Add first version prompt injection query python openai agents sdk

Author: knewbury01

python/ql/lib/semmle/python/Frameworks.qll

@@ -54,6 +54,7 @@ private import semmle.python.frameworks.Multidict
 private import semmle.python.frameworks.Mysql
 private import semmle.python.frameworks.MySQLdb
 private import semmle.python.frameworks.Numpy
+private import semmle.python.frameworks.OpenAI
 private import semmle.python.frameworks.Opml
 private import semmle.python.frameworks.Oracledb
 private import semmle.python.frameworks.Pandas

python/ql/lib/semmle/python/frameworks/OpenAI.qll

@@ -0,0 +1,20 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `openAI`Agents SDK package.
+ * See https://github.com/openai/openai-agents-python.
+ */
+
+private import python
+private import semmle.python.ApiGraphs
+
+/**
+ * Provides models for Agent (instances of the `agents.Agent` class).
+ *
+ * See https://github.com/openai/openai-agents-python.
+ */
+module Agent {
+  /** Gets a reference to the `agents.Agent` class. */
+  API::Node classRef() { result = API::moduleImport("agents").getMember("Agent") }
+
+  /** Gets a reference to a potential property of `agents.Agent` called instructions which refers to the system prompt. */
+  API::Node sink() { result = classRef().getACall().getKeywordParameter("instructions") }
+}

python/ql/lib/semmle/python/security/dataflow/PromptInjectionCustomizations.qll

@@ -0,0 +1,37 @@
+import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.dataflow.new.BarrierGuards
+private import semmle.python.frameworks.OpenAI
+
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "prompt injection"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+module PromptInjection {
+  /**
+   * A data flow source for "prompt injection" vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for "prompt injection" vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for "prompt injection" vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * An active threat-model source, considered as a flow source.
+   */
+  private class ActiveThreatModelSourceAsSource extends Source, ActiveThreatModelSource { }
+
+  class SystemPromptSink extends Sink {
+    SystemPromptSink() { this = Agent::sink().asSink() }
+  }
+}

python/ql/lib/semmle/python/security/dataflow/PromptInjectionQuery.qll

@@ -0,0 +1,20 @@
+private import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import PromptInjectionCustomizations::PromptInjection
+
+private module PromptInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node instanceof Source }
+
+  predicate isSink(DataFlow::Node node) {
+    node instanceof Sink
+    //any()
+  }
+
+  predicate isBarrierIn(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+}
+
+/** Global taint-tracking for detecting "prompt injection" vulnerabilities. */
+module PromptInjectionFlow = TaintTracking::Global<PromptInjectionConfig>;

python/ql/src/Security/CWE-1427/PromptInjection.qhelp

@@ -0,0 +1,25 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Prompts can be constructed to bypass the original purposes of an agent and lead to sensitive data leak or 
+operations that were not intended.
+</p>
+</overview>
+
+<recommendation>
+Sanitize user input and also avoid using user input in developer or system level prompts.
+</recommendation>
+
+<example>
+<p>In the following examples, the cases marked GOOD show secure prompt construction; whereas in the case marked BAD they may be susceptible to prompt injection.</p>
+<sample src="examples/TODO.py" />
+</example>
+
+<references>
+<li>OWASP: <a href="https://owasp.org/www-community/attacks/PromptInjection">PromptInjection</a>.</li>
+</references>
+
+</qhelp>

python/ql/src/Security/CWE-1427/PromptInjection.ql

@@ -0,0 +1,20 @@
+/**
+ * @name User input used in developer message and or system prompt
+ * @description User input used in developer message and or system prompt can allow for Prompt Injection attacks.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 5.0
+ * @precision high
+ * @id py/prompt-injection
+ * @tags security
+ *       external/cwe/cwe-1427
+ */
+
+import python
+import semmle.python.security.dataflow.PromptInjectionQuery
+import PromptInjectionFlow::PathGraph
+
+from PromptInjectionFlow::PathNode source, PromptInjectionFlow::PathNode sink
+where PromptInjectionFlow::flowPath(source, sink)
+select sink.getNode(), source, sink, "This prompt construction depends on a $@.", source.getNode(),
+  "user-provided value"

python/ql/test/query-tests/Security/CWE-1427-PromptInjection/PromptInjection.expected

@@ -0,0 +1,18 @@
+edges
+| agent_instructions.py:2:26:2:32 | ControlFlowNode for ImportMember | agent_instructions.py:2:26:2:32 | ControlFlowNode for request | provenance |  |
+| agent_instructions.py:2:26:2:32 | ControlFlowNode for request | agent_instructions.py:7:13:7:19 | ControlFlowNode for request | provenance |  |
+| agent_instructions.py:7:5:7:9 | ControlFlowNode for input | agent_instructions.py:9:50:9:89 | ControlFlowNode for BinaryExpr | provenance |  |
+| agent_instructions.py:7:13:7:19 | ControlFlowNode for request | agent_instructions.py:7:13:7:24 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
+| agent_instructions.py:7:13:7:24 | ControlFlowNode for Attribute | agent_instructions.py:7:13:7:37 | ControlFlowNode for Attribute() | provenance | dict.get |
+| agent_instructions.py:7:13:7:37 | ControlFlowNode for Attribute() | agent_instructions.py:7:5:7:9 | ControlFlowNode for input | provenance |  |
+nodes
+| agent_instructions.py:2:26:2:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
+| agent_instructions.py:2:26:2:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| agent_instructions.py:7:5:7:9 | ControlFlowNode for input | semmle.label | ControlFlowNode for input |
+| agent_instructions.py:7:13:7:19 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| agent_instructions.py:7:13:7:24 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| agent_instructions.py:7:13:7:37 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| agent_instructions.py:9:50:9:89 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+subpaths
+#select
+| agent_instructions.py:9:50:9:89 | ControlFlowNode for BinaryExpr | agent_instructions.py:2:26:2:32 | ControlFlowNode for ImportMember | agent_instructions.py:9:50:9:89 | ControlFlowNode for BinaryExpr | This prompt construction depends on a $@. | agent_instructions.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |

python/ql/test/query-tests/Security/CWE-1427-PromptInjection/PromptInjection.qlref

@@ -0,0 +1 @@
+query: Security/CWE-1427/PromptInjection.ql

python/ql/test/query-tests/Security/CWE-1427-PromptInjection/agent_instructions.py

@@ -0,0 +1,12 @@
+from agents import Agent, Runner
+from flask import Flask, request # $ Source=flask
+app = Flask(__name__)
+
+@app.route("/parameter-route")
+def get_input():
+    input = request.args.get("input")
+
+    agent = Agent(name="Assistant", instructions="This prompt is customized for " + input) # $Alert[py/prompt-injection]
+
+    result = Runner.run_sync(agent, "This is a user message.")
+    print(result.final_output)