github
diff --git a/‎python/ql/integration-tests/query-suite/not_included_in_qls.expected‎
Lines changed: 2 additions & 1 deletion b/‎python/ql/integration-tests/query-suite/not_included_in_qls.expected‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎python/ql/lib/change-notes/2026-06-18-prompt-injection-models.md‎
Lines changed: 4 additions & 0 deletions b/‎python/ql/lib/change-notes/2026-06-18-prompt-injection-models.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎python/ql/lib/semmle/python/frameworks/agent.model.yml‎
Lines changed: 7 additions & 1 deletion b/‎python/ql/lib/semmle/python/frameworks/agent.model.yml‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎python/ql/lib/semmle/python/frameworks/anthropic.model.yml‎
Lines changed: 5 additions & 6 deletions b/‎python/ql/lib/semmle/python/frameworks/anthropic.model.yml‎
Lines changed: 5 additions & 6 deletions
diff --git a/‎python/ql/lib/semmle/python/frameworks/google-genai.model.yml‎
Lines changed: 18 additions & 0 deletions b/‎python/ql/lib/semmle/python/frameworks/google-genai.model.yml‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎python/ql/lib/semmle/python/frameworks/langchain.model.yml‎
Lines changed: 31 additions & 0 deletions b/‎python/ql/lib/semmle/python/frameworks/langchain.model.yml‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎python/ql/lib/semmle/python/frameworks/openai.model.yml‎
Lines changed: 11 additions & 4 deletions b/‎python/ql/lib/semmle/python/frameworks/openai.model.yml‎
Lines changed: 11 additions & 4 deletions
diff --git a/‎python/ql/lib/semmle/python/frameworks/openrouter.model.yml‎
Lines changed: 13 additions & 0 deletions b/‎python/ql/lib/semmle/python/frameworks/openrouter.model.yml‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎python/ql/src/change-notes/2026-06-18-prompt-injection-queries.md‎
Lines changed: 4 additions & 0 deletions b/‎python/ql/src/change-notes/2026-06-18-prompt-injection-queries.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎python/ql/src/experimental/Security/CWE-1427/PromptInjection.qhelp‎
Lines changed: 0 additions & 24 deletions b/‎python/ql/src/experimental/Security/CWE-1427/PromptInjection.qhelp‎
Lines changed: 0 additions & 24 deletions
@@ -87,7 +87,8 @@ ql/python/ql/src/experimental/Security/CWE-079/EmailXss.ql
 ql/python/ql/src/experimental/Security/CWE-091/XsltInjection.ql
 ql/python/ql/src/experimental/Security/CWE-094/Js2Py.ql
 ql/python/ql/src/experimental/Security/CWE-1236/CsvInjection.ql
-ql/python/ql/src/experimental/Security/CWE-1427/PromptInjection.ql
+ql/python/ql/src/experimental/Security/CWE-1427/SystemPromptInjection.ql
+ql/python/ql/src/experimental/Security/CWE-1427/UserPromptInjection.ql
 ql/python/ql/src/experimental/Security/CWE-176/UnicodeBypassValidation.ql
 ql/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql
 ql/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql
 
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added prompt-injection sink models (`system-prompt-injection` and `user-prompt-injection` kinds) for the `openai`, `agents`, `anthropic`, `google-genai`, `openrouter` and `langchain` frameworks.
@@ -3,4 +3,10 @@ extensions:
       pack: codeql/python-all
       extensible: sinkModel
     data:
-      - ['agents', 'Member[Agent].Argument[instructions:]', 'prompt-injection']
+      # Agent instructions, handoff descriptions and tool descriptions are system-level prompts
+      - ['agents', 'Member[Agent].Argument[instructions:]', 'system-prompt-injection']
+      - ['agents', 'Member[Agent].Argument[handoff_description:]', 'system-prompt-injection']
+      - ['agents', 'Member[FunctionTool].Argument[description:]', 'system-prompt-injection']
+      # The input passed to a run is user-level content
+      - ['agents', 'Member[Runner].Member[run,run_sync,run_streamed].Argument[1]', 'user-prompt-injection']
+      - ['agents', 'Member[Runner].Member[run,run_sync,run_streamed].Argument[input:]', 'user-prompt-injection']
@@ -3,12 +3,11 @@ extensions:
       pack: codeql/python-all
       extensible: sinkModel
     data:
-      - ['Anthropic', 'Member[messages].Member[create].Argument[system:]', 'prompt-injection']
-      - ['Anthropic', 'Member[messages].Member[stream].Argument[system:]', 'prompt-injection']
-      - ['Anthropic', 'Member[beta].Member[messages].Member[create].Argument[system:]', 'prompt-injection']
-      - ['Anthropic', 'Member[messages].Member[create].Argument[messages:].ListElement.DictionaryElement[content]', 'prompt-injection']
-      - ['Anthropic', 'Member[messages].Member[stream].Argument[messages:].ListElement.DictionaryElement[content]', 'prompt-injection']
-      - ['Anthropic', 'Member[beta].Member[messages].Member[create].Argument[messages:].ListElement.DictionaryElement[content]', 'prompt-injection']
+      # The `system` field is a system-level prompt
+      - ['Anthropic', 'Member[messages].Member[create,stream].Argument[system:]', 'system-prompt-injection']
+      - ['Anthropic', 'Member[messages].Member[create,stream].Argument[system:].ListElement.DictionaryElement[text]', 'system-prompt-injection']
+      - ['Anthropic', 'Member[beta].Member[messages].Member[create,stream].Argument[system:]', 'system-prompt-injection']
+      - ['Anthropic', 'Member[beta].Member[messages].Member[create,stream].Argument[system:].ListElement.DictionaryElement[text]', 'system-prompt-injection']
 
   - addsTo:
       pack: codeql/python-all
 
@@ -0,0 +1,18 @@
+extensions:
+  - addsTo:
+      pack: codeql/python-all
+      extensible: sinkModel
+    data:
+      # `system_instruction` on the generation config is a system-level prompt
+      - ['google.genai', 'Member[types].Member[GenerateContentConfig].Argument[system_instruction:]', 'system-prompt-injection']
+      # User-level content
+      - ['GoogleGenAI', 'Member[models].Member[generate_content,generate_content_stream].Argument[contents:]', 'user-prompt-injection']
+      - ['GoogleGenAI', 'Member[models].Member[generate_images,generate_videos].Argument[prompt:]', 'user-prompt-injection']
+      - ['GoogleGenAI', 'Member[chats].Member[create].ReturnValue.Member[send_message,send_message_stream].Argument[0]', 'user-prompt-injection']
+      - ['GoogleGenAI', 'Member[chats].Member[create].ReturnValue.Member[send_message,send_message_stream].Argument[message:]', 'user-prompt-injection']
+
+  - addsTo:
+      pack: codeql/python-all
+      extensible: typeModel
+    data:
+      - ['GoogleGenAI', 'google.genai', 'Member[Client].ReturnValue']
@@ -0,0 +1,31 @@
+extensions:
+  - addsTo:
+      pack: codeql/python-all
+      extensible: sinkModel
+    data:
+      # Message constructors. The first positional argument or the `content` keyword
+      # carries the message text.
+      - ['langchain_core.messages', 'Member[SystemMessage].Argument[0]', 'system-prompt-injection']
+      - ['langchain_core.messages', 'Member[SystemMessage].Argument[content:]', 'system-prompt-injection']
+      - ['langchain.schema', 'Member[SystemMessage].Argument[0]', 'system-prompt-injection']
+      - ['langchain.schema', 'Member[SystemMessage].Argument[content:]', 'system-prompt-injection']
+      - ['langchain_core.messages', 'Member[HumanMessage].Argument[0]', 'user-prompt-injection']
+      - ['langchain_core.messages', 'Member[HumanMessage].Argument[content:]', 'user-prompt-injection']
+      - ['langchain.schema', 'Member[HumanMessage].Argument[0]', 'user-prompt-injection']
+      - ['langchain.schema', 'Member[HumanMessage].Argument[content:]', 'user-prompt-injection']
+      # Invoking a chat model with user input.
+      - ['LangChainChatModel', 'Member[invoke,stream,predict,call].Argument[0]', 'user-prompt-injection']
+      - ['LangChainChatModel', 'Member[batch].Argument[0].ListElement', 'user-prompt-injection']
+
+  - addsTo:
+      pack: codeql/python-all
+      extensible: typeModel
+    data:
+      - ['LangChainChatModel', 'langchain_openai', 'Member[ChatOpenAI,AzureChatOpenAI].ReturnValue']
+      - ['LangChainChatModel', 'langchain_anthropic', 'Member[ChatAnthropic].ReturnValue']
+      - ['LangChainChatModel', 'langchain_google_genai', 'Member[ChatGoogleGenerativeAI].ReturnValue']
+      - ['LangChainChatModel', 'langchain_mistralai', 'Member[ChatMistralAI].ReturnValue']
+      - ['LangChainChatModel', 'langchain_groq', 'Member[ChatGroq].ReturnValue']
+      - ['LangChainChatModel', 'langchain_cohere', 'Member[ChatCohere].ReturnValue']
+      - ['LangChainChatModel', 'langchain_ollama', 'Member[ChatOllama].ReturnValue']
+      - ['LangChainChatModel', 'langchain_aws', 'Member[ChatBedrock,ChatBedrockConverse].ReturnValue']
@@ -3,10 +3,17 @@ extensions:
       pack: codeql/python-all
       extensible: sinkModel
     data:
-      - ['OpenAI', 'Member[beta].Member[assistants].Member[create].Argument[instructions:]', 'prompt-injection']
-      - ['OpenAI', 'Member[chat].Member[completions].Member[create].Argument[messages:].ListElement.DictionaryElement[content]', 'prompt-injection']
-      - ['OpenAI', 'Member[responses].Member[create].Argument[instructions:]', 'prompt-injection']
-      - ['OpenAI', 'Member[responses].Member[create].Argument[input:]', 'prompt-injection']
+      # System-level prompts and instructions
+      - ['OpenAI', 'Member[responses].Member[create].Argument[instructions:]', 'system-prompt-injection']
+      - ['OpenAI', 'Member[beta].Member[assistants].Member[create].Argument[instructions:]', 'system-prompt-injection']
+      - ['OpenAI', 'Member[beta].Member[assistants].Member[update].Argument[instructions:]', 'system-prompt-injection']
+      - ['OpenAI', 'Member[beta].Member[threads].Member[runs].Member[create].Argument[instructions:]', 'system-prompt-injection']
+      - ['OpenAI', 'Member[beta].Member[threads].Member[runs].Member[create].Argument[additional_instructions:]', 'system-prompt-injection']
+      # User-level prompts
+      - ['OpenAI', 'Member[responses].Member[create].Argument[input:]', 'user-prompt-injection']
+      - ['OpenAI', 'Member[completions].Member[create].Argument[prompt:]', 'user-prompt-injection']
+      - ['OpenAI', 'Member[images].Member[generate,edit].Argument[prompt:]', 'user-prompt-injection']
+      - ['OpenAI', 'Member[audio].Member[transcriptions,translations].Member[create].Argument[prompt:]', 'user-prompt-injection']
 
   - addsTo:
       pack: codeql/python-all
 
@@ -0,0 +1,13 @@
+extensions:
+  - addsTo:
+      pack: codeql/python-all
+      extensible: sinkModel
+    data:
+      # Embeddings input is user-level content
+      - ['OpenRouter', 'Member[embeddings].Member[create].Argument[input:]', 'user-prompt-injection']
+
+  - addsTo:
+      pack: codeql/python-all
+      extensible: typeModel
+    data:
+      - ['OpenRouter', 'openrouter', 'Member[OpenRouter].ReturnValue']
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Replaced the experimental `py/prompt-injection` query with two new experimental queries, `py/system-prompt-injection` and `py/user-prompt-injection`, to distinguish untrusted data flowing into system-level prompts and tool descriptions from data flowing into user-role prompts. The queries model the `openai`, `agents`, `anthropic`, `google-genai`, `openrouter` and `langchain` frameworks.
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added prompt-injection sink models (`system-prompt-injection` and `user-prompt-injection` kinds) for the `openai`, `agents`, `anthropic`, `google-genai`, `openrouter` and `langchain` frameworks.