codeql

mirror of https://github.com/github/codeql.git synced 2026-05-14 11:19:27 +02:00

Files

BazookaMusic 0b7133c4ce JS: Add prompt injection detection (CWE-1427) for OpenAI, Anthropic, and Google GenAI SDKs

Add experimental CodeQL query detecting prompt injection vulnerabilities
in JavaScript/TypeScript applications using AI SDK libraries.

Modeled frameworks:
- openai (OpenAI, AzureOpenAI): responses, chat.completions, completions,
  images, embeddings, beta.assistants, beta.threads, audio APIs
- @openai/agents: Agent instructions, handoffDescription, run/Runner.run,
  asTool, tool()
- @anthropic-ai/sdk: messages.create, beta.messages.create,
  beta.agents.create/update
- @google/genai (GoogleGenAI): generateContent, generateContentStream,
  generateImages, editImage, chats, live.connect

Includes role-based filtering (system/developer/assistant/model roles)
and constant-comparison sanitizer guard.

2026-04-30 17:39:09 +02:00

dataflow

Merge pull request #21051 from hvitved/shared/flow-summary-provenance-filtering

2026-01-26 17:24:34 +01:00

dependencies

JS: Deprecate PathExpr and related classes

2025-04-29 13:23:47 +02:00

endpoints

JS: Expose InternalModuleNaming

2024-04-25 13:33:17 +02:00

explore

JS: Deprecate forward/backward exploration modules

2025-01-03 11:41:39 +01:00

filters

JS: More aggressive test file classification

2024-11-19 13:23:32 +01:00

frameworks

Model res.json and res.jsonp as Vercel response sinks

2026-04-28 16:14:53 +00:00

heuristics

JS: Make implicit this receivers explicit

2023-05-03 15:31:00 +02:00

internal

JS: Adapt to changes in FlowSummaryImpl

2026-01-26 12:40:21 +01:00

linters

JS: Make implicit this receivers explicit

2023-05-11 11:50:56 +02:00

meta

JS: Make implicit this receivers explicit

2023-05-11 11:50:56 +02:00

security

JS: Recognize Fastify per-route rate limiting

2026-04-13 11:31:34 +02:00

Actions.qll

JS: Un-deprecate Actions.qll for now as we have some internal queries that use it.

2025-06-23 16:38:04 +02:00

Aliases.qll

…

AMD.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

ApiGraphs.qll

JS: Also track additional use-steps crossing the overlay boundary

2026-01-13 10:54:16 +01:00

Arrays.qll

Merge branch 'main' into js/shared-dataflow-merge-main

2024-12-19 10:14:38 +01:00

AST.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

Base64.qll

JS: Make implicit this receivers explicit

2023-05-03 15:31:00 +02:00

BasicBlocks.qll

JS: Add qldoc to file

2024-10-22 12:46:09 +02:00

CanonicalNames.qll

JS: Deprecate everything that depends on type extraction

2025-06-23 12:55:14 +02:00

CFG.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

CharacterEscapes.qll

…

Classes.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

Closure.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

Collections.qll

Merge branch 'main' into js/shared-dataflow-merge-main

2024-12-19 10:14:38 +01:00

Comments.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

Concepts.qll

JS: Add prompt injection detection (CWE-1427) for OpenAI, Anthropic, and Google GenAI SDKs

2026-04-30 17:39:09 +02:00

Constants.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

DefensiveProgramming.qll

Py/JS/RB: Use instanceof in more places

2022-12-12 16:06:57 +01:00

DefUse.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

DOM.qll

JS: Add overlay[global] to abstract classes with fields

2026-01-07 11:05:41 +01:00

DynamicPropertyAccess.qll

JS: Make implicit this receivers explicit

2023-05-03 15:31:00 +02:00

E4X.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

EmailClients.qll

JS: Make implicit this receivers explicit

2023-05-03 15:31:00 +02:00

Errors.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

ES2015Modules.qll

JS: Fix bad join in export logic

2026-01-07 11:05:41 +01:00

Expr.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

Extend.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

Externs.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

Files.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

Functions.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

GeneratedCode.qll

JavaScript: Autoformat

2023-03-10 09:41:20 +01:00

Generators.qll

JS: Summary/steps for iterators and generators

2023-10-13 12:42:41 +02:00

GlobalAccessPaths.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

HTML.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

HtmlSanitizers.qll

JS: Make implicit this receivers explicit

2023-05-03 15:31:00 +02:00

InclusionTests.qll

Remove pragma[assume_small_delta]

2023-06-30 11:09:29 -07:00

JSDoc.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

JSON.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

JsonParsers.qll

JS: remove serialize-javascript from JsonParsers.qll as it is not a parser

2025-06-16 12:59:36 +02:00

JsonSchema.qll

…

JsonStringifiers.qll

JS: track taint through serialize-javascript calls with object arguments

2025-06-16 10:38:20 +02:00

JSX.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

Lines.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

Locations.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

MembershipCandidates.qll

JS: Sharpen up EnumerationRegExp

2025-02-28 13:58:11 +01:00

Modules.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

NodeJS.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

NodeModuleResolutionImpl.qll

JS: Deprecate PathExpr and related classes

2025-04-29 13:23:47 +02:00

NPM.qll

JS: Overlay annotations for AST layer

2025-11-13 09:45:56 +01:00

PackageExports.qll

JS: Use PackageJsonEx instead of resolveMainModule

2025-04-29 13:23:45 +02:00

Paths.qll

JS: Deprecate PathExpr and related classes

2025-04-29 13:23:47 +02:00

PrintAst.qll

Add support for XML attributes in the data flow graph

2023-12-14 11:33:53 -08:00

Promises.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

RangeAnalysis.qll

…

Regexp.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

RestrictedLocations.qll

JS: Remove synthetic locations

2025-08-27 11:20:24 +02:00

Routing.qll

JS: enchance middleware taint tracking via local source

2025-06-17 08:30:19 +02:00

SourceMaps.qll

use my script to delete outdated deprecations

2024-09-03 20:30:58 +02:00

SSA.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

StandardLibrary.qll

Merge branch 'main' into js/shared-dataflow-merge-main

2024-12-19 10:14:38 +01:00

Stmt.qll

Merge branch 'main' into js/use-cache-directives

2026-01-05 10:59:50 +01:00

StringConcatenation.qll

…

StringOps.qll

Added support for matchAll in CWE-020 including new test cases

2024-11-05 08:51:24 +01:00

Templates.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

Tokens.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

TSConfig.qll

Apply suggestions from code review

2025-05-02 12:41:29 +02:00

TypeAnnotations.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

TypeScript.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

Unit.qll

Replace all definitions of Unit by import codeql.util.Unit

2023-03-24 10:39:34 +01:00

Util.qll

…

Variables.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

ViewComponentInput.qll

JS: Update API usage in ViewComponentInput

2025-06-23 12:55:08 +02:00

XML.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00

YAML.qll

JS: Use question-mark variant in all overlay annotations

2025-12-08 13:13:09 +01:00