/CWE-1427/SystemPromptInjection/langchain_test.js
Sotiris Dragonas c444f41a3f 1. Enable inline expectations for tests
2. Add annotations for sources
2. Fix a modelling issue in the openai library - missing coverage for a legacy method when moving to MaDs and a mistake in the assistants.create models
2026-06-17 14:53:48 +03:00

51 lines
1.7 KiB
JavaScript

const express = require("express");
const { ChatOpenAI } = require("@langchain/openai");
const { HumanMessage, SystemMessage } = require("@langchain/core/messages");
const { createAgent } = require("langchain");
const app = express();
app.get("/test", async (req, res) => {
const persona = req.query.persona; // $ Source
const query = req.query.query;
const chatModel = new ChatOpenAI({ model: "gpt-4" });
// === SystemMessage (SHOULD ALERT) ===
const sysMsg1 = new SystemMessage("Talk like a " + persona); // $ Alert[js/system-prompt-injection]
const sysMsg2 = new SystemMessage({
content: "Talk like a " + persona, // $ Alert[js/system-prompt-injection]
});
// === createAgent with systemPrompt (SHOULD ALERT) ===
const agent = createAgent({
systemPrompt: "Talk like a " + persona, // $ Alert[js/system-prompt-injection]
});
// === Barrier test: user role content in shared array (SHOULD NOT ALERT) ===
// When user input goes into a HumanMessage alongside a SystemMessage,
// the system prompt query should NOT alert on the HumanMessage content.
await chatModel.invoke([
new SystemMessage("You are a helpful assistant"),
new HumanMessage({ role: "user", content: query }), // OK - user role content is not a system prompt
]);
// Same pattern with raw message objects passed to invoke
await chatModel.invoke([
{ role: "system", content: "You are a helpful assistant" },
{ role: "user", content: query }, // OK - user role content blocked by barrier
]);
// === Constant comparison sanitizer (SHOULD NOT ALERT) ===
if (persona === "pirate") {
const sysMsg3 = new SystemMessage("Talk like a " + persona); // OK - sanitized
}
res.send("done");
});