codeql/ext at 34da804aee29d3c7a8d4ed248b04f2e868e26d30 - codeql - Gitea: Git with a cup of tea

hohn/codeql

mirror of https://github.com/github/codeql.git synced 2026-05-14 11:19:27 +02:00

Files

History

BazookaMusic 34da804aee Move structurally typed prompt injection sinks to Models as Data

Move OpenAI, Anthropic, Google GenAI, and LangChain sinks that are
structurally typed (identified by API name alone) into MaD YAML files.

Role-filtered sinks that require inspecting a sibling 'role' property
remain in QL code since MaD cannot express conditional logic.

Use two distinct sink kinds:
- user-prompt-injection: picked up by UserPromptInjection.ql
- system-prompt-injection: picked up by SystemPromptInjection.ql

New files:
- javascript/ql/lib/ext/openai.model.yml
- javascript/ql/lib/ext/anthropic.model.yml
- javascript/ql/lib/ext/google-genai.model.yml
- javascript/ql/lib/ext/langchain.model.yml

2026-05-13 11:08:25 +02:00

..

anthropic.model.yml

Move structurally typed prompt injection sinks to Models as Data

2026-05-13 11:08:25 +02:00

apollo-server.model.yml

Rename cors-misconfiguration to cors-origin.

2025-09-05 11:30:07 +02:00

aws-sdk.model.yml

Renamed AWS-V3-Common to @aws-sdk/client.Client

2025-09-17 10:21:29 +02:00

axios.model.yml

Update javascript/ql/lib/ext/axios.model.yml

2025-03-25 10:56:01 +01:00

call-me-maybe.model.yml

JS: Add modeling for call-me-maybe

2025-09-15 17:15:31 +02:00

cors.model.yml

Rename cors-misconfiguration to cors-origin.

2025-09-05 11:30:07 +02:00

default-threat-models-fixup.model.yml

JS: Remove 'response' from default threat-models

2024-10-25 14:52:49 +02:00

google-genai.model.yml

Move structurally typed prompt injection sinks to Models as Data

2026-05-13 11:08:25 +02:00

graph-ql.model.yml

JS: Model GraphQLObjectType resolve params as sources

2025-09-19 14:39:36 +02:00

hana-db-client.model.yml

Added sources from hana db as MaD.

2025-03-28 14:55:17 +01:00

langchain.model.yml

Move structurally typed prompt injection sinks to Models as Data

2026-05-13 11:08:25 +02:00

make-dir.model.yml

Added make-dir model as data

2025-04-09 14:42:29 +02:00

markdown-table.model.yml

Refactor Markdown taint steps and update expected results for reflected XSS tests

2025-03-10 19:27:36 +01:00

mkdirp.model.yml

Removed old mkdirp modeling and replaced it with MaD.

2025-04-03 10:45:16 +02:00

open.model.yml

Added open package model as data.

2025-04-08 08:12:30 +02:00

openai.model.yml

Move structurally typed prompt injection sinks to Models as Data

2026-05-13 11:08:25 +02:00

react-relay-threat.model.yml

Applied changes from comments

2025-03-10 12:24:45 +01:00

react.model.yml

JS: Add model for react 'use'

2025-06-23 15:27:21 +02:00

rimraf.model.yml

Add rimraf model and update tests for path injection vulnerabilities

2025-04-02 12:49:48 +02:00

shelljs.model.yml

Added model for shelljs.env

2025-05-01 11:09:47 +02:00

tanstack.model.yml

JS: Use ArrayElement instead of AnyMember

2025-03-18 09:26:02 +01:00

underscore.string.model.yml

Adressed comments.

2025-03-20 12:37:06 +01:00