Improve PromptInjectionMedium.ql & update change-notes

Author: data-douser

actions/ql/lib/change-notes/2026-04-08-prompt-injection-library.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added `PromptInjectionQuery.qll` library and `prompt_injection_sinks.model.yml` models-as-data file for detecting prompt injection (CWE-1427) in GitHub Actions AI inference workflows. Added `prompt-injection` to control check categories in `ControlChecks.qll`.

actions/ql/lib/codeql/actions/security/PromptInjectionQuery.qll

@@ -78,21 +78,30 @@ predicate criticalSeverityPromptInjection(
 }
 
 /**
- * Gets the relevant event for a sink in any externally triggerable context,
- * excluding sinks protected by control checks for the prompt-injection category.
- * This is broader than `getRelevantEventForSink` — it includes non-privileged
- * events like `pull_request` where an attacker can still control event properties
- * (PR title, body, branch name) that flow into AI prompts.
+ * Gets the relevant event for a sink on any externally triggerable event
+ * that is NOT already covered by the critical-severity predicate.
+ * This captures flows on non-privileged events (e.g. `pull_request`),
+ * read-only privileged events (e.g. `pull_request_target` with read permissions),
+ * and any other externally triggerable context that Critical excludes.
+ *
+ * Only actor/association control checks suppress Medium findings because
+ * repository checks do not prevent prompt injection — any user who can
+ * open an issue/PR on the target repo can inject into the prompt content.
  */
 Event getRelevantEventForMediumSeverity(DataFlow::Node sink) {
   exists(LocalJob job |
     job = sink.asExpr().getEnclosingJob() and
     job.getATriggerEvent() = result and
     result.isExternallyTriggerable() and
-    not inPrivilegedContext(sink.asExpr(), result) and
     not result.getName() = "repository_dispatch" and
-    not exists(ControlCheck check | check.protects(sink.asExpr(), result, "prompt-injection"))
-  )
+    // Only actor/association checks suppress medium findings
+    not exists(ControlCheck check |
+      check.protects(sink.asExpr(), result, "prompt-injection") and
+      (check instanceof ActorCheck or check instanceof AssociationCheck)
+    )
+  ) and
+  // Exclude events already reported at critical severity
+  not result = getRelevantEventForPromptInjection(sink)
 }
 
 /**
@@ -123,6 +132,8 @@ private module PromptInjectionConfig implements DataFlow::ConfigSig {
     result = sink.getLocation()
     or
     result = getRelevantEventForPromptInjection(sink).getLocation()
+    or
+    result = getRelevantEventForMediumSeverity(sink).getLocation()
   }
 }
 

actions/ql/src/change-notes/2026-04-08-prompt-injection-queries.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added new experimental queries `actions/prompt-injection/critical` and `actions/prompt-injection/medium` to detect prompt injection vulnerabilities (CWE-1427) in GitHub Actions workflows that pass user-controlled data into AI inference action prompts.

actions/ql/test/query-tests/Security/CWE-1427/.github/workflows/vulnerable11.yml

@@ -0,0 +1,19 @@
+name: AI PR Template Check on pull_request_target
+on:
+  pull_request_target:
+    types: [opened]
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+    steps:
+      - name: AI template check
+        uses: warpdotdev/oz-agent-action@v1
+        with:
+          prompt: |
+            Check this PR against the template:
+            Title: ${{ github.event.pull_request.title }}
+            Body: ${{ github.event.pull_request.body }}