Conversation

@mbaluda (Contributor) commented Jan 2, 2026

No description provided.

@mbaluda mbaluda requested a review from a team as a code owner January 2, 2026 11:32
Copilot AI review requested due to automatic review settings January 2, 2026 11:32
Copilot AI (Contributor) left a comment


Pull request overview

This PR adds support for detecting prompt injection vulnerabilities (CWE-1427) in Python code that uses the OpenAI package. It introduces a new security query that identifies when user-provided input flows into system prompts or developer messages, which could allow attackers to manipulate AI model behavior.

Key changes:

  • Creates a new prompt injection detection query with taint-tracking configuration
  • Adds OpenAI and Agent framework models to identify vulnerable sink points in the API
  • Includes comprehensive test cases covering various OpenAI API patterns

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 12 comments.

Summary per file:

  • python/ql/test/query-tests/Security/CWE-1427-PromptInjection/openai_test.py: Test cases for OpenAI API patterns including chat completions, responses, and realtime connections
  • python/ql/test/query-tests/Security/CWE-1427-PromptInjection/agent_instructions.py: Test case for Agent SDK instructions parameter
  • python/ql/test/query-tests/Security/CWE-1427-PromptInjection/PromptInjection.qlref: Query reference file pointing to the security query
  • python/ql/test/query-tests/Security/CWE-1427-PromptInjection/PromptInjection.expected: Expected test results showing edges, nodes, and alerts
  • python/ql/src/Security/CWE-1427/PromptInjection.ql: Main query implementation for prompt injection detection
  • python/ql/src/Security/CWE-1427/PromptInjection.qhelp: Documentation describing the vulnerability and recommendations
  • python/ql/lib/semmle/python/security/dataflow/PromptInjectionQuery.qll: Taint-tracking configuration for the query
  • python/ql/lib/semmle/python/security/dataflow/PromptInjectionCustomizations.qll: Defines sources, sinks, and sanitizers for prompt injection
  • python/ql/lib/semmle/python/frameworks/OpenAI.qll: Framework models for OpenAI and Agent APIs identifying vulnerable parameters
  • python/ql/lib/semmle/python/Frameworks.qll: Registers the OpenAI framework models


Comment on lines 2 to 3
* @name User input used in developer message and or system prompt
* @description User input used in developer message and or system prompt can allow for Prompt Injection attacks.
Copilot AI Jan 2, 2026


There is a grammatical issue in this sentence. "and or" should be either "and/or" or simply "or". The recommended wording would be: "User input used in developer message or system prompt can allow for Prompt Injection attacks."

Suggested change
* @name User input used in developer message and or system prompt
* @description User input used in developer message and or system prompt can allow for Prompt Injection attacks.
* @name User input used in developer message or system prompt
* @description User input used in developer message or system prompt can allow for Prompt Injection attacks.


<example>
<p>In the following examples, the cases marked GOOD show secure prompt construction; whereas in the case marked BAD they may be susceptible to prompt injection.</p>
<sample src="examples/TODO.py" />
Copilot AI Jan 2, 2026


The example reference file path is incomplete. "examples/TODO.py" should be replaced with an actual example file path or removed if the example doesn't exist yet.

Suggested change
<sample src="examples/TODO.py" />

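The qhelp example file referenced in this comment is still a TODO. As an added illustration that is not part of the PR, the following shows what the BAD and GOOD cases in the qhelp text look like for the OpenAI chat-completions message shape, with a small runtime check that mirrors what the taint-tracking query detects statically; the `Request` class is a constructed stand-in for a web framework request.

```python
"""Added illustration (not code from the PR) of the BAD and GOOD cases for the
still-TODO qhelp example, using the OpenAI chat-completions message shape, plus a
runtime check mirroring what the query looks for: request data in a system message."""

from dataclasses import dataclass

# Roles whose messages carry the instructions the model is meant to obey;
# these are the sinks the PR's OpenAI models point at.
PRIVILEGED_ROLES = frozenset({"system", "developer"})


@dataclass(frozen=True)
class Request:
    """Stand-in for a web framework request object (constructed for the example)."""
    product: str


def build_messages_bad(req: Request) -> list[dict[str, str]]:
    # BAD: untrusted request data is interpolated into the system prompt, so
    # whatever the caller sends as `product` becomes part of the instructions.
    return [
        {"role": "system", "content": f"You are a support bot for {req.product}."},
        {"role": "user", "content": "How do I reset my password?"},
    ]


def build_messages_good(req: Request) -> list[dict[str, str]]:
    # GOOD: the system prompt is a fixed literal; the untrusted value only
    # appears in a user-role message, where it carries no instruction authority.
    return [
        {"role": "system", "content": "You are a support bot. Answer only product questions."},
        {"role": "user", "content": f"Product: {req.product}\nHow do I reset my password?"},
    ]


def privileged_messages_with_input(messages: list[dict[str, str]], untrusted: str) -> list[int]:
    """Return the indices of system/developer messages that contain the untrusted
    text. A non-empty result is the runtime analogue of the query's alert."""
    return [
        i for i, m in enumerate(messages)
        if m.get("role") in PRIVILEGED_ROLES and untrusted and untrusted in m.get("content", "")
    ]


if __name__ == "__main__":
    req = Request(product="Widget")  # constructed sample input
    print(privileged_messages_with_input(build_messages_bad(req), req.product))   # [0]
    print(privileged_messages_with_input(build_messages_good(req), req.product))  # []
```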
@mbaluda mbaluda changed the title Add openai package models for Prompt injection Models openai for Prompt injection Jan 2, 2026
Comment on lines +35 to +37
/**
* Agent prompt sinks, considered as a flow sink.
*/
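Review bot: the class QLDoc on lines 35 to 37 opens with "Agent prompt sinks", which is what the CodeQL QLDoc style check flags; reword it to `* An agent prompt sink, considered as a flow sink.` so the comment names the single thing an instance of the class represents and satisfies the 'A', 'An' or 'The' rule.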

Check warning (Code scanning / CodeQL): Class QLDoc style. The QLDoc for a class should start with 'A', 'An', or 'The'.
@@ -0,0 +1 @@
query: Security/CWE-1427/PromptInjection.ql
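Review bot: the qlref correctly points at Security/CWE-1427/PromptInjection.ql, but the test it drives relies on the separate PromptInjection.expected listing of edges, nodes and alerts, which is why code scanning reports it as a query test without inline test expectations; consider switching the test to inline expectations so that each expected alert sits next to the relevant line in openai_test.py and agent_instructions.py and the .expected file does not have to be regenerated whenever the OpenAI models change.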

Check warning (Code scanning / CodeQL): Query test without inline test expectations. Query test does not use inline test expectations.
@mbaluda mbaluda closed this Jan 2, 2026