Formatting

Author: BazookaMusic

javascript/ql/lib/semmle/javascript/frameworks/Anthropic.qll

@@ -13,16 +13,13 @@ private import javascript
 
 module Anthropic {
   /** Gets a reference to the `Anthropic` client instance. */
-  private API::Node classRef() {
-    result = API::moduleImport("@anthropic-ai/sdk").getInstance()
-  }
+  private API::Node classRef() { result = API::moduleImport("@anthropic-ai/sdk").getInstance() }
 
   /** Gets a reference to the messages.create params (both stable and beta). */
   private API::Node messagesCreateParams() {
     result = classRef().getMember("messages").getMember("create").getParameter(0)
     or
-    result =
-      classRef().getMember("beta").getMember("messages").getMember("create").getParameter(0)
+    result = classRef().getMember("beta").getMember("messages").getMember("create").getParameter(0)
   }
 
   /**
@@ -52,4 +49,4 @@ module Anthropic {
       result = msg.getMember("content")
     )
   }
-}
+}

javascript/ql/lib/semmle/javascript/frameworks/GoogleGenAI.qll

@@ -14,8 +14,7 @@ private import javascript
 module GoogleGenAI {
   /** Gets a reference to the `GoogleGenAI` client instance. */
   private API::Node clientRef() {
-    result =
-      API::moduleImport("@google/genai").getMember("GoogleGenAI").getInstance()
+    result = API::moduleImport("@google/genai").getMember("GoogleGenAI").getInstance()
   }
 
   /**

javascript/ql/lib/semmle/javascript/frameworks/OpenAI.qll

@@ -225,17 +225,11 @@ module AgentSDK {
    */
   API::Node getSystemOrAssistantPromptNode() {
     // Agent({ instructions: (runContext) => returnValue }) — callback form
-    result = moduleRef()
-        .getMember("Agent")
-        .getParameter(0)
-        .getMember("instructions")
-        .getReturn()
+    result = moduleRef().getMember("Agent").getParameter(0).getMember("instructions").getReturn()
     or
     // run(agent, [{ role: "system"/"developer", content: ... }])
     exists(API::Node msg |
-      msg = run()
-          .getParameter(1)
-          .getArrayElement() and
+      msg = run().getParameter(1).getArrayElement() and
       isSystemOrDevMessage(msg)
     |
       result = msg.getMember("content")
@@ -270,18 +264,11 @@ module AgentSDK {
     or
     // GuardrailAgent.create(config, ...) without input/pre_flight guardrails
     exists(API::Node createCall |
-      createCall =
-        moduleRef()
-            .getMember("GuardrailAgent")
-            .getMember("create") and
+      createCall = moduleRef().getMember("GuardrailAgent").getMember("create") and
       result = createCall.getParameter(0) and
       exists(result.getMember("version")) and
-      not exists(
-        result.getMember("input").getMember("guardrails").getArrayElement()
-      ) and
-      not exists(
-        result.getMember("pre_flight").getMember("guardrails").getArrayElement()
-      )
+      not exists(result.getMember("input").getMember("guardrails").getArrayElement()) and
+      not exists(result.getMember("pre_flight").getMember("guardrails").getArrayElement())
     )
   }
 }

javascript/ql/lib/semmle/javascript/frameworks/OpenRouter.qll

@@ -91,7 +91,8 @@ module OpenRouterAgent {
     result = moduleRef().getMember("callModel").getParameter(0)
     or
     // import { OpenRouter } from '@openrouter/agent'; new OpenRouter(...).callModel({ ... })
-    result = moduleRef().getMember("OpenRouter").getInstance().getMember("callModel").getParameter(0)
+    result =
+      moduleRef().getMember("OpenRouter").getInstance().getMember("callModel").getParameter(0)
   }
 
   /**

javascript/ql/lib/semmle/javascript/security/dataflow/SystemPromptInjectionCustomizations.qll

@@ -5,7 +5,6 @@
  */
 
 import javascript
-
 private import semmle.javascript.dataflow.DataFlow
 private import semmle.javascript.Concepts
 private import semmle.javascript.security.dataflow.RemoteFlowSources
@@ -40,8 +39,7 @@ module SystemPromptInjection {
   /**
    * An active threat-model source, considered as a flow source.
    */
-  private class ActiveThreatModelSourceAsSource extends Source, ActiveThreatModelSource {
-  }
+  private class ActiveThreatModelSourceAsSource extends Source, ActiveThreatModelSource { }
 
   /**
    * A prompt to an AI model, considered as a flow sink.
@@ -51,9 +49,7 @@ module SystemPromptInjection {
   }
 
   private class SinkFromModel extends Sink {
-    SinkFromModel() {
-      this = ModelOutput::getASinkNode("system-prompt-injection").asSink()
-    }
+    SinkFromModel() { this = ModelOutput::getASinkNode("system-prompt-injection").asSink() }
   }
 
   private class PromptContentSink extends Sink {
@@ -73,8 +69,7 @@ module SystemPromptInjection {
   }
 
   private class ConstCompareAsSanitizerGuard extends Sanitizer {
-    ConstCompareAsSanitizerGuard()
-    {
+    ConstCompareAsSanitizerGuard() {
       this = DataFlow::MakeBarrierGuard<ConstCompareBarrierGuard>::getABarrierNode()
     }
   }
@@ -100,14 +95,10 @@ module SystemPromptInjection {
   /**
    * A comparison with a constant, considered as a sanitizer-guard.
    */
-  private class ConstCompareBarrierGuard extends DataFlow::ValueNode
-  {
+  private class ConstCompareBarrierGuard extends DataFlow::ValueNode {
     override EqualityTest astNode;
 
-    ConstCompareBarrierGuard()
-    {
-      astNode.hasOperands(_, any(ConstantString cs))
-    }
+    ConstCompareBarrierGuard() { astNode.hasOperands(_, any(ConstantString cs)) }
 
     predicate blocksExpr(boolean outcome, Expr e) {
       outcome = astNode.getPolarity() and

javascript/ql/src/experimental/semmle/javascript/security/PromptInjection/UserPromptInjectionCustomizations.qll

@@ -5,7 +5,6 @@
  */
 
 import javascript
-
 private import semmle.javascript.dataflow.DataFlow
 private import semmle.javascript.Concepts
 private import semmle.javascript.security.dataflow.RemoteFlowSources
@@ -30,8 +29,7 @@ module UserPromptInjection {
   /**
    * A data flow sink for "user prompt injection" vulnerabilities.
    */
-  abstract class Sink extends DataFlow::Node { 
-  }
+  abstract class Sink extends DataFlow::Node { }
 
   /**
    * A sanitizer for "user prompt injection" vulnerabilities.
@@ -41,8 +39,7 @@ module UserPromptInjection {
   /**
    * An active threat-model source, considered as a flow source.
    */
-  private class ActiveThreatModelSourceAsSource extends Source, ActiveThreatModelSource {
-  }
+  private class ActiveThreatModelSourceAsSource extends Source, ActiveThreatModelSource { }
 
   /**
    * A prompt to an AI model, considered as a flow sink.
@@ -52,9 +49,7 @@ module UserPromptInjection {
   }
 
   private class SinkFromModel extends Sink {
-    SinkFromModel() {
-      this = ModelOutput::getASinkNode("user-prompt-injection").asSink()
-    }
+    SinkFromModel() { this = ModelOutput::getASinkNode("user-prompt-injection").asSink() }
   }
 
   private class PromptContentSink extends Sink {
@@ -76,14 +71,10 @@ module UserPromptInjection {
   /**
    * A comparison with a constant, considered as a sanitizer-guard.
    */
-  private class ConstCompareBarrierGuard extends DataFlow::ValueNode
-  {
+  private class ConstCompareBarrierGuard extends DataFlow::ValueNode {
     override EqualityTest astNode;
 
-    ConstCompareBarrierGuard()
-    {
-      astNode.hasOperands(_, any(ConstantString cs))
-    }
+    ConstCompareBarrierGuard() { astNode.hasOperands(_, any(ConstantString cs)) }
 
     predicate blocksExpr(boolean outcome, Expr e) {
       outcome = astNode.getPolarity() and
@@ -92,4 +83,4 @@ module UserPromptInjection {
       not e instanceof ConstantString
     }
   }
-}
+}