JS: Add prompt injection detection (CWE-1427) for OpenAI, Anthropic, …#21780
Closed
BazookaMusic wants to merge 1 commit intogithub:mainfrom
Closed
JS: Add prompt injection detection (CWE-1427) for OpenAI, Anthropic, …#21780BazookaMusic wants to merge 1 commit intogithub:mainfrom
BazookaMusic wants to merge 1 commit intogithub:mainfrom
Conversation
…and Google GenAI SDKs Add experimental CodeQL query detecting prompt injection vulnerabilities in JavaScript/TypeScript applications using AI SDK libraries. Modeled frameworks: - openai (OpenAI, AzureOpenAI): responses, chat.completions, completions, images, embeddings, beta.assistants, beta.threads, audio APIs - @openai/agents: Agent instructions, handoffDescription, run/Runner.run, asTool, tool() - @anthropic-ai/sdk: messages.create, beta.messages.create, beta.agents.create/update - @google/genai (GoogleGenAI): generateContent, generateContentStream, generateImages, editImage, chats, live.connect Includes role-based filtering (system/developer/assistant/model roles) and constant-comparison sanitizer guard.
Contributor
|
QHelp previews: javascript/ql/src/experimental/Security/CWE-1427/PromptInjection.qhelpPrompt injectionPrompts can be constructed to bypass the original purposes of an agent and lead to sensitive data leak or operations that were not intended. RecommendationSanitize user input and also avoid using user input in developer or system level prompts. ExampleIn the following examples, the cases marked GOOD show secure prompt construction; whereas in the case marked BAD they may be susceptible to prompt injection. from flask import Flask, request
from agents import Agent
from guardrails import GuardrailAgent
@app.route("/parameter-route")
def get_input():
input = request.args.get("input")
goodAgent = GuardrailAgent( # GOOD: Agent created with guardrails automatically configured.
config=Path("guardrails_config.json"),
name="Assistant",
instructions="This prompt is customized for " + input)
badAgent = Agent(
name="Assistant",
instructions="This prompt is customized for " + input # BAD: user input in agent instruction.
)References
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| * | ||
| * See https://github.com/openai/openai-agents-js. | ||
| */ | ||
| module AgentSDK { |
| @@ -0,0 +1 @@ | |||
| ./experimental/Security/CWE-1427/PromptInjection.ql | |||
Author
|
Ignore, was trying to create it for the fork |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
…and Google GenAI SDKs
Add experimental CodeQL query detecting prompt injection vulnerabilities in JavaScript/TypeScript applications using AI SDK libraries.
Modeled frameworks:
Includes role-based filtering (system/developer/assistant/model roles) and constant-comparison sanitizer guard.