Move structurally typed prompt injection sinks to Models as Data

Move OpenAI, Anthropic, Google GenAI, and LangChain sinks that are
structurally typed (identified by API name alone) into MaD YAML files.

Role-filtered sinks that require inspecting a sibling 'role' property
remain in QL code since MaD cannot express conditional logic.

Use two distinct sink kinds:
- user-prompt-injection: picked up by UserPromptInjection.ql
- system-prompt-injection: picked up by SystemPromptInjection.ql

New files:
- javascript/ql/lib/ext/openai.model.yml
- javascript/ql/lib/ext/anthropic.model.yml
- javascript/ql/lib/ext/google-genai.model.yml
- javascript/ql/lib/ext/langchain.model.yml

Author: BazookaMusic

javascript/ql/lib/ext/anthropic.model.yml

@@ -0,0 +1,17 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: typeModel
+    data:
+      - ["anthropic.Client", "@anthropic-ai/sdk", "Instance"]
+
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - ["anthropic.Client", "Member[messages].Member[create].Argument[0].Member[system]", "system-prompt-injection"]
+      - ["anthropic.Client", "Member[messages].Member[create].Argument[0].Member[system].ArrayElement.Member[text]", "system-prompt-injection"]
+      - ["anthropic.Client", "Member[beta].Member[messages].Member[create].Argument[0].Member[system]", "system-prompt-injection"]
+      - ["anthropic.Client", "Member[beta].Member[messages].Member[create].Argument[0].Member[system].ArrayElement.Member[text]", "system-prompt-injection"]
+      - ["anthropic.Client", "Member[beta].Member[agents].Member[create].Argument[0].Member[system]", "system-prompt-injection"]
+      - ["anthropic.Client", "Member[beta].Member[agents].Member[update].Argument[1].Member[system]", "system-prompt-injection"]

javascript/ql/lib/ext/google-genai.model.yml

@@ -0,0 +1,23 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: typeModel
+    data:
+      - ["google-genai.Client", "@google/genai", "Member[GoogleGenAI].Instance"]
+
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - ["google-genai.Client", "Member[models].Member[generateContent,generateContentStream].Argument[0].Member[config].Member[systemInstruction]", "system-prompt-injection"]
+      - ["google-genai.Client", "Member[chats].Member[create].Argument[0].Member[config].Member[systemInstruction]", "system-prompt-injection"]
+      - ["google-genai.Client", "Member[chats].Member[create].ReturnValue.Member[sendMessage].Argument[0].Member[config].Member[systemInstruction]", "system-prompt-injection"]
+      - ["google-genai.Client", "Member[live].Member[connect].Argument[0].Member[config].Member[systemInstruction]", "system-prompt-injection"]
+      - ["google-genai.Client", "Member[models].Member[generateContent,generateContentStream].Argument[0].Member[contents]", "user-prompt-injection"]
+      - ["google-genai.Client", "Member[models].Member[generateImages].Argument[0].Member[prompt]", "user-prompt-injection"]
+      - ["google-genai.Client", "Member[models].Member[editImage].Argument[0].Member[prompt]", "user-prompt-injection"]
+      - ["google-genai.Client", "Member[models].Member[generateVideos].Argument[0].Member[prompt]", "user-prompt-injection"]
+      - ["google-genai.Client", "Member[chats].Member[create].ReturnValue.Member[sendMessage,sendMessageStream].Argument[0].Member[message]", "user-prompt-injection"]
+      - ["google-genai.Client", "Member[chats].Member[create].ReturnValue.Member[sendMessage,sendMessageStream].Argument[0].Member[content]", "user-prompt-injection"]
+      - ["google-genai.Client", "Member[models].Member[embedContent].Argument[0].Member[content]", "user-prompt-injection"]
+      - ["google-genai.Client", "Member[interactions].Member[create].Argument[0].Member[input]", "user-prompt-injection"]

javascript/ql/lib/ext/langchain.model.yml

@@ -0,0 +1,48 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: typeModel
+    data:
+      - ["langchain.ChatModel", "@langchain/openai", "Member[ChatOpenAI].Instance"]
+      - ["langchain.ChatModel", "@langchain/anthropic", "Member[ChatAnthropic].Instance"]
+      - ["langchain.ChatModel", "@langchain/google-genai", "Member[ChatGoogleGenerativeAI].Instance"]
+      - ["langchain.ChatModel", "@langchain/mistralai", "Member[ChatMistralAI].Instance"]
+      - ["langchain.ChatModel", "@langchain/groq", "Member[ChatGroq].Instance"]
+      - ["langchain.ChatModel", "@langchain/cohere", "Member[ChatCohere].Instance"]
+      - ["langchain.ChatModel", "@langchain/community/chat_models/fireworks", "Member[ChatFireworks].Instance"]
+      - ["langchain.ChatModel", "@langchain/ollama", "Member[ChatOllama].Instance"]
+      - ["langchain.ChatModel", "@langchain/aws", "Member[BedrockChat,ChatBedrockConverse].Instance"]
+      - ["langchain.ChatModel", "@langchain/community/chat_models/togetherai", "Member[ChatTogetherAI].Instance"]
+      - ["langchain.ChatModel", "@langchain/xai", "Member[ChatXAI].Instance"]
+      - ["langchain.ChatModel", "@langchain/openrouter", "Member[ChatOpenRouter].Instance"]
+      - ["langchain.ChatModel", "langchain", "Member[initChatModel].ReturnValue.Awaited"]
+      - ["langchain.AgentExecutor", "langchain/agents", "Member[AgentExecutor].Instance"]
+      - ["langchain.AgentExecutor", "langchain/agents", "Member[AgentExecutor].Member[fromAgentAndTools].ReturnValue"]
+      - ["langchain.Agent", "langchain", "Member[createAgent].ReturnValue"]
+      - ["langchain.LLMChain", "langchain/chains", "Member[LLMChain].Instance"]
+
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - ["@langchain/core/messages", "Member[HumanMessage].Argument[0]", "user-prompt-injection"]
+      - ["@langchain/core/messages", "Member[HumanMessage].Argument[0].Member[content]", "user-prompt-injection"]
+      - ["langchain", "Member[HumanMessage].Argument[0]", "user-prompt-injection"]
+      - ["langchain", "Member[HumanMessage].Argument[0].Member[content]", "user-prompt-injection"]
+      - ["@langchain/core/messages", "Member[SystemMessage].Argument[0]", "system-prompt-injection"]
+      - ["@langchain/core/messages", "Member[SystemMessage].Argument[0].Member[content]", "system-prompt-injection"]
+      - ["langchain", "Member[SystemMessage].Argument[0]", "system-prompt-injection"]
+      - ["langchain", "Member[SystemMessage].Argument[0].Member[content]", "system-prompt-injection"]
+      - ["langchain.ChatModel", "Member[invoke].Argument[0]", "user-prompt-injection"]
+      - ["langchain.ChatModel", "Member[stream].Argument[0]", "user-prompt-injection"]
+      - ["langchain.ChatModel", "Member[call].Argument[0]", "user-prompt-injection"]
+      - ["langchain.ChatModel", "Member[predict].Argument[0]", "user-prompt-injection"]
+      - ["langchain.ChatModel", "Member[batch].Argument[0].ArrayElement", "user-prompt-injection"]
+      - ["langchain.ChatModel", "Member[generate].Argument[0].ArrayElement.ArrayElement", "user-prompt-injection"]
+      - ["langchain.AgentExecutor", "Member[invoke].Argument[0].Member[input]", "user-prompt-injection"]
+      - ["langchain.Agent", "Member[invoke].Argument[0].Member[messages].ArrayElement.Member[content]", "user-prompt-injection"]
+      - ["langchain.Agent", "Member[stream].Argument[0].Member[messages].ArrayElement.Member[content]", "user-prompt-injection"]
+      - ["langchain", "Member[createAgent].Argument[0].Member[systemPrompt]", "system-prompt-injection"]
+      - ["langchain.LLMChain", "Member[call,invoke].Argument[0].Member[input]", "user-prompt-injection"]
+      - ["@langchain/core/prompts", "Member[ChatPromptTemplate].Member[fromMessages].Argument[0].ArrayElement.ArrayElement", "user-prompt-injection"]
+      - ["@langchain/core/prompts", "Member[PromptTemplate].Instance.Member[format].Argument[0]", "user-prompt-injection"]

javascript/ql/lib/ext/openai.model.yml

@@ -0,0 +1,28 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: typeModel
+    data:
+      - ["openai.Client", "openai", "Instance"]
+      - ["openai.Client", "openai", "Member[OpenAI,AzureOpenAI].Instance"]
+      - ["openai.Client", "@openai/guardrails", "Member[GuardrailsOpenAI,GuardrailsAzureOpenAI].Member[create].ReturnValue.Awaited"]
+
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - ["openai.Client", "Member[responses].Member[create].Argument[0].Member[instructions]", "system-prompt-injection"]
+      - ["openai.Client", "Member[beta].Member[assistants].Member[create,update].Argument[0].Member[instructions]", "system-prompt-injection"]
+      - ["openai.Client", "Member[beta].Member[threads].Member[runs].Member[create].Argument[1].Member[instructions,additional_instructions]", "system-prompt-injection"]
+      - ["@openai/agents", "Member[Agent].Argument[0].Member[instructions,handoffDescription]", "system-prompt-injection"]
+      - ["@openai/guardrails", "Member[Agent].Argument[0].Member[instructions,handoffDescription]", "system-prompt-injection"]
+      - ["@openai/agents", "Member[Agent].Instance.Member[asTool].Argument[0].Member[toolDescription]", "system-prompt-injection"]
+      - ["@openai/guardrails", "Member[Agent].Instance.Member[asTool].Argument[0].Member[toolDescription]", "system-prompt-injection"]
+      - ["@openai/agents", "Member[tool].Argument[0].Member[description]", "system-prompt-injection"]
+      - ["@openai/guardrails", "Member[tool].Argument[0].Member[description]", "system-prompt-injection"]
+      - ["@openai/guardrails", "Member[GuardrailAgent].Member[create].Argument[2]", "system-prompt-injection"]
+      - ["openai.Client", "Member[responses].Member[create].Argument[0].Member[input]", "user-prompt-injection"]
+      - ["openai.Client", "Member[completions].Member[create].Argument[0].Member[prompt]", "user-prompt-injection"]
+      - ["openai.Client", "Member[images].Member[generate,edit].Argument[0].Member[prompt]", "user-prompt-injection"]
+      - ["openai.Client", "Member[embeddings].Member[create].Argument[0].Member[input]", "user-prompt-injection"]
+      - ["openai.Client", "Member[audio].Member[transcriptions,translations].Member[create].Argument[0].Member[prompt]", "user-prompt-injection"]

javascript/ql/src/experimental/semmle/javascript/frameworks/Anthropic.qll

@@ -1,89 +1,55 @@
 /**
  * Provides classes modeling security-relevant aspects of the `@anthropic-ai/sdk` package.
  * See https://github.com/anthropics/anthropic-sdk-typescript
+ *
+ * Structurally typed sinks (system, beta.agents) have been moved to
+ * Models as Data: javascript/ql/lib/ext/anthropic.model.yml
+ *
+ * This file retains only role-filtered message sinks that require inspecting
+ * a sibling `role` property, which MaD cannot express.
  */
 
 private import javascript
 
 module Anthropic {
   /** Gets a reference to the `Anthropic` client instance. */
-  API::Node classRef() {
-    // Default export: import Anthropic from '@anthropic-ai/sdk'; new Anthropic()
+  private API::Node classRef() {
     result = API::moduleImport("@anthropic-ai/sdk").getInstance()
   }
 
-  /** Gets a reference to a sink for the system prompt in the Anthropic messages API. */
+  /** Gets a reference to the messages.create params (both stable and beta). */
+  private API::Node messagesCreateParams() {
+    result = classRef().getMember("messages").getMember("create").getParameter(0)
+    or
+    result =
+      classRef().getMember("beta").getMember("messages").getMember("create").getParameter(0)
+  }
+
+  /**
+   * Gets role-filtered system/assistant message sinks.
+   * These require checking a sibling `role` property and cannot be expressed in MaD.
+   */
   API::Node getSystemOrAssistantPromptNode() {
-    exists(API::Node createParams |
-      // client.messages.create({ ... })
-      createParams = classRef()
-          .getMember("messages")
-          .getMember("create")
-          .getParameter(0)
-      or
-      // client.beta.messages.create({ ... })
-      createParams = classRef()
-          .getMember("beta")
-          .getMember("messages")
-          .getMember("create")
-          .getParameter(0)
+    // messages: [{ role: "assistant", content: "..." }]
+    exists(API::Node msg |
+      msg = messagesCreateParams().getMember("messages").getArrayElement() and
+      msg.getMember("role").asSink().mayHaveStringValue("assistant")
     |
-      // system: "string"
-      result = createParams.getMember("system")
-      or
-      // system: [{ type: "text", text: "..." }]
-      result = createParams.getMember("system").getArrayElement().getMember("text")
-      or
-      // messages: [{ role: "assistant", content: "..." }]
-      // Injecting content into what the model said from external sources is very likely an injection.
-      exists(API::Node msg |
-        msg = createParams.getMember("messages").getArrayElement() and
-        msg.getMember("role").asSink().mayHaveStringValue("assistant")
-      |
-        result = msg.getMember("content")
-      )
+      result = msg.getMember("content")
     )
-    or
-    // client.beta.agents.create({ system: "..." })
-    result = classRef()
-        .getMember("beta")
-        .getMember("agents")
-        .getMember("create")
-        .getParameter(0)
-        .getMember("system")
-    or
-    // client.beta.agents.update(agentId, { system: "..." })
-    result = classRef()
-        .getMember("beta")
-        .getMember("agents")
-        .getMember("update")
-        .getParameter(1)
-        .getMember("system")
   }
 
-  /** Gets a reference to nodes where potential user input can land. */
+  /**
+   * Gets role-filtered user message sinks.
+   * These require checking a sibling `role` property and cannot be expressed in MaD.
+   */
   API::Node getUserPromptNode() {
-    exists(API::Node createParams |
-      // client.messages.create({ ... })
-      createParams = classRef()
-          .getMember("messages")
-          .getMember("create")
-          .getParameter(0)
-      or
-      // client.beta.messages.create({ ... })
-      createParams = classRef()
-          .getMember("beta")
-          .getMember("messages")
-          .getMember("create")
-          .getParameter(0)
+    // messages: [{ role: "user", content: "..." }]
+    exists(API::Node msg |
+      msg = messagesCreateParams().getMember("messages").getArrayElement() and
+      not msg.getMember("role").asSink().mayHaveStringValue("assistant")
     |
-      // messages: [{ role: "user", content: "..." }]
-      exists(API::Node msg |
-        msg = createParams.getMember("messages").getArrayElement() and
-        not msg.getMember("role").asSink().mayHaveStringValue("assistant")
-      |
-        result = msg.getMember("content")
-      )
+      result = msg.getMember("content")
     )
   }
 }