JS Prompt Injection - Add some more sinks and reclassify legacy API #22012
Merged
Add missing system/user prompt-injection sinks across the OpenAI, Anthropic, and Google GenAI JavaScript models:

- OpenAI videos.create/edit/extend/remix prompts (user)
- OpenAI beta.realtime.sessions.create instructions (system)
- Anthropic legacy completions.create prompt (user)
- Google GenAI caches.create config.systemInstruction (system)
- Google GenAI caches.create config.contents (user)

Also reclassify the OpenAI legacy completions.create prompt from system-prompt-injection to user-prompt-injection: the legacy /v1/completions endpoint takes a single free-form prompt with no role separation, so it is the text-in/text-out equivalent of a user message.

Note: videos.remix takes the prompt in Argument[1] (remix(videoID, body)), and Google GenAI caches.create nests both contents and systemInstruction under config, so the model entries differ slightly from a naive mapping.

Add corresponding test cases with inline annotations and regenerate the .expected files.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
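The sink positions listed in the commit message, expressed as a small runtime check. This is an added example, not code from this PR or from CodeQL: `SINKS`, `get`, `promptSinks` and `taintedSinks` are hypothetical names, the sample calls are constructed, and `videos.edit`/`videos.extend` are left out because the message does not state their argument position.

```javascript
// Added example: a runtime analogue of the sink list in the commit message.
// SINKS, get, promptSinks and taintedSinks are hypothetical names.
const SINKS = [
  // [call path, argument index, property path inside that argument, sink kind]
  ["videos.create", 0, "prompt", "user"],
  ["videos.remix", 1, "prompt", "user"], // remix(videoID, body): prompt is in the second argument
  ["beta.realtime.sessions.create", 0, "instructions", "system"],
  ["completions.create", 0, "prompt", "user"], // legacy endpoint, no role separation
  ["caches.create", 0, "config.systemInstruction", "system"],
  ["caches.create", 0, "config.contents", "user"],
];

// Walk a dotted property path; returns undefined if any step is missing.
function get(obj, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Return every prompt-bearing value in a call, labelled with its sink kind.
function promptSinks(callPath, args) {
  return SINKS.filter(([p]) => p === callPath)
    .map(([, idx, prop, kind]) => ({ kind, where: `Argument[${idx}].${prop}`, value: get(args[idx], prop) }))
    .filter((s) => s.value !== undefined);
}

// Report the sinks whose value embeds an untrusted string (strings, arrays and
// nested content objects are all checked through their JSON form).
function taintedSinks(callPath, args, untrusted) {
  return promptSinks(callPath, args).filter((s) =>
    untrusted.some((u) => JSON.stringify(s.value).includes(JSON.stringify(u).slice(1, -1))));
}

// Constructed sample: one request parameter reaches three different sinks.
const input = "make it rain"; // stands in for an untrusted request value
const findings = [
  ...taintedSinks("videos.remix", ["video_123", { prompt: `Remix: ${input}` }], [input]),
  ...taintedSinks("caches.create", [{ model: "m", config: {
    systemInstruction: `You are a bot. ${input}`, contents: [{ role: "user", parts: [{ text: "hello" }] }] } }], [input]),
  ...taintedSinks("completions.create", [{ model: "m", prompt: input }], [input]),
];
console.log(findings.map((f) => `${f.kind}: ${f.where}`));
```

The `caches.create` call yields only the system finding, because the untrusted value is in `config.systemInstruction` and the `config.contents` entry is clean.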
Contributor
Pull request overview
This PR extends the JavaScript prompt-injection threat models and corresponding tests for several AI SDKs, adding coverage for newly identified sink locations and correcting the classification of OpenAI’s legacy completions.create prompt field (system → user).
Changes:
- Added new sink models for OpenAI videos (Sora) prompts and OpenAI beta.realtime.sessions.create instructions.
- Added sink models for Anthropic legacy completions.create prompts and Google GenAI caches.create config.contents/config.systemInstruction.
- Updated CWE-1427 system/user prompt-injection tests, expected outputs, and added a change note documenting the analysis-impacting changes.
Show a summary per file
| File | Description |
|---|---|
| javascript/ql/lib/ext/openai.model.yml | Removes the legacy completions system-sink classification; adds OpenAI realtime instructions system sink and Sora video prompt user sinks. |
| javascript/ql/lib/ext/anthropic.model.yml | Adds a user-prompt-injection sink for legacy completions.create prompt. |
| javascript/ql/lib/ext/google-genai.model.yml | Adds caches.create sinks for both config.systemInstruction (system) and config.contents (user). |
| javascript/ql/lib/change-notes/2026-06-18-prompt-injection-sinks.md | Documents the new sinks and the OpenAI legacy completions reclassification. |
| javascript/ql/test/Security/CWE-1427/UserPromptInjection/openai_user_test.js | Adds Sora videos API user-prompt sink test cases. |
| javascript/ql/test/Security/CWE-1427/UserPromptInjection/gemini_user_test.js | Adds Google GenAI caches.create user-prompt sink test case (config.contents). |
| javascript/ql/test/Security/CWE-1427/UserPromptInjection/anthropic_user_test.js | Adds Anthropic legacy completions.create user-prompt sink test case. |
| javascript/ql/test/Security/CWE-1427/UserPromptInjection/UserPromptInjection.expected | Updates expected results for the added/shifted user-prompt sink cases. |
| javascript/ql/test/Security/CWE-1427/SystemPromptInjection/openai_test.js | Removes the legacy completions prompt system-sink expectation and adds realtime instructions system-sink test case. |
| javascript/ql/test/Security/CWE-1427/SystemPromptInjection/gemini_test.js | Adds Google GenAI caches.create system-prompt sink test case (config.systemInstruction). |
| javascript/ql/test/Security/CWE-1427/SystemPromptInjection/SystemPromptInjection.expected | Updates expected results for the added/shifted system-prompt sink cases. |
Copilot's findings
- Files reviewed: 11/11 changed files
- Comments generated: 0
Contributor
Author
DCA looks ok
As I was porting #21780 to Python, I figured out I missed some models from legacy APIs and some newer methods since I first started working on it.
This PR completes the coverage.
It also removes a wrong classification:
This is the legacy API for calling an LLM and was used before the concept of using a system prompt. It is already classified as "user-prompt-injection" correctly.
Models covered