github
diff --git a/‎javascript/ql/lib/ext/openrouter.model.yml‎
Lines changed: 19 additions & 0 deletions b/‎javascript/ql/lib/ext/openrouter.model.yml‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎javascript/ql/lib/semmle/javascript/frameworks/OpenRouter.qll‎
Lines changed: 124 additions & 0 deletions b/‎javascript/ql/lib/semmle/javascript/frameworks/OpenRouter.qll‎
Lines changed: 124 additions & 0 deletions
diff --git a/‎javascript/ql/lib/semmle/javascript/security/dataflow/SystemPromptInjectionCustomizations.qll‎
Lines changed: 5 additions & 0 deletions b/‎javascript/ql/lib/semmle/javascript/security/dataflow/SystemPromptInjectionCustomizations.qll‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎javascript/ql/src/experimental/semmle/javascript/security/PromptInjection/UserPromptInjectionCustomizations.qll‎
Lines changed: 5 additions & 0 deletions b/‎javascript/ql/src/experimental/semmle/javascript/security/PromptInjection/UserPromptInjectionCustomizations.qll‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎javascript/ql/test/experimental/Security/CWE-1427/SystemPromptInjection/SystemPromptInjection.expected‎
Lines changed: 48 additions & 0 deletions b/‎javascript/ql/test/experimental/Security/CWE-1427/SystemPromptInjection/SystemPromptInjection.expected‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎javascript/ql/test/experimental/Security/CWE-1427/SystemPromptInjection/agents_test.js‎
Lines changed: 9 additions & 9 deletions b/‎javascript/ql/test/experimental/Security/CWE-1427/SystemPromptInjection/agents_test.js‎
Lines changed: 9 additions & 9 deletions
@@ -0,0 +1,19 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: typeModel
+    data:
+      - ["openrouter.Client", "@openrouter/sdk", "Instance"]
+      - ["openrouter.Client", "@openrouter/sdk", "Member[OpenRouter].Instance"]
+      - ["openrouter.Agent", "@openrouter/agent", "Member[OpenRouter].Instance"]
+
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - ["@openrouter/agent", "Member[callModel].Argument[0].Member[instructions]", "system-prompt-injection"]
+      - ["openrouter.Agent", "Member[callModel].Argument[0].Member[instructions]", "system-prompt-injection"]
+      - ["@openrouter/agent", "Member[tool].Argument[0].Member[description]", "system-prompt-injection"]
+      - ["openrouter.Client", "Member[embeddings].Member[create].Argument[0].Member[input]", "user-prompt-injection"]
+      - ["@openrouter/agent", "Member[callModel].Argument[0].Member[input]", "user-prompt-injection"]
+      - ["openrouter.Agent", "Member[callModel].Argument[0].Member[input]", "user-prompt-injection"]
@@ -0,0 +1,124 @@
+/**
+ * Provides classes modeling security-relevant aspects of the OpenRouter JS/TS SDKs.
+ * See https://openrouter.ai/docs/client-sdks/typescript (`@openrouter/sdk`) and
+ * https://openrouter.ai/docs/agent-sdk/overview (`@openrouter/agent`).
+ *
+ * Structurally typed sinks (instructions, input, description, etc.) have been moved to
+ * Models as Data: javascript/ql/lib/ext/openrouter.model.yml
+ *
+ * This file retains only role-filtered sinks that require inspecting a sibling
+ * `role` property, which MaD cannot express.
+ */
+
+private import javascript
+
+/** Holds if `msg` is a message array element with a privileged role. */
+private predicate isSystemOrDevMessage(API::Node msg) {
+  msg.getMember("role").asSink().mayHaveStringValue(["system", "developer", "assistant"])
+}
+
+/**
+ * Provides models for the OpenRouter Client SDK (`@openrouter/sdk`).
+ */
+module OpenRouter {
+  /** Gets a reference to an `@openrouter/sdk` client instance. */
+  private API::Node clientRef() {
+    // Default export: import OpenRouter from '@openrouter/sdk'; new OpenRouter()
+    result = API::moduleImport("@openrouter/sdk").getInstance()
+    or
+    // Named import: import { OpenRouter } from '@openrouter/sdk'; new OpenRouter()
+    result = API::moduleImport("@openrouter/sdk").getMember("OpenRouter").getInstance()
+  }
+
+  /** Gets the parameter object of a chat completion call. */
+  private API::Node chatCreateParams() {
+    // client.chat.send({ messages: [...] })
+    result = clientRef().getMember("chat").getMember("send").getParameter(0)
+    or
+    // OpenAI-compatible surface: client.chat.completions.create({ messages: [...] })
+    result =
+      clientRef().getMember("chat").getMember("completions").getMember("create").getParameter(0)
+  }
+
+  /**
+   * Gets role-filtered system/developer/assistant message sinks.
+   * These require checking a sibling `role` property and cannot be expressed in MaD.
+   */
+  API::Node getSystemOrAssistantPromptNode() {
+    // chat.send/completions.create({ messages: [{ role: "system"/"developer"/"assistant", content: ... }] })
+    exists(API::Node msg, API::Node content |
+      msg = chatCreateParams().getMember("messages").getArrayElement() and
+      isSystemOrDevMessage(msg) and
+      content = msg.getMember("content")
+    |
+      result = content
+      or
+      result = content.getArrayElement().getMember("text")
+    )
+  }
+
+  /**
+   * Gets role-filtered user message sinks.
+   * These require checking a sibling `role` property and cannot be expressed in MaD.
+   */
+  API::Node getUserPromptNode() {
+    // chat.send/completions.create({ messages: [{ role: "user", content: ... }] })
+    exists(API::Node msg, API::Node content |
+      msg = chatCreateParams().getMember("messages").getArrayElement() and
+      not isSystemOrDevMessage(msg) and
+      content = msg.getMember("content")
+    |
+      result = content
+      or
+      result = content.getArrayElement().getMember("text")
+    )
+  }
+}
+
+/**
+ * Provides models for the OpenRouter Agent SDK (`@openrouter/agent`).
+ *
+ * Structurally typed sinks have been moved to openrouter.model.yml.
+ * This module retains only role-filtered sinks that MaD cannot express.
+ */
+module OpenRouterAgent {
+  /** Gets a reference to the `@openrouter/agent` module. */
+  private API::Node moduleRef() { result = API::moduleImport("@openrouter/agent") }
+
+  /** Gets a `callModel` invocation's parameter object (top-level and instance forms). */
+  private API::Node callModelParams() {
+    // import { callModel } from '@openrouter/agent'; callModel({ ... })
+    result = moduleRef().getMember("callModel").getParameter(0)
+    or
+    // import { OpenRouter } from '@openrouter/agent'; new OpenRouter(...).callModel({ ... })
+    result = moduleRef().getMember("OpenRouter").getInstance().getMember("callModel").getParameter(0)
+  }
+
+  /**
+   * Gets role-filtered system/developer/assistant message sinks.
+   * These require checking a sibling `role` property and cannot be expressed in MaD.
+   */
+  API::Node getSystemOrAssistantPromptNode() {
+    // callModel({ messages/input: [{ role: "system"/"developer"/"assistant", content: ... }] })
+    exists(API::Node msg |
+      msg = callModelParams().getMember(["messages", "input"]).getArrayElement() and
+      isSystemOrDevMessage(msg)
+    |
+      result = msg.getMember("content")
+    )
+  }
+
+  /**
+   * Gets role-filtered user message sinks.
+   * These require checking a sibling `role` property and cannot be expressed in MaD.
+   */
+  API::Node getUserPromptNode() {
+    // callModel({ messages/input: [{ role: "user", content: ... }] })
+    exists(API::Node msg |
+      msg = callModelParams().getMember(["messages", "input"]).getArrayElement() and
+      not isSystemOrDevMessage(msg)
+    |
+      result = msg.getMember("content")
+    )
+  }
+}
@@ -14,6 +14,7 @@ private import semmle.javascript.frameworks.data.ModelsAsData
 private import semmle.javascript.frameworks.OpenAI
 private import semmle.javascript.frameworks.Anthropic
 private import semmle.javascript.frameworks.GoogleGenAI
+private import semmle.javascript.frameworks.OpenRouter
 
 /**
  * Provides default sources, sinks and sanitizers for detecting
@@ -64,6 +65,10 @@ module SystemPromptInjection {
       this = Anthropic::getSystemOrAssistantPromptNode().asSink()
       or
       this = GoogleGenAI::getSystemOrAssistantPromptNode().asSink()
+      or
+      this = OpenRouter::getSystemOrAssistantPromptNode().asSink()
+      or
+      this = OpenRouterAgent::getSystemOrAssistantPromptNode().asSink()
     }
   }
 
 
@@ -14,6 +14,7 @@ private import semmle.javascript.frameworks.data.ModelsAsData
 private import semmle.javascript.frameworks.OpenAI
 private import semmle.javascript.frameworks.Anthropic
 private import semmle.javascript.frameworks.GoogleGenAI
+private import semmle.javascript.frameworks.OpenRouter
 
 /**
  * Provides default sources, sinks and sanitizers for detecting
@@ -65,6 +66,10 @@ module UserPromptInjection {
       this = GoogleGenAI::getUserPromptNode().asSink()
       or
       this = AgentSDK::getUserPromptNode().asSink()
+      or
+      this = OpenRouter::getUserPromptNode().asSink()
+      or
+      this = OpenRouterAgent::getUserPromptNode().asSink()
     }
   }
 
 
@@ -97,6 +97,25 @@ edges
 | openai_test.js:158:52:158:58 | persona | openai_test.js:158:30:158:58 | "Also t ... persona | provenance |  |
 | openai_test.js:164:31:164:37 | persona | openai_test.js:164:14:164:37 | "Talk l ... persona | provenance |  |
 | openai_test.js:192:49:192:55 | persona | openai_test.js:192:32:192:55 | "Talk l ... persona | provenance |  |
+| openrouter_test.js:12:9:12:15 | persona | openrouter_test.js:23:35:23:41 | persona | provenance |  |
+| openrouter_test.js:12:9:12:15 | persona | openrouter_test.js:38:35:38:41 | persona | provenance |  |
+| openrouter_test.js:12:9:12:15 | persona | openrouter_test.js:52:36:52:42 | persona | provenance |  |
+| openrouter_test.js:12:9:12:15 | persona | openrouter_test.js:78:35:78:41 | persona | provenance |  |
+| openrouter_test.js:12:9:12:15 | persona | openrouter_test.js:88:36:88:42 | persona | provenance |  |
+| openrouter_test.js:12:9:12:15 | persona | openrouter_test.js:98:35:98:41 | persona | provenance |  |
+| openrouter_test.js:12:9:12:15 | persona | openrouter_test.js:109:35:109:41 | persona | provenance |  |
+| openrouter_test.js:12:9:12:15 | persona | openrouter_test.js:118:36:118:42 | persona | provenance |  |
+| openrouter_test.js:12:9:12:15 | persona | openrouter_test.js:125:35:125:41 | persona | provenance |  |
+| openrouter_test.js:12:19:12:35 | req.query.persona | openrouter_test.js:12:9:12:15 | persona | provenance |  |
+| openrouter_test.js:23:35:23:41 | persona | openrouter_test.js:23:18:23:41 | "Talk l ... persona | provenance |  |
+| openrouter_test.js:38:35:38:41 | persona | openrouter_test.js:38:18:38:41 | "Talk l ... persona | provenance |  |
+| openrouter_test.js:52:36:52:42 | persona | openrouter_test.js:52:19:52:42 | "Talk l ... persona | provenance |  |
+| openrouter_test.js:78:35:78:41 | persona | openrouter_test.js:78:18:78:41 | "Talk l ... persona | provenance |  |
+| openrouter_test.js:88:36:88:42 | persona | openrouter_test.js:88:19:88:42 | "Talk l ... persona | provenance |  |
+| openrouter_test.js:98:35:98:41 | persona | openrouter_test.js:98:18:98:41 | "Talk l ... persona | provenance |  |
+| openrouter_test.js:109:35:109:41 | persona | openrouter_test.js:109:18:109:41 | "Talk l ... persona | provenance |  |
+| openrouter_test.js:118:36:118:42 | persona | openrouter_test.js:118:19:118:42 | "Talk l ... persona | provenance |  |
+| openrouter_test.js:125:35:125:41 | persona | openrouter_test.js:125:18:125:41 | "Talk l ... persona | provenance |  |
 nodes
 | agents_test.js:8:9:8:15 | persona | semmle.label | persona |
 | agents_test.js:8:19:8:35 | req.query.persona | semmle.label | req.query.persona |
@@ -195,6 +214,26 @@ nodes
 | openai_test.js:164:31:164:37 | persona | semmle.label | persona |
 | openai_test.js:192:32:192:55 | "Talk l ... persona | semmle.label | "Talk l ... persona |
 | openai_test.js:192:49:192:55 | persona | semmle.label | persona |
+| openrouter_test.js:12:9:12:15 | persona | semmle.label | persona |
+| openrouter_test.js:12:19:12:35 | req.query.persona | semmle.label | req.query.persona |
+| openrouter_test.js:23:18:23:41 | "Talk l ... persona | semmle.label | "Talk l ... persona |
+| openrouter_test.js:23:35:23:41 | persona | semmle.label | persona |
+| openrouter_test.js:38:18:38:41 | "Talk l ... persona | semmle.label | "Talk l ... persona |
+| openrouter_test.js:38:35:38:41 | persona | semmle.label | persona |
+| openrouter_test.js:52:19:52:42 | "Talk l ... persona | semmle.label | "Talk l ... persona |
+| openrouter_test.js:52:36:52:42 | persona | semmle.label | persona |
+| openrouter_test.js:78:18:78:41 | "Talk l ... persona | semmle.label | "Talk l ... persona |
+| openrouter_test.js:78:35:78:41 | persona | semmle.label | persona |
+| openrouter_test.js:88:19:88:42 | "Talk l ... persona | semmle.label | "Talk l ... persona |
+| openrouter_test.js:88:36:88:42 | persona | semmle.label | persona |
+| openrouter_test.js:98:18:98:41 | "Talk l ... persona | semmle.label | "Talk l ... persona |
+| openrouter_test.js:98:35:98:41 | persona | semmle.label | persona |
+| openrouter_test.js:109:18:109:41 | "Talk l ... persona | semmle.label | "Talk l ... persona |
+| openrouter_test.js:109:35:109:41 | persona | semmle.label | persona |
+| openrouter_test.js:118:19:118:42 | "Talk l ... persona | semmle.label | "Talk l ... persona |
+| openrouter_test.js:118:36:118:42 | persona | semmle.label | persona |
+| openrouter_test.js:125:18:125:41 | "Talk l ... persona | semmle.label | "Talk l ... persona |
+| openrouter_test.js:125:35:125:41 | persona | semmle.label | persona |
 subpaths
 #select
 | agents_test.js:16:19:16:42 | "Talk l ... persona | agents_test.js:8:19:8:35 | req.query.persona | agents_test.js:16:19:16:42 | "Talk l ... persona | This prompt construction depends on a $@. | agents_test.js:8:19:8:35 | req.query.persona | user-provided value |
@@ -236,3 +275,12 @@ subpaths
 | openai_test.js:158:30:158:58 | "Also t ... persona | openai_test.js:11:19:11:35 | req.query.persona | openai_test.js:158:30:158:58 | "Also t ... persona | This prompt construction depends on a $@. | openai_test.js:11:19:11:35 | req.query.persona | user-provided value |
 | openai_test.js:164:14:164:37 | "Talk l ... persona | openai_test.js:11:19:11:35 | req.query.persona | openai_test.js:164:14:164:37 | "Talk l ... persona | This prompt construction depends on a $@. | openai_test.js:11:19:11:35 | req.query.persona | user-provided value |
 | openai_test.js:192:32:192:55 | "Talk l ... persona | openai_test.js:11:19:11:35 | req.query.persona | openai_test.js:192:32:192:55 | "Talk l ... persona | This prompt construction depends on a $@. | openai_test.js:11:19:11:35 | req.query.persona | user-provided value |
+| openrouter_test.js:23:18:23:41 | "Talk l ... persona | openrouter_test.js:12:19:12:35 | req.query.persona | openrouter_test.js:23:18:23:41 | "Talk l ... persona | This prompt construction depends on a $@. | openrouter_test.js:12:19:12:35 | req.query.persona | user-provided value |
+| openrouter_test.js:38:18:38:41 | "Talk l ... persona | openrouter_test.js:12:19:12:35 | req.query.persona | openrouter_test.js:38:18:38:41 | "Talk l ... persona | This prompt construction depends on a $@. | openrouter_test.js:12:19:12:35 | req.query.persona | user-provided value |
+| openrouter_test.js:52:19:52:42 | "Talk l ... persona | openrouter_test.js:12:19:12:35 | req.query.persona | openrouter_test.js:52:19:52:42 | "Talk l ... persona | This prompt construction depends on a $@. | openrouter_test.js:12:19:12:35 | req.query.persona | user-provided value |
+| openrouter_test.js:78:18:78:41 | "Talk l ... persona | openrouter_test.js:12:19:12:35 | req.query.persona | openrouter_test.js:78:18:78:41 | "Talk l ... persona | This prompt construction depends on a $@. | openrouter_test.js:12:19:12:35 | req.query.persona | user-provided value |
+| openrouter_test.js:88:19:88:42 | "Talk l ... persona | openrouter_test.js:12:19:12:35 | req.query.persona | openrouter_test.js:88:19:88:42 | "Talk l ... persona | This prompt construction depends on a $@. | openrouter_test.js:12:19:12:35 | req.query.persona | user-provided value |
+| openrouter_test.js:98:18:98:41 | "Talk l ... persona | openrouter_test.js:12:19:12:35 | req.query.persona | openrouter_test.js:98:18:98:41 | "Talk l ... persona | This prompt construction depends on a $@. | openrouter_test.js:12:19:12:35 | req.query.persona | user-provided value |
+| openrouter_test.js:109:18:109:41 | "Talk l ... persona | openrouter_test.js:12:19:12:35 | req.query.persona | openrouter_test.js:109:18:109:41 | "Talk l ... persona | This prompt construction depends on a $@. | openrouter_test.js:12:19:12:35 | req.query.persona | user-provided value |
+| openrouter_test.js:118:19:118:42 | "Talk l ... persona | openrouter_test.js:12:19:12:35 | req.query.persona | openrouter_test.js:118:19:118:42 | "Talk l ... persona | This prompt construction depends on a $@. | openrouter_test.js:12:19:12:35 | req.query.persona | user-provided value |
+| openrouter_test.js:125:18:125:41 | "Talk l ... persona | openrouter_test.js:12:19:12:35 | req.query.persona | openrouter_test.js:125:18:125:41 | "Talk l ... persona | This prompt construction depends on a $@. | openrouter_test.js:12:19:12:35 | req.query.persona | user-provided value |
@@ -13,7 +13,7 @@ app.get("/agents", async (req, res) => {
   // SHOULD ALERT
   const agent1 = new Agent({
     name: "Assistant",
-    instructions: "Talk like a " + persona, // $ Alert[js/prompt-injection]
+    instructions: "Talk like a " + persona, // $ Alert[js/system-prompt-injection]
   });
 
   // === Agent constructor: instructions as lambda ===
@@ -22,15 +22,15 @@ app.get("/agents", async (req, res) => {
   const agent2 = new Agent({
     name: "Dynamic",
     instructions: (runContext) => {
-      return "Talk like a " + persona; // $ Alert[js/prompt-injection]
+      return "Talk like a " + persona; // $ Alert[js/system-prompt-injection]
     },
   });
 
   // SHOULD ALERT (async lambda)
   const agent3 = new Agent({
     name: "AsyncDynamic",
     instructions: async (runContext) => {
-      return "Talk like a " + persona; // $ Alert[js/prompt-injection]
+      return "Talk like a " + persona; // $ Alert[js/system-prompt-injection]
     },
   });
 
@@ -40,23 +40,23 @@ app.get("/agents", async (req, res) => {
   const agent4 = new Agent({
     name: "Specialist",
     instructions: "Help with refunds",
-    handoffDescription: "Handles " + persona, // $ Alert[js/prompt-injection]
+    handoffDescription: "Handles " + persona, // $ Alert[js/system-prompt-injection]
   });
 
   // === agent.asTool(): toolDescription ===
 
   // SHOULD ALERT
   agent1.asTool({
     toolName: "helper",
-    toolDescription: "Ask about " + persona, // $ Alert[js/prompt-injection]
+    toolDescription: "Ask about " + persona, // $ Alert[js/system-prompt-injection]
   });
 
   // === tool(): description ===
 
   // SHOULD ALERT
   const myTool = tool({
     name: "lookup",
-    description: "Look up info about " + persona, // $ Alert[js/prompt-injection]
+    description: "Look up info about " + persona, // $ Alert[js/system-prompt-injection]
     parameters: z.object({ query: z.string() }),
     execute: async ({ query }) => "result",
   });
@@ -70,15 +70,15 @@ app.get("/agents", async (req, res) => {
 
   // SHOULD ALERT
   const r2 = await run(agent1, [
-    { role: "system", content: "Talk like a " + persona }, // $ Alert[js/prompt-injection]
+    { role: "system", content: "Talk like a " + persona }, // $ Alert[js/system-prompt-injection]
     { role: "user", content: query },
   ]);
 
   // === run() with array input: developer role ===
 
   // SHOULD ALERT
   const r3 = await run(agent1, [
-    { role: "developer", content: "Talk like a " + persona }, // $ Alert[js/prompt-injection]
+    { role: "developer", content: "Talk like a " + persona }, // $ Alert[js/system-prompt-injection]
   ]);
 
   // === run() with array input: user role ===
@@ -93,7 +93,7 @@ app.get("/agents", async (req, res) => {
   // SHOULD ALERT
   const runner = new Runner();
   const r5 = await runner.run(agent1, [
-    { role: "system", content: "Talk like a " + persona }, // $ Alert[js/prompt-injection]
+    { role: "system", content: "Talk like a " + persona }, // $ Alert[js/system-prompt-injection]
   ]);
 
   // === Sanitizer: constant comparison ===