1. Enable inline expectations for tests

2. Add annotations for sources
2. Fix a modelling issue in the openai library - missing coverage for a legacy method when moving to MaDs and a mistake in the assistants.create models

Author: BazookaMusic

javascript/ql/lib/ext/openai.model.yml

@@ -12,7 +12,9 @@ extensions:
       extensible: sinkModel
     data:
       - ["openai.Client", "Member[responses].Member[create].Argument[0].Member[instructions]", "system-prompt-injection"]
-      - ["openai.Client", "Member[beta].Member[assistants].Member[create,update].Argument[0].Member[instructions]", "system-prompt-injection"]
+      - ["openai.Client", "Member[completions].Member[create].Argument[0].Member[prompt]", "system-prompt-injection"]
+      - ["openai.Client", "Member[beta].Member[assistants].Member[create].Argument[0].Member[instructions]", "system-prompt-injection"]
+      - ["openai.Client", "Member[beta].Member[assistants].Member[update].Argument[1].Member[instructions]", "system-prompt-injection"]
       - ["openai.Client", "Member[beta].Member[threads].Member[runs].Member[create].Argument[1].Member[instructions,additional_instructions]", "system-prompt-injection"]
       - ["@openai/agents", "Member[Agent].Argument[0].Member[instructions,handoffDescription]", "system-prompt-injection"]
       - ["@openai/guardrails", "Member[Agent].Argument[0].Member[instructions,handoffDescription]", "system-prompt-injection"]

javascript/ql/test/Security/CWE-1427/SystemPromptInjection/SystemPromptInjection.expected

@@ -1 +1,2 @@
-Security/CWE-1427/SystemPromptInjection.ql
+query: Security/CWE-1427/SystemPromptInjection.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

javascript/ql/test/Security/CWE-1427/SystemPromptInjection/SystemPromptInjection.qlref

@@ -5,7 +5,7 @@ const { z } = require("zod");
 const app = express();
 
 app.get("/agents", async (req, res) => {
-  const persona = req.query.persona;
+  const persona = req.query.persona; // $ Source
   const query = req.query.query;
 
   // === Agent constructor: instructions as string ===
@@ -30,8 +30,8 @@ app.get("/agents", async (req, res) => {
   const agent3 = new Agent({
     name: "AsyncDynamic",
     instructions: async (runContext) => {
-      return "Talk like a " + persona; // $ Alert[js/system-prompt-injection]
-    },
+      return "Talk like a " + persona;
+    }, // $ Alert[js/system-prompt-injection]
   });
 
   // === Agent constructor: handoffDescription ===

javascript/ql/test/Security/CWE-1427/SystemPromptInjection/agents_test.js

@@ -5,7 +5,7 @@ const app = express();
 const client = new Anthropic();
 
 app.get("/test", async (req, res) => {
-  const persona = req.query.persona;
+  const persona = req.query.persona; // $ Source
   const query = req.query.query;
 
   // === messages.create: system as string ===
@@ -138,14 +138,14 @@ app.get("/test", async (req, res) => {
   // SHOULD ALERT — tainted data goes into system role; barrier on user role
   // must not suppress the system-role taint path.
   const messages2 = [
-    { role: "system", content: "Talk like a " + persona }, // $ Alert[js/system-prompt-injection]
+    { role: "system", content: "Talk like a " + persona },
     { role: "user", content: query },
   ];
   const systemMsg2 = messages2.find((m) => m.role === "system");
   const m7 = await client.messages.create({
     model: "claude-sonnet-4-20250514",
     max_tokens: 1024,
-    system: systemMsg2.content,
+    system: systemMsg2.content, // $ Alert[js/system-prompt-injection]
     messages: [{ role: "user", content: query }],
   });
 

javascript/ql/test/Security/CWE-1427/SystemPromptInjection/anthropic_test.js

@@ -5,7 +5,7 @@ const app = express();
 const ai = new GoogleGenAI({ apiKey: "test-key" });
 
 app.get("/test", async (req, res) => {
-  const persona = req.query.persona;
+  const persona = req.query.persona; // $ Source
   const query = req.query.query;
 
   // === generateContent: systemInstruction ===
@@ -62,18 +62,18 @@ app.get("/test", async (req, res) => {
 
   // === generateImages: prompt ===
 
-  // SHOULD ALERT
+  // SHOULD NOT ALERT - image prompt is a user-prompt-injection sink, not system
   const g5 = await ai.models.generateImages({
     model: "imagen-3.0-generate-002",
-    prompt: "Draw a picture of " + persona, // $ Alert[js/system-prompt-injection]
+    prompt: "Draw a picture of " + persona,
   });
 
   // === editImage: prompt ===
 
-  // SHOULD ALERT
+  // SHOULD NOT ALERT - image prompt is a user-prompt-injection sink, not system
   const g6 = await ai.models.editImage({
     model: "imagen-3.0-capability-001",
-    prompt: "Edit to look like " + persona, // $ Alert[js/system-prompt-injection]
+    prompt: "Edit to look like " + persona,
   });
 
   // === chats.create: systemInstruction ===
@@ -105,7 +105,7 @@ app.get("/test", async (req, res) => {
       systemInstruction: "Talk like a " + persona, // $ Alert[js/system-prompt-injection]
     },
     callbacks: {
-      onmessage: (msg) => {},
+      onmessage: (msg) => { },
     },
   });
 

javascript/ql/test/Security/CWE-1427/SystemPromptInjection/gemini_test.js

@@ -6,7 +6,7 @@ const { createAgent } = require("langchain");
 const app = express();
 
 app.get("/test", async (req, res) => {
-  const persona = req.query.persona;
+  const persona = req.query.persona; // $ Source
   const query = req.query.query;
 
   const chatModel = new ChatOpenAI({ model: "gpt-4" });

javascript/ql/test/Security/CWE-1427/SystemPromptInjection/langchain_test.js

@@ -8,7 +8,7 @@ const client = new OpenAI();
 const azureClient = new AzureOpenAI();
 
 app.get("/test", async (req, res) => {
-  const persona = req.query.persona;
+  const persona = req.query.persona; // $ Source
   const query = req.query.query;
 
   // === OpenAI Responses API ===
@@ -120,18 +120,6 @@ app.get("/test", async (req, res) => {
     prompt: "Talk like a " + persona, // $ Alert[js/system-prompt-injection]
   });
 
-  // === Images API ===
-
-  // images.generate (SHOULD ALERT)
-  const i1 = await client.images.generate({
-    prompt: "Draw a picture of " + persona, // $ Alert[js/system-prompt-injection]
-  });
-
-  // images.edit (SHOULD ALERT)
-  const i2 = await client.images.edit({
-    prompt: "Edit to look like " + persona, // $ Alert[js/system-prompt-injection]
-  });
-
   // === Assistants API (beta) ===
 
   // assistants.create (SHOULD ALERT)
@@ -170,22 +158,6 @@ app.get("/test", async (req, res) => {
     content: query, // OK - user role
   });
 
-  // === Audio API ===
-
-  // audio.transcriptions.create (SHOULD ALERT)
-  const at1 = await client.audio.transcriptions.create({
-    file: "audio.mp3",
-    model: "whisper-1",
-    prompt: "Transcribe about " + persona, // $ Alert[js/system-prompt-injection]
-  });
-
-  // audio.translations.create (SHOULD ALERT)
-  const atl1 = await client.audio.translations.create({
-    file: "audio.mp3",
-    model: "whisper-1",
-    prompt: "Translate about " + persona, // $ Alert[js/system-prompt-injection]
-  });
-
   // === Object assigned to variable first ===
 
   // Should still be caught via data flow

javascript/ql/test/Security/CWE-1427/SystemPromptInjection/openai_test.js

@@ -9,7 +9,7 @@ const client = new OpenRouter();
 const namedClient = new OpenRouterNamed();
 
 app.get("/test", async (req, res) => {
-  const persona = req.query.persona;
+  const persona = req.query.persona; // $ Source
   const query = req.query.query;
 
   // === OpenRouter Client SDK: chat.send ===
@@ -124,7 +124,7 @@ app.get("/test", async (req, res) => {
     name: "lookup",
     description: "Talk like a " + persona, // $ Alert[js/system-prompt-injection]
     inputSchema: {},
-    execute: async () => {},
+    execute: async () => { },
   });
 
   // input array with user role (SHOULD NOT ALERT)