Add additional Python prompt-injection sinks for uncovered SDK methods

Cover prompt-carrying public API methods that were missing from the
framework models:

- OpenAI: videos.create/create_and_poll/edit/remix/extend (Sora, user),
  beta.realtime.sessions.create instructions (system), and role-filtered
  beta.threads.messages.create content (Assistants API).
- Anthropic: legacy completions.create prompt (user).
- agents: Agent.as_tool tool_description (system).
- Google GenAI: caches.create CreateCachedContentConfig system_instruction
  (system) and contents (user).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: BazookaMusic

python/ql/lib/semmle/python/frameworks/OpenAI.qll

@@ -103,6 +103,18 @@ module OpenAI {
     result = msg.getSubscript("content").getASubscript().getSubscript("text")
   }
 
+  /** Gets the `beta.threads.messages.create` call (Assistants API thread messages). */
+  private API::Node threadMessageCreate() {
+    result =
+      classRef().getMember("beta").getMember("threads").getMember("messages").getMember("create")
+  }
+
+  /** Holds if the `role` keyword of thread-message `call` is a privileged (assistant) role. */
+  private predicate threadRoleIsAssistant(API::Node call) {
+    call.getKeywordParameter("role").getAValueReachingSink().asExpr().(StringLiteral).getText() =
+      "assistant"
+  }
+
   /**
    * Gets role-filtered system/developer/assistant message content sinks that
    * MaD cannot express.
@@ -111,6 +123,10 @@ module OpenAI {
     exists(API::Node msg | msg = [chatMessage(), responsesMessage()] and isSystemOrDevMessage(msg) |
       result = messageContent(msg)
     )
+    or
+    exists(API::Node call | call = threadMessageCreate() and threadRoleIsAssistant(call) |
+      result = call.getKeywordParameter("content")
+    )
   }
 
   /**
@@ -124,6 +140,10 @@ module OpenAI {
       result = messageContent(msg)
     )
     or
+    exists(API::Node call | call = threadMessageCreate() and not threadRoleIsAssistant(call) |
+      result = call.getKeywordParameter("content")
+    )
+    or
     // realtime conversation items, role cannot be statically resolved in general
     result =
       classRef()

python/ql/lib/semmle/python/frameworks/agent.model.yml

@@ -6,6 +6,7 @@ extensions:
       # Agent instructions, handoff descriptions and tool descriptions are system-level prompts
       - ['agents', 'Member[Agent].Argument[instructions:]', 'system-prompt-injection']
       - ['agents', 'Member[Agent].Argument[handoff_description:]', 'system-prompt-injection']
+      - ['agents', 'Member[Agent].ReturnValue.Member[as_tool].Argument[1,tool_description:]', 'system-prompt-injection']
       - ['agents', 'Member[FunctionTool].Argument[description:]', 'system-prompt-injection']
       # The input passed to a run is user-level content
       - ['agents', 'Member[Runner].Member[run,run_sync,run_streamed].Argument[1]', 'user-prompt-injection']

python/ql/lib/semmle/python/frameworks/anthropic.model.yml

@@ -10,6 +10,8 @@ extensions:
       - ['Anthropic', 'Member[beta].Member[messages].Member[create,stream].Argument[system:].ListElement.DictionaryElement[text]', 'system-prompt-injection']
       # The managed agents `system` field is a system-level prompt
       - ['Anthropic', 'Member[beta].Member[agents].Member[create,update].Argument[system:]', 'system-prompt-injection']
+      # The legacy Text Completions API `prompt` is user-level content
+      - ['Anthropic', 'Member[completions].Member[create].Argument[prompt:]', 'user-prompt-injection']
 
   - addsTo:
       pack: codeql/python-all

python/ql/lib/semmle/python/frameworks/google-genai.model.yml

@@ -5,6 +5,9 @@ extensions:
     data:
       # `system_instruction` on the generation config is a system-level prompt
       - ['google.genai', 'Member[types].Member[GenerateContentConfig].Argument[system_instruction:]', 'system-prompt-injection']
+      # Cached content carries a system instruction and user content
+      - ['google.genai', 'Member[types].Member[CreateCachedContentConfig].Argument[system_instruction:]', 'system-prompt-injection']
+      - ['google.genai', 'Member[types].Member[CreateCachedContentConfig].Argument[contents:]', 'user-prompt-injection']
       # User-level content
       - ['GoogleGenAI', 'Member[models].Member[generate_content,generate_content_stream].Argument[contents:]', 'user-prompt-injection']
       - ['GoogleGenAI', 'Member[models].Member[generate_images,generate_videos,edit_image].Argument[prompt:]', 'user-prompt-injection']

python/ql/lib/semmle/python/frameworks/openai.model.yml

@@ -9,11 +9,15 @@ extensions:
       - ['OpenAI', 'Member[beta].Member[assistants].Member[update].Argument[instructions:]', 'system-prompt-injection']
       - ['OpenAI', 'Member[beta].Member[threads].Member[runs].Member[create].Argument[instructions:]', 'system-prompt-injection']
       - ['OpenAI', 'Member[beta].Member[threads].Member[runs].Member[create].Argument[additional_instructions:]', 'system-prompt-injection']
+      # The default system instructions for a realtime session
+      - ['OpenAI', 'Member[beta].Member[realtime].Member[sessions].Member[create].Argument[instructions:]', 'system-prompt-injection']
       # User-level prompts
       - ['OpenAI', 'Member[responses].Member[create].Argument[input:]', 'user-prompt-injection']
       - ['OpenAI', 'Member[completions].Member[create].Argument[prompt:]', 'user-prompt-injection']
       - ['OpenAI', 'Member[images].Member[generate,edit].Argument[prompt:]', 'user-prompt-injection']
       - ['OpenAI', 'Member[audio].Member[transcriptions,translations].Member[create].Argument[prompt:]', 'user-prompt-injection']
+      # Sora video generation prompts are user-level content
+      - ['OpenAI', 'Member[videos].Member[create,create_and_poll,edit,remix,extend].Argument[prompt:]', 'user-prompt-injection']
 
   - addsTo:
       pack: codeql/python-all