add tests for langchain and remove wrong model for guardrails agent

Author: BazookaMusic

javascript/ql/lib/ext/openai.model.yml

@@ -21,3 +21,5 @@ extensions:
       - ["@openai/agents", "Member[tool].Argument[0].Member[description]", "system-prompt-injection"]
       - ["@openai/guardrails", "Member[tool].Argument[0].Member[description]", "system-prompt-injection"]
       - ["@openai/guardrails", "Member[GuardrailAgent].Member[create].Argument[2]", "system-prompt-injection"]
+      - ["@openai/agents", "Member[run].Argument[1]", "user-prompt-injection"]
+      - ["@openai/agents", "Member[Runner].Instance.Member[run].Argument[1]", "user-prompt-injection"]

javascript/ql/src/experimental/semmle/javascript/frameworks/OpenAI.qll

@@ -243,13 +243,10 @@ module AgentSDK {
   }
 
   /**
-   * Gets user prompt sinks for run(agent, input).
-   * Covers string input and user-role array messages.
+   * Gets role-filtered user prompt sinks for run(agent, input).
+   * The string-input case is handled via MaD (openai.model.yml).
    */
   API::Node getUserPromptNode() {
-    // run(agent, "string") — string input is the user prompt
-    result = run().getParameter(1)
-    or
     // run(agent, [{ role: "user", content: ... }])
     exists(API::Node msg |
       msg = run().getParameter(1).getArrayElement() and

javascript/ql/test/experimental/Security/CWE-1427/SystemPromptInjection/SystemPromptInjection.expected

@@ -65,6 +65,13 @@ edges
 | gemini_test.js:85:43:85:49 | persona | gemini_test.js:85:26:85:49 | "Talk l ... persona | provenance |  |
 | gemini_test.js:95:43:95:49 | persona | gemini_test.js:95:26:95:49 | "Talk l ... persona | provenance |  |
 | gemini_test.js:105:43:105:49 | persona | gemini_test.js:105:26:105:49 | "Talk l ... persona | provenance |  |
+| langchain_test.js:9:9:9:15 | persona | langchain_test.js:16:54:16:60 | persona | provenance |  |
+| langchain_test.js:9:9:9:15 | persona | langchain_test.js:19:31:19:37 | persona | provenance |  |
+| langchain_test.js:9:9:9:15 | persona | langchain_test.js:25:36:25:42 | persona | provenance |  |
+| langchain_test.js:9:19:9:35 | req.query.persona | langchain_test.js:9:9:9:15 | persona | provenance |  |
+| langchain_test.js:16:54:16:60 | persona | langchain_test.js:16:37:16:60 | "Talk l ... persona | provenance |  |
+| langchain_test.js:19:31:19:37 | persona | langchain_test.js:19:14:19:37 | "Talk l ... persona | provenance |  |
+| langchain_test.js:25:36:25:42 | persona | langchain_test.js:25:19:25:42 | "Talk l ... persona | provenance |  |
 | openai_test.js:11:9:11:15 | persona | openai_test.js:19:36:19:42 | persona | provenance |  |
 | openai_test.js:11:9:11:15 | persona | openai_test.js:29:35:29:41 | persona | provenance |  |
 | openai_test.js:11:9:11:15 | persona | openai_test.js:44:35:44:41 | persona | provenance |  |
@@ -154,6 +161,14 @@ nodes
 | gemini_test.js:95:43:95:49 | persona | semmle.label | persona |
 | gemini_test.js:105:26:105:49 | "Talk l ... persona | semmle.label | "Talk l ... persona |
 | gemini_test.js:105:43:105:49 | persona | semmle.label | persona |
+| langchain_test.js:9:9:9:15 | persona | semmle.label | persona |
+| langchain_test.js:9:19:9:35 | req.query.persona | semmle.label | req.query.persona |
+| langchain_test.js:16:37:16:60 | "Talk l ... persona | semmle.label | "Talk l ... persona |
+| langchain_test.js:16:54:16:60 | persona | semmle.label | persona |
+| langchain_test.js:19:14:19:37 | "Talk l ... persona | semmle.label | "Talk l ... persona |
+| langchain_test.js:19:31:19:37 | persona | semmle.label | persona |
+| langchain_test.js:25:19:25:42 | "Talk l ... persona | semmle.label | "Talk l ... persona |
+| langchain_test.js:25:36:25:42 | persona | semmle.label | persona |
 | openai_test.js:11:9:11:15 | persona | semmle.label | persona |
 | openai_test.js:11:19:11:35 | req.query.persona | semmle.label | req.query.persona |
 | openai_test.js:19:19:19:42 | "Talk l ... persona | semmle.label | "Talk l ... persona |
@@ -206,6 +221,9 @@ subpaths
 | gemini_test.js:85:26:85:49 | "Talk l ... persona | gemini_test.js:8:19:8:35 | req.query.persona | gemini_test.js:85:26:85:49 | "Talk l ... persona | This prompt construction depends on a $@. | gemini_test.js:8:19:8:35 | req.query.persona | user-provided value |
 | gemini_test.js:95:26:95:49 | "Talk l ... persona | gemini_test.js:8:19:8:35 | req.query.persona | gemini_test.js:95:26:95:49 | "Talk l ... persona | This prompt construction depends on a $@. | gemini_test.js:8:19:8:35 | req.query.persona | user-provided value |
 | gemini_test.js:105:26:105:49 | "Talk l ... persona | gemini_test.js:8:19:8:35 | req.query.persona | gemini_test.js:105:26:105:49 | "Talk l ... persona | This prompt construction depends on a $@. | gemini_test.js:8:19:8:35 | req.query.persona | user-provided value |
+| langchain_test.js:16:37:16:60 | "Talk l ... persona | langchain_test.js:9:19:9:35 | req.query.persona | langchain_test.js:16:37:16:60 | "Talk l ... persona | This prompt construction depends on a $@. | langchain_test.js:9:19:9:35 | req.query.persona | user-provided value |
+| langchain_test.js:19:14:19:37 | "Talk l ... persona | langchain_test.js:9:19:9:35 | req.query.persona | langchain_test.js:19:14:19:37 | "Talk l ... persona | This prompt construction depends on a $@. | langchain_test.js:9:19:9:35 | req.query.persona | user-provided value |
+| langchain_test.js:25:19:25:42 | "Talk l ... persona | langchain_test.js:9:19:9:35 | req.query.persona | langchain_test.js:25:19:25:42 | "Talk l ... persona | This prompt construction depends on a $@. | langchain_test.js:9:19:9:35 | req.query.persona | user-provided value |
 | openai_test.js:19:19:19:42 | "Talk l ... persona | openai_test.js:11:19:11:35 | req.query.persona | openai_test.js:19:19:19:42 | "Talk l ... persona | This prompt construction depends on a $@. | openai_test.js:11:19:11:35 | req.query.persona | user-provided value |
 | openai_test.js:29:18:29:41 | "Talk l ... persona | openai_test.js:11:19:11:35 | req.query.persona | openai_test.js:29:18:29:41 | "Talk l ... persona | This prompt construction depends on a $@. | openai_test.js:11:19:11:35 | req.query.persona | user-provided value |
 | openai_test.js:44:18:44:41 | "Talk l ... persona | openai_test.js:11:19:11:35 | req.query.persona | openai_test.js:44:18:44:41 | "Talk l ... persona | This prompt construction depends on a $@. | openai_test.js:11:19:11:35 | req.query.persona | user-provided value |

javascript/ql/test/experimental/Security/CWE-1427/SystemPromptInjection/langchain_test.js

@@ -0,0 +1,50 @@
+const express = require("express");
+const { ChatOpenAI } = require("@langchain/openai");
+const { HumanMessage, SystemMessage } = require("@langchain/core/messages");
+const { createAgent } = require("langchain");
+
+const app = express();
+
+app.get("/test", async (req, res) => {
+  const persona = req.query.persona;
+  const query = req.query.query;
+
+  const chatModel = new ChatOpenAI({ model: "gpt-4" });
+
+  // === SystemMessage (SHOULD ALERT) ===
+
+  const sysMsg1 = new SystemMessage("Talk like a " + persona); // $ Alert[js/prompt-injection]
+
+  const sysMsg2 = new SystemMessage({
+    content: "Talk like a " + persona, // $ Alert[js/prompt-injection]
+  });
+
+  // === createAgent with systemPrompt (SHOULD ALERT) ===
+
+  const agent = createAgent({
+    systemPrompt: "Talk like a " + persona, // $ Alert[js/prompt-injection]
+  });
+
+  // === Barrier test: user role content in shared array (SHOULD NOT ALERT) ===
+  // When user input goes into a HumanMessage alongside a SystemMessage,
+  // the system prompt query should NOT alert on the HumanMessage content.
+
+  await chatModel.invoke([
+    new SystemMessage("You are a helpful assistant"),
+    new HumanMessage({ role: "user", content: query }), // OK - user role content is not a system prompt
+  ]);
+
+  // Same pattern with raw message objects passed to invoke
+  await chatModel.invoke([
+    { role: "system", content: "You are a helpful assistant" },
+    { role: "user", content: query }, // OK - user role content blocked by barrier
+  ]);
+
+  // === Constant comparison sanitizer (SHOULD NOT ALERT) ===
+
+  if (persona === "pirate") {
+    const sysMsg3 = new SystemMessage("Talk like a " + persona); // OK - sanitized
+  }
+
+  res.send("done");
+});

javascript/ql/test/experimental/Security/CWE-1427/UserPromptInjection/UserPromptInjection.expected

@@ -9,6 +9,24 @@ edges
 | gemini_user_test.js:8:9:8:17 | userInput | gemini_user_test.js:51:13:51:21 | userInput | provenance |  |
 | gemini_user_test.js:8:9:8:17 | userInput | gemini_user_test.js:58:13:58:21 | userInput | provenance |  |
 | gemini_user_test.js:8:21:8:39 | req.query.userInput | gemini_user_test.js:8:9:8:17 | userInput | provenance |  |
+| langchain_user_test.js:13:9:13:17 | userInput | langchain_user_test.js:18:26:18:34 | userInput | provenance |  |
+| langchain_user_test.js:13:9:13:17 | userInput | langchain_user_test.js:22:26:22:34 | userInput | provenance |  |
+| langchain_user_test.js:13:9:13:17 | userInput | langchain_user_test.js:26:24:26:32 | userInput | provenance |  |
+| langchain_user_test.js:13:9:13:17 | userInput | langchain_user_test.js:30:27:30:35 | userInput | provenance |  |
+| langchain_user_test.js:13:9:13:17 | userInput | langchain_user_test.js:34:26:34:34 | userInput | provenance |  |
+| langchain_user_test.js:13:9:13:17 | userInput | langchain_user_test.js:38:30:38:38 | userInput | provenance |  |
+| langchain_user_test.js:13:9:13:17 | userInput | langchain_user_test.js:42:33:42:41 | userInput | provenance |  |
+| langchain_user_test.js:13:9:13:17 | userInput | langchain_user_test.js:44:44:44:52 | userInput | provenance |  |
+| langchain_user_test.js:13:9:13:17 | userInput | langchain_user_test.js:49:31:49:39 | userInput | provenance |  |
+| langchain_user_test.js:13:9:13:17 | userInput | langchain_user_test.js:54:29:54:37 | userInput | provenance |  |
+| langchain_user_test.js:13:9:13:17 | userInput | langchain_user_test.js:59:34:59:42 | userInput | provenance |  |
+| langchain_user_test.js:13:9:13:17 | userInput | langchain_user_test.js:65:27:65:35 | userInput | provenance |  |
+| langchain_user_test.js:13:9:13:17 | userInput | langchain_user_test.js:71:27:71:35 | userInput | provenance |  |
+| langchain_user_test.js:13:9:13:17 | userInput | langchain_user_test.js:77:29:77:37 | userInput | provenance |  |
+| langchain_user_test.js:13:9:13:17 | userInput | langchain_user_test.js:81:31:81:39 | userInput | provenance |  |
+| langchain_user_test.js:13:9:13:17 | userInput | langchain_user_test.js:85:37:85:45 | userInput | provenance |  |
+| langchain_user_test.js:13:9:13:17 | userInput | langchain_user_test.js:90:21:90:29 | userInput | provenance |  |
+| langchain_user_test.js:13:21:13:39 | req.query.userInput | langchain_user_test.js:13:9:13:17 | userInput | provenance |  |
 | openai_user_test.js:15:9:15:17 | userInput | openai_user_test.js:23:12:23:20 | userInput | provenance |  |
 | openai_user_test.js:15:9:15:17 | userInput | openai_user_test.js:32:18:32:26 | userInput | provenance |  |
 | openai_user_test.js:15:9:15:17 | userInput | openai_user_test.js:43:18:43:26 | userInput | provenance |  |
@@ -39,6 +57,25 @@ nodes
 | gemini_user_test.js:44:13:44:21 | userInput | semmle.label | userInput |
 | gemini_user_test.js:51:13:51:21 | userInput | semmle.label | userInput |
 | gemini_user_test.js:58:13:58:21 | userInput | semmle.label | userInput |
+| langchain_user_test.js:13:9:13:17 | userInput | semmle.label | userInput |
+| langchain_user_test.js:13:21:13:39 | req.query.userInput | semmle.label | req.query.userInput |
+| langchain_user_test.js:18:26:18:34 | userInput | semmle.label | userInput |
+| langchain_user_test.js:22:26:22:34 | userInput | semmle.label | userInput |
+| langchain_user_test.js:26:24:26:32 | userInput | semmle.label | userInput |
+| langchain_user_test.js:30:27:30:35 | userInput | semmle.label | userInput |
+| langchain_user_test.js:34:26:34:34 | userInput | semmle.label | userInput |
+| langchain_user_test.js:38:30:38:38 | userInput | semmle.label | userInput |
+| langchain_user_test.js:42:33:42:41 | userInput | semmle.label | userInput |
+| langchain_user_test.js:44:44:44:52 | userInput | semmle.label | userInput |
+| langchain_user_test.js:49:31:49:39 | userInput | semmle.label | userInput |
+| langchain_user_test.js:54:29:54:37 | userInput | semmle.label | userInput |
+| langchain_user_test.js:59:34:59:42 | userInput | semmle.label | userInput |
+| langchain_user_test.js:65:27:65:35 | userInput | semmle.label | userInput |
+| langchain_user_test.js:71:27:71:35 | userInput | semmle.label | userInput |
+| langchain_user_test.js:77:29:77:37 | userInput | semmle.label | userInput |
+| langchain_user_test.js:81:31:81:39 | userInput | semmle.label | userInput |
+| langchain_user_test.js:85:37:85:45 | userInput | semmle.label | userInput |
+| langchain_user_test.js:90:21:90:29 | userInput | semmle.label | userInput |
 | openai_user_test.js:15:9:15:17 | userInput | semmle.label | userInput |
 | openai_user_test.js:15:21:15:39 | req.query.userInput | semmle.label | req.query.userInput |
 | openai_user_test.js:23:12:23:20 | userInput | semmle.label | userInput |
@@ -67,6 +104,23 @@ subpaths
 | gemini_user_test.js:44:13:44:21 | userInput | gemini_user_test.js:8:21:8:39 | req.query.userInput | gemini_user_test.js:44:13:44:21 | userInput | This prompt construction depends on a $@. | gemini_user_test.js:8:21:8:39 | req.query.userInput | user-provided value |
 | gemini_user_test.js:51:13:51:21 | userInput | gemini_user_test.js:8:21:8:39 | req.query.userInput | gemini_user_test.js:51:13:51:21 | userInput | This prompt construction depends on a $@. | gemini_user_test.js:8:21:8:39 | req.query.userInput | user-provided value |
 | gemini_user_test.js:58:13:58:21 | userInput | gemini_user_test.js:8:21:8:39 | req.query.userInput | gemini_user_test.js:58:13:58:21 | userInput | This prompt construction depends on a $@. | gemini_user_test.js:8:21:8:39 | req.query.userInput | user-provided value |
+| langchain_user_test.js:18:26:18:34 | userInput | langchain_user_test.js:13:21:13:39 | req.query.userInput | langchain_user_test.js:18:26:18:34 | userInput | This prompt construction depends on a $@. | langchain_user_test.js:13:21:13:39 | req.query.userInput | user-provided value |
+| langchain_user_test.js:22:26:22:34 | userInput | langchain_user_test.js:13:21:13:39 | req.query.userInput | langchain_user_test.js:22:26:22:34 | userInput | This prompt construction depends on a $@. | langchain_user_test.js:13:21:13:39 | req.query.userInput | user-provided value |
+| langchain_user_test.js:26:24:26:32 | userInput | langchain_user_test.js:13:21:13:39 | req.query.userInput | langchain_user_test.js:26:24:26:32 | userInput | This prompt construction depends on a $@. | langchain_user_test.js:13:21:13:39 | req.query.userInput | user-provided value |
+| langchain_user_test.js:30:27:30:35 | userInput | langchain_user_test.js:13:21:13:39 | req.query.userInput | langchain_user_test.js:30:27:30:35 | userInput | This prompt construction depends on a $@. | langchain_user_test.js:13:21:13:39 | req.query.userInput | user-provided value |
+| langchain_user_test.js:34:26:34:34 | userInput | langchain_user_test.js:13:21:13:39 | req.query.userInput | langchain_user_test.js:34:26:34:34 | userInput | This prompt construction depends on a $@. | langchain_user_test.js:13:21:13:39 | req.query.userInput | user-provided value |
+| langchain_user_test.js:38:30:38:38 | userInput | langchain_user_test.js:13:21:13:39 | req.query.userInput | langchain_user_test.js:38:30:38:38 | userInput | This prompt construction depends on a $@. | langchain_user_test.js:13:21:13:39 | req.query.userInput | user-provided value |
+| langchain_user_test.js:42:33:42:41 | userInput | langchain_user_test.js:13:21:13:39 | req.query.userInput | langchain_user_test.js:42:33:42:41 | userInput | This prompt construction depends on a $@. | langchain_user_test.js:13:21:13:39 | req.query.userInput | user-provided value |
+| langchain_user_test.js:44:44:44:52 | userInput | langchain_user_test.js:13:21:13:39 | req.query.userInput | langchain_user_test.js:44:44:44:52 | userInput | This prompt construction depends on a $@. | langchain_user_test.js:13:21:13:39 | req.query.userInput | user-provided value |
+| langchain_user_test.js:49:31:49:39 | userInput | langchain_user_test.js:13:21:13:39 | req.query.userInput | langchain_user_test.js:49:31:49:39 | userInput | This prompt construction depends on a $@. | langchain_user_test.js:13:21:13:39 | req.query.userInput | user-provided value |
+| langchain_user_test.js:54:29:54:37 | userInput | langchain_user_test.js:13:21:13:39 | req.query.userInput | langchain_user_test.js:54:29:54:37 | userInput | This prompt construction depends on a $@. | langchain_user_test.js:13:21:13:39 | req.query.userInput | user-provided value |
+| langchain_user_test.js:59:34:59:42 | userInput | langchain_user_test.js:13:21:13:39 | req.query.userInput | langchain_user_test.js:59:34:59:42 | userInput | This prompt construction depends on a $@. | langchain_user_test.js:13:21:13:39 | req.query.userInput | user-provided value |
+| langchain_user_test.js:65:27:65:35 | userInput | langchain_user_test.js:13:21:13:39 | req.query.userInput | langchain_user_test.js:65:27:65:35 | userInput | This prompt construction depends on a $@. | langchain_user_test.js:13:21:13:39 | req.query.userInput | user-provided value |
+| langchain_user_test.js:71:27:71:35 | userInput | langchain_user_test.js:13:21:13:39 | req.query.userInput | langchain_user_test.js:71:27:71:35 | userInput | This prompt construction depends on a $@. | langchain_user_test.js:13:21:13:39 | req.query.userInput | user-provided value |
+| langchain_user_test.js:77:29:77:37 | userInput | langchain_user_test.js:13:21:13:39 | req.query.userInput | langchain_user_test.js:77:29:77:37 | userInput | This prompt construction depends on a $@. | langchain_user_test.js:13:21:13:39 | req.query.userInput | user-provided value |
+| langchain_user_test.js:81:31:81:39 | userInput | langchain_user_test.js:13:21:13:39 | req.query.userInput | langchain_user_test.js:81:31:81:39 | userInput | This prompt construction depends on a $@. | langchain_user_test.js:13:21:13:39 | req.query.userInput | user-provided value |
+| langchain_user_test.js:85:37:85:45 | userInput | langchain_user_test.js:13:21:13:39 | req.query.userInput | langchain_user_test.js:85:37:85:45 | userInput | This prompt construction depends on a $@. | langchain_user_test.js:13:21:13:39 | req.query.userInput | user-provided value |
+| langchain_user_test.js:90:21:90:29 | userInput | langchain_user_test.js:13:21:13:39 | req.query.userInput | langchain_user_test.js:90:21:90:29 | userInput | This prompt construction depends on a $@. | langchain_user_test.js:13:21:13:39 | req.query.userInput | user-provided value |
 | openai_user_test.js:23:12:23:20 | userInput | openai_user_test.js:15:21:15:39 | req.query.userInput | openai_user_test.js:23:12:23:20 | userInput | This prompt construction depends on a $@. | openai_user_test.js:15:21:15:39 | req.query.userInput | user-provided value |
 | openai_user_test.js:32:18:32:26 | userInput | openai_user_test.js:15:21:15:39 | req.query.userInput | openai_user_test.js:32:18:32:26 | userInput | This prompt construction depends on a $@. | openai_user_test.js:15:21:15:39 | req.query.userInput | user-provided value |
 | openai_user_test.js:43:18:43:26 | userInput | openai_user_test.js:15:21:15:39 | req.query.userInput | openai_user_test.js:43:18:43:26 | userInput | This prompt construction depends on a $@. | openai_user_test.js:15:21:15:39 | req.query.userInput | user-provided value |