Add example to qlhelp

mbaluda · mbaluda · commit bacecb725026 · 2026-01-02T13:32:33.000+01:00
diff --git a/python/ql/src/Security/CWE-1427/PromptInjection.qhelp b/python/ql/src/Security/CWE-1427/PromptInjection.qhelp
@@ -14,11 +14,12 @@ operations that were not intended.</p>
 
 <example>
 <p>In the following examples, the cases marked GOOD show secure prompt construction; whereas in the case marked BAD they may be susceptible to prompt injection.</p>
-<sample src="examples/TODO.py" />
+<sample src="examples/example.py" />
 </example>
 
 <references>
 <li>OWASP: <a href="https://owasp.org/www-community/attacks/PromptInjection">PromptInjection</a>.</li>
+<li>OpenAI: <a href="https://openai.github.io/openai-guardrails-python">Guardrails</a>.</li>
 </references>
 
 </qhelp>
diff --git a/python/ql/src/Security/CWE-1427/examples/example.py b/python/ql/src/Security/CWE-1427/examples/example.py
@@ -0,0 +1,17 @@
+from flask import Flask, request
+from agents import Agent, Runner
+from guardrails import GuardrailAgent
+
+@app.route("/parameter-route")
+def get_input():
+    input = request.args.get("input")
+
+    goodAgent = GuardrailAgent(  # GOOD: AGent created with guardrails automatically configured.
+        config=Path("guardrails_config.json"),
+        name="Assistant",
+        instructions="This prompt is customized for " + input)
+
+    badAgent = Agent(
+        name="Assistant",
+        instructions="This prompt is customized for " + input  # BAD: user input in agent instruction.
+    )
