move system prompt injection to non-experimental

Author: BazookaMusic

…mmle/javascript/frameworks/Anthropic.qll …mmle/javascript/frameworks/Anthropic.qlljavascript/ql/src/experimental/semmle/javascript/frameworks/Anthropic.qll renamed to javascript/ql/lib/semmle/javascript/frameworks/Anthropic.qll javascript/ql/src/experimental/semmle/javascript/frameworks/Anthropic.qll renamed to javascript/ql/lib/semmle/javascript/frameworks/Anthropic.qll

@@ -11,9 +11,9 @@ private import semmle.javascript.Concepts
 private import semmle.javascript.security.dataflow.RemoteFlowSources
 private import semmle.javascript.dataflow.internal.BarrierGuards
 private import semmle.javascript.frameworks.data.ModelsAsData
-private import experimental.semmle.javascript.frameworks.OpenAI
-private import experimental.semmle.javascript.frameworks.Anthropic
-private import experimental.semmle.javascript.frameworks.GoogleGenAI
+private import semmle.javascript.frameworks.OpenAI
+private import semmle.javascript.frameworks.Anthropic
+private import semmle.javascript.frameworks.GoogleGenAI
 
 /**
  * Provides default sources, sinks and sanitizers for detecting

…le/javascript/frameworks/GoogleGenAI.qll …le/javascript/frameworks/GoogleGenAI.qlljavascript/ql/src/experimental/semmle/javascript/frameworks/GoogleGenAI.qll renamed to javascript/ql/lib/semmle/javascript/frameworks/GoogleGenAI.qll javascript/ql/src/experimental/semmle/javascript/frameworks/GoogleGenAI.qll renamed to javascript/ql/lib/semmle/javascript/frameworks/GoogleGenAI.qll

@@ -4,14 +4,13 @@
  * @problem.severity error
  * @security-severity 5.0
  * @precision high
- * @id js/prompt-injection
+ * @id js/system-prompt-injection
  * @tags security
- *       experimental
  *       external/cwe/cwe-1427
  */
 
 import javascript
-import experimental.semmle.javascript.security.PromptInjection.SystemPromptInjectionQuery
+import semmle.javascript.security.dataflow.SystemPromptInjectionQuery
 import SystemPromptInjectionFlow::PathGraph
 
 from SystemPromptInjectionFlow::PathNode source, SystemPromptInjectionFlow::PathNode sink

…/semmle/javascript/frameworks/OpenAI.qll …/semmle/javascript/frameworks/OpenAI.qlljavascript/ql/src/experimental/semmle/javascript/frameworks/OpenAI.qll renamed to javascript/ql/lib/semmle/javascript/frameworks/OpenAI.qll javascript/ql/src/experimental/semmle/javascript/frameworks/OpenAI.qll renamed to javascript/ql/lib/semmle/javascript/frameworks/OpenAI.qll

@@ -23,4 +23,4 @@ app.get("/chat", async (req, res) => {
     });
 
     res.json(response);
-});
+});

…/SystemPromptInjectionCustomizations.qll …/SystemPromptInjectionCustomizations.qlljavascript/ql/src/experimental/semmle/javascript/security/PromptInjection/SystemPromptInjectionCustomizations.qll renamed to javascript/ql/lib/semmle/javascript/security/dataflow/SystemPromptInjectionCustomizations.qll javascript/ql/src/experimental/semmle/javascript/security/PromptInjection/SystemPromptInjectionCustomizations.qll renamed to javascript/ql/lib/semmle/javascript/security/dataflow/SystemPromptInjectionCustomizations.qll

@@ -0,0 +1,41 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>If untrusted input is included in a user-role prompt sent to an AI model, an attacker can inject
+instructions that manipulate the model's behavior. This is known as <i>indirect prompt injection</i>
+when the malicious content arrives through data the model processes, or <i>direct prompt injection</i>
+when the attacker controls the prompt directly.</p>
+
+<p>Unlike system prompt injection, user prompt injection targets the user-role messages. Although
+user messages are expected to carry user input, passing unsanitized data directly into structured
+prompt templates can still allow an attacker to override intended instructions, extract sensitive
+context, or trigger unintended tool calls.</p>
+</overview>
+
+<recommendation>
+<p>To mitigate user prompt injection:</p>
+<ul>
+<li>Validate user input against a fixed allowlist of permitted values before including it in a prompt.</li>
+<li>Use parameterized prompt templates that clearly separate instructions from user data.</li>
+<li>Apply output filtering to detect and block responses that indicate prompt injection attempts.</li>
+</ul>
+</recommendation>
+
+<example>
+<p>In the following example, user-controlled data is inserted directly into a user-role prompt
+without any validation, allowing an attacker to inject arbitrary instructions.</p>
+<sample src="examples/user-prompt-injection.js" />
+<p>The fix validates the user input against a fixed allowlist of permitted values before
+including it in the prompt.</p>
+<sample src="examples/user-prompt-injection_fixed.js" />
+</example>
+
+<references>
+<li>OWASP: <a href="https://genai.owasp.org/llmrisk/llm01-prompt-injection/">LLM01: Prompt Injection</a>.</li>
+<li>MITRE CWE: <a href="https://cwe.mitre.org/data/definitions/1427.html">CWE-1427: Improper Neutralization of Input Used for LLM Prompting</a>.</li>
+</references>
+
+</qhelp>