Python: Model openai packages for Prompt injection #3
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
QHelp previews: python/ql/src/experimental/Security/CWE-1427/PromptInjection.qhelp

Prompt injection

Prompts can be constructed to bypass the original purposes of an agent and lead to sensitive data leaks or operations that were not intended.

Recommendation

Sanitize user input and also avoid using user input in developer or system level prompts.

Example

In the following examples, the case marked GOOD shows secure prompt construction, whereas the case marked BAD may be susceptible to prompt injection.

```python
from pathlib import Path

from flask import Flask, request
from agents import Agent
from guardrails import GuardrailAgent

app = Flask(__name__)


@app.route("/parameter-route")
def get_input():
    input = request.args.get("input")
    goodAgent = GuardrailAgent(  # GOOD: Agent created with guardrails automatically configured.
        config=Path("guardrails_config.json"),
        name="Assistant",
        instructions="This prompt is customized for " + input)
    badAgent = Agent(
        name="Assistant",
        instructions="This prompt is customized for " + input  # BAD: user input in agent instruction.
    )
```

References
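The qhelp's recommendation (keep user-controlled text out of developer/system-level instructions, and sanitize it before it reaches the user turn) as an added Python example; it is not part of this PR or of the CodeQL repository. It uses only the chat-message list layout (`role`/`content` dicts) as a plain data structure, imports no AI library and calls no model; the function names, the delimiter format and the length limit are this example's own assumptions, and in a Flask route the `user_input` argument would be whatever `request.args.get("input")` returned.

```python
"""Added example (not the PR's own code): keeping untrusted request input out
of system/developer-level prompts, with the vulnerable pattern beside the
hardened one.

Assumption: messages are plain dicts in the {"role": ..., "content": ...}
layout used by chat-completion clients; nothing is sent to a model here.
"""
import re

# Fixed developer-level instruction: contains no user-controlled text.
SYSTEM_INSTRUCTIONS = (
    "You are a support assistant. Answer only questions about the product."
)

# Bound on untrusted text length (example's own choice).
MAX_INPUT_CHARS = 2000


def sanitize_user_input(raw: str) -> str:
    """Normalise untrusted text before it is placed in a *user* message.

    No sanitizer is a complete defence against prompt injection; this one
    removes ASCII control characters (which could imitate message or record
    boundaries in some templating schemes) and bounds the length so a single
    request cannot flood the context window.
    """
    cleaned = re.sub(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]", "", raw)
    return cleaned[:MAX_INPUT_CHARS]


def build_messages_bad(user_input: str) -> list[dict]:
    """BAD: user input concatenated into the system instruction.

    This is the source-to-sink pattern the query models: a request parameter
    flowing into an agent instruction / system prompt.
    """
    return [
        {"role": "system", "content": "This prompt is customized for " + user_input},
    ]


def build_messages_good(user_input: str) -> list[dict]:
    """GOOD: the system instruction is constant; untrusted text is confined
    to the user turn, sanitized and clearly delimited as data."""
    return [
        {"role": "system", "content": SYSTEM_INSTRUCTIONS},
        {
            "role": "user",
            "content": "Customer message:\n<<<\n"
            + sanitize_user_input(user_input)
            + "\n>>>",
        },
    ]


def instruction_contains_user_text(messages: list[dict], user_input: str) -> bool:
    """Self-check usable in a unit test: does any system/developer-level
    message carry the raw user text? True means the BAD pattern is present."""
    return any(
        m["role"] in ("system", "developer") and user_input in m["content"]
        for m in messages
    )


if __name__ == "__main__":
    sample = "My order is late"  # constructed sample input
    print("bad  ->", instruction_contains_user_text(build_messages_bad(sample), sample))
    print("good ->", instruction_contains_user_text(build_messages_good(sample), sample))
```

The `instruction_contains_user_text` check is the runtime counterpart of what the taint-tracking query does statically: the query reports the flow from `request.args.get` into the `instructions` argument at analysis time, while the check above lets a test suite assert that the prompt builder in use never places request data in a system-level turn.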
|
Pull request overview
This PR implements a new prompt injection security query for Python code that detects when user-controlled input flows into AI model prompts. The implementation adds taint tracking models for the OpenAI and agents libraries to identify potential CWE-1427 (Prompt Injection) vulnerabilities.
- Adds a new `py/prompt-injection` query with supporting data flow analysis
- Implements models for the `openai` and `agents` Python modules to track prompt injection sinks
- Introduces the `AIPrompt` concept to the codebase for modeling AI prompting mechanisms
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 12 comments.
| File | Description |
|---|---|
| python/ql/test/query-tests/Security/CWE-1427-PromptInjection/openai_test.py | Test file demonstrating prompt injection vulnerabilities in OpenAI API usage |
| python/ql/test/query-tests/Security/CWE-1427-PromptInjection/agent_instructions.py | Test file for agent instruction parameter injection |
| python/ql/test/query-tests/Security/CWE-1427-PromptInjection/PromptInjection.qlref | Query reference configuration for test execution |
| python/ql/test/query-tests/Security/CWE-1427-PromptInjection/PromptInjection.expected | Expected test results for the query |
| python/ql/src/Security/CWE-1427/examples/example.py | Example code showing good and bad practices for prompt construction |
| python/ql/src/Security/CWE-1427/PromptInjection.ql | Main query implementation for detecting prompt injection vulnerabilities |
| python/ql/src/Security/CWE-1427/PromptInjection.qhelp | Documentation and guidance for the prompt injection query |
| python/ql/lib/semmle/python/security/dataflow/PromptInjectionQuery.qll | Taint-tracking configuration for prompt injection detection |
| python/ql/lib/semmle/python/security/dataflow/PromptInjectionCustomizations.qll | Sources, sinks, and sanitizers for prompt injection analysis |
| python/ql/lib/semmle/python/frameworks/openai.model.yml | Model definitions for OpenAI API prompt injection sinks |
| python/ql/lib/semmle/python/frameworks/agent.model.yml | Model definitions for agents library prompt injection sinks |
| python/ql/lib/semmle/python/Concepts.qll | Adds AIPrompt concept for modeling AI prompting mechanisms |
| python/ql/lib/change-notes/2026-01-02-prompt-injection.md | Change notes documenting the new feature |
openai packages for Prompt injection

* Add testcase and coverage for agents sdk runner run with input param
* Rename agent sdk module for clarity
* Add case for unnamed param use in runner run from agent sdk
This pull request introduces a new CodeQL query for detecting prompt injection vulnerabilities in Python code, specifically targeting AI prompting APIs such as `agents` and `openai`. The changes include new taint flow and type models, a customizable dataflow configuration, documentation, and comprehensive test coverage.