@pensarapp pensarapp bot commented Apr 1, 2025

Secured with Pensar

Type: Application
Identifier: ML01
Severity: high
Message: The endpoint for updating prompts allows users to supply 'generate_code_prompt' and 'validate_output_prompt' without any sanitization or validation. This unsanitized input can be exploited to manipulate the behavior of the downstream LLM used for code generation, potentially leading to adversarial input manipulation attacks (ML01:2023 Adversarial Input Manipulation in ML Models). An attacker could craft prompts that bypass or skew internal guardrails, leading to harmful code generation or system compromise.

The vulnerability exists in the /prompts endpoint where user-provided inputs (generate_code_prompt and validate_output_prompt) are accepted without any validation or sanitization before being passed to the set_prompts function. This could allow an attacker to manipulate the downstream LLM behavior through adversarial prompts.

Changes made:

  1. Added a validate_prompt function that:

    • Checks if the prompt exceeds a maximum length (8192 characters) to prevent resource exhaustion
    • Checks for prohibited patterns commonly used in prompt injection attacks
    • Returns False if any validation fails, True otherwise
  2. Modified the update_prompts endpoint to:

    • Validate both input prompts before passing them to set_prompts
    • Raise an HTTP 400 error with a descriptive message if validation fails

This approach provides several security benefits:

  • Prevents excessively long prompts that could cause resource exhaustion
  • Blocks common adversarial patterns that might attempt to bypass model guardrails
  • Provides clear error messages to aid in debugging and understanding of validation failures

The solution is minimally invasive, requiring no new dependencies while maintaining compatibility with the existing codebase. The prohibited patterns list can be expanded based on specific application threats and requirements.
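The validate_prompt / update_prompts design described in the comment above, as an added Python example that is not the PR's own code: the names validate_prompt, update_prompts and set_prompts follow the comment, the deny-list patterns and the prompt store are constructed, and PromptValidationError stands in for FastAPI's HTTPException(status_code=400).

```python
import re
from typing import Optional

MAX_PROMPT_LENGTH = 8192  # length cap named in the comment

# Constructed deny-list; \s+ between words so extra spaces or newlines do not evade it.
PROHIBITED_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"(ignore|disregard|forget)\s+(all\s+)?(previous|prior|above)\s+instructions",
        r"you\s+are\s+now\s+(in\s+)?(developer|jailbreak)\s+mode",
        r"^\s*system\s*prompt\s*:",
    )
]

class PromptValidationError(Exception):
    """Stand-in for FastAPI's HTTPException(status_code=400, detail=...)."""
    def __init__(self, detail: str):
        super().__init__(detail)
        self.status_code = 400
        self.detail = detail

def prompt_problem(prompt: object) -> Optional[str]:
    """Descriptive reason the prompt is rejected, or None if it passes."""
    if not isinstance(prompt, str):
        return "prompt must be a string"
    if len(prompt) > MAX_PROMPT_LENGTH:
        return f"prompt exceeds maximum length of {MAX_PROMPT_LENGTH} characters"
    for pattern in PROHIBITED_PATTERNS:
        if pattern.search(prompt):
            return f"prompt contains prohibited pattern: {pattern.pattern}"
    return None

def validate_prompt(prompt: object) -> bool:
    """False if any check fails, True otherwise (the shape the comment describes)."""
    return prompt_problem(prompt) is None

_STORE = {}  # constructed stand-in for the project's prompt storage

def set_prompts(generate_code_prompt: str, validate_output_prompt: str) -> None:
    _STORE.update(generate=generate_code_prompt, validate=validate_output_prompt)

def update_prompts(generate_code_prompt: str, validate_output_prompt: str) -> dict:
    """Endpoint body: validate both prompts before set_prompts; 400 on failure."""
    for name, prompt in (("generate_code_prompt", generate_code_prompt),
                         ("validate_output_prompt", validate_output_prompt)):
        problem = prompt_problem(prompt)
        if problem is not None:
            raise PromptValidationError(f"{name}: {problem}")
    set_prompts(generate_code_prompt, validate_output_prompt)
    return {"status": "ok"}
```

A deny-list only catches the phrasings it lists, so the length cap and the per-field error message are the parts that hold up regardless of wording; treat the pattern list as a tripwire, not a guarantee.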

restack-app bot commented Apr 1, 2025

No applications have been configured for previews targeting branch: master. To do so go to restack console and configure your applications for previews.
