Merge pull request #190 from robinspt/fix/reflection-injection-sanitization

fix: sanitize reflection lines before prompt injection

Author: rwmjhb

index.ts

@@ -32,7 +32,7 @@ import {
 } from "./src/reflection-store.js";
 import {
   extractReflectionLearningGovernanceCandidates,
-  extractReflectionMappedMemoryItems,
+  extractInjectableReflectionMappedMemoryItems,
 } from "./src/reflection-slices.js";
 import { createReflectionEventId } from "./src/reflection-event-store.js";
 import { buildReflectionMappedMetadata } from "./src/reflection-mapped-metadata.js";
@@ -2768,7 +2768,7 @@ const memoryLanceDBProPlugin = {
             command: String(event.action || "unknown"),
           });
 
-          const mappedReflectionMemories = extractReflectionMappedMemoryItems(reflectionText);
+          const mappedReflectionMemories = extractInjectableReflectionMappedMemoryItems(reflectionText);
           for (const mapped of mappedReflectionMemories) {
             const vector = await embedder.embedPassage(mapped.text);
             let existing: Awaited<ReturnType<typeof store.vectorSearch>> = [];

src/reflection-slices.ts

@@ -90,6 +90,27 @@ export function sanitizeReflectionSliceLines(lines: string[]): string[] {
     .filter((line) => !isPlaceholderReflectionSliceLine(line));
 }
 
+const INJECTABLE_REFLECTION_BLOCK_PATTERNS: RegExp[] = [
+  /^\s*(?:(?:next|this)\s+run\s+)?(?:ignore|disregard|forget|override|bypass)\b[\s\S]{0,80}\b(?:instructions?|guardrails?|policy|developer|system)\b/i,
+  /\b(?:reveal|print|dump|show|output)\b[\s\S]{0,80}\b(?:system prompt|developer prompt|hidden prompt|hidden instructions?|full prompt|prompt verbatim|secrets?|keys?|tokens?)\b/i,
+  /<\s*\/?\s*(?:system|assistant|user|tool|developer|inherited-rules|derived-focus)\b[^>]*>/i,
+  /^(?:system|assistant|user|developer|tool)\s*:/i,
+];
+
+export function isUnsafeInjectableReflectionLine(line: string): boolean {
+  const normalized = normalizeReflectionSliceLine(line);
+  if (!normalized) return true;
+  return INJECTABLE_REFLECTION_BLOCK_PATTERNS.some((pattern) =>
+    pattern.test(normalized),
+  );
+}
+
+export function sanitizeInjectableReflectionLines(lines: string[]): string[] {
+  return sanitizeReflectionSliceLines(lines).filter(
+    (line) => !isUnsafeInjectableReflectionLine(line),
+  );
+}
+
 function isInvariantRuleLike(line: string): boolean {
   return /^(always|never|when\b|if\b|before\b|after\b|prefer\b|avoid\b|require\b|only\b|do not\b|must\b|should\b)/i.test(line) ||
     /\b(must|should|never|always|prefer|avoid|required?)\b/i.test(line);
@@ -172,7 +193,10 @@ export function extractReflectionMappedMemories(reflectionText: string): Reflect
   return extractReflectionMappedMemoryItems(reflectionText).map(({ text, category, heading }) => ({ text, category, heading }));
 }
 
-export function extractReflectionMappedMemoryItems(reflectionText: string): ReflectionMappedMemoryItem[] {
+function extractReflectionMappedMemoryItemsWithSanitizer(
+  reflectionText: string,
+  sanitizeLines: (lines: string[]) => string[],
+): ReflectionMappedMemoryItem[] {
   const mappedSections: Array<{
     heading: string;
     category: "preference" | "fact" | "decision";
@@ -201,30 +225,45 @@ export function extractReflectionMappedMemoryItems(reflectionText: string): Refl
   ];
 
   return mappedSections.flatMap(({ heading, category, mappedKind }) => {
-    const lines = sanitizeReflectionSliceLines(parseSectionBullets(reflectionText, heading));
+    const lines = sanitizeLines(parseSectionBullets(reflectionText, heading));
     const groupSize = lines.length;
     return lines.map((text, ordinal) => ({ text, category, heading, mappedKind, ordinal, groupSize }));
   });
 }
 
-export function extractReflectionSlices(reflectionText: string): ReflectionSlices {
+export function extractReflectionMappedMemoryItems(reflectionText: string): ReflectionMappedMemoryItem[] {
+  return extractReflectionMappedMemoryItemsWithSanitizer(reflectionText, sanitizeReflectionSliceLines);
+}
+
+export function extractInjectableReflectionMappedMemoryItems(reflectionText: string): ReflectionMappedMemoryItem[] {
+  return extractReflectionMappedMemoryItemsWithSanitizer(reflectionText, sanitizeInjectableReflectionLines);
+}
+
+export function extractInjectableReflectionMappedMemories(reflectionText: string): ReflectionMappedMemory[] {
+  return extractInjectableReflectionMappedMemoryItems(reflectionText).map(({ text, category, heading }) => ({ text, category, heading }));
+}
+
+function extractReflectionSlicesWithSanitizer(
+  reflectionText: string,
+  sanitizeLines: (lines: string[]) => string[],
+): ReflectionSlices {
   const invariantSection = parseSectionBullets(reflectionText, "Invariants");
   const derivedSection = parseSectionBullets(reflectionText, "Derived");
   const mergedSection = parseSectionBullets(reflectionText, "Invariants & Reflections");
 
-  const invariantsPrimary = sanitizeReflectionSliceLines(invariantSection).filter(isInvariantRuleLike);
-  const derivedPrimary = sanitizeReflectionSliceLines(derivedSection).filter(isDerivedDeltaLike);
+  const invariantsPrimary = sanitizeLines(invariantSection).filter(isInvariantRuleLike);
+  const derivedPrimary = sanitizeLines(derivedSection).filter(isDerivedDeltaLike);
 
-  const invariantLinesLegacy = sanitizeReflectionSliceLines(
+  const invariantLinesLegacy = sanitizeLines(
     mergedSection.filter((line) => /invariant|stable|policy|rule/i.test(line))
   ).filter(isInvariantRuleLike);
-  const reflectionLinesLegacy = sanitizeReflectionSliceLines(
+  const reflectionLinesLegacy = sanitizeLines(
     mergedSection.filter((line) => /reflect|inherit|derive|change|apply/i.test(line))
   ).filter(isDerivedDeltaLike);
-  const openLoopLines = sanitizeReflectionSliceLines(parseSectionBullets(reflectionText, "Open loops / next actions"))
+  const openLoopLines = sanitizeLines(parseSectionBullets(reflectionText, "Open loops / next actions"))
     .filter(isOpenLoopAction)
     .filter(isDerivedDeltaLike);
-  const durableDecisionLines = sanitizeReflectionSliceLines(parseSectionBullets(reflectionText, "Decisions (durable)"))
+  const durableDecisionLines = sanitizeLines(parseSectionBullets(reflectionText, "Decisions (durable)"))
     .filter(isInvariantRuleLike);
 
   const invariants = invariantsPrimary.length > 0
@@ -240,8 +279,15 @@ export function extractReflectionSlices(reflectionText: string): ReflectionSlice
   };
 }
 
-export function extractReflectionSliceItems(reflectionText: string): ReflectionSliceItem[] {
-  const slices = extractReflectionSlices(reflectionText);
+export function extractReflectionSlices(reflectionText: string): ReflectionSlices {
+  return extractReflectionSlicesWithSanitizer(reflectionText, sanitizeReflectionSliceLines);
+}
+
+export function extractInjectableReflectionSlices(reflectionText: string): ReflectionSlices {
+  return extractReflectionSlicesWithSanitizer(reflectionText, sanitizeInjectableReflectionLines);
+}
+
+function buildReflectionSliceItemsFromSlices(slices: ReflectionSlices): ReflectionSliceItem[] {
   const invariantGroupSize = slices.invariants.length;
   const derivedGroupSize = slices.derived.length;
 
@@ -262,3 +308,11 @@ export function extractReflectionSliceItems(reflectionText: string): ReflectionS
 
   return [...invariantItems, ...derivedItems];
 }
+
+export function extractReflectionSliceItems(reflectionText: string): ReflectionSliceItem[] {
+  return buildReflectionSliceItemsFromSlices(extractReflectionSlices(reflectionText));
+}
+
+export function extractInjectableReflectionSliceItems(reflectionText: string): ReflectionSliceItem[] {
+  return buildReflectionSliceItemsFromSlices(extractInjectableReflectionSlices(reflectionText));
+}

src/reflection-store.ts

@@ -1,8 +1,9 @@
 import type { MemoryEntry, MemorySearchResult } from "./store.js";
 import {
-  extractReflectionSliceItems,
-  extractReflectionSlices,
+  extractInjectableReflectionSliceItems,
+  extractInjectableReflectionSlices,
   sanitizeReflectionSliceLines,
+  sanitizeInjectableReflectionLines,
   type ReflectionSlices,
 } from "./reflection-slices.js";
 import { parseReflectionMetadata } from "./reflection-metadata.js";
@@ -57,7 +58,7 @@ export function buildReflectionStorePayloads(params: BuildReflectionStorePayload
   slices: ReflectionSlices;
   payloads: ReflectionStorePayload[];
 } {
-  const slices = extractReflectionSlices(params.reflectionText);
+  const slices = extractInjectableReflectionSlices(params.reflectionText);
   const eventId = params.eventId || createReflectionEventId({
     runAt: params.runAt,
     sessionKey: params.sessionKey,
@@ -82,7 +83,7 @@ export function buildReflectionStorePayloads(params: BuildReflectionStorePayload
   ];
 
   const itemPayloads = buildReflectionItemPayloads({
-    items: extractReflectionSliceItems(params.reflectionText),
+    items: extractInjectableReflectionSliceItems(params.reflectionText),
     eventId,
     agentId: params.agentId,
     sessionKey: params.sessionKey,
@@ -287,11 +288,12 @@ function buildInvariantCandidates(
     .filter(({ metadata }) => metadata.itemKind === "invariant")
     .flatMap(({ entry, metadata }) => {
       const lines = sanitizeReflectionSliceLines([entry.text]);
-      if (lines.length === 0) return [];
+      const safeLines = sanitizeInjectableReflectionLines([entry.text]);
+      if (safeLines.length === 0) return [];
 
       const defaults = getReflectionItemDecayDefaults("invariant");
       const timestamp = metadataTimestamp(metadata, entry.timestamp);
-      return lines.map((line) => ({
+      return safeLines.map((line) => ({
         line,
         timestamp,
         midpointDays: readPositiveNumber(metadata.decayMidpointDays, defaults.midpointDays),
@@ -307,7 +309,7 @@ function buildInvariantCandidates(
   return legacyRows.flatMap(({ entry, metadata }) => {
     const defaults = getReflectionItemDecayDefaults("invariant");
     const timestamp = metadataTimestamp(metadata, entry.timestamp);
-    const lines = sanitizeReflectionSliceLines(toStringArray(metadata.invariants));
+    const lines = sanitizeInjectableReflectionLines(toStringArray(metadata.invariants));
     return lines.map((line) => ({
       line,
       timestamp,
@@ -328,11 +330,12 @@ function buildDerivedCandidates(
     .filter(({ metadata }) => metadata.itemKind === "derived")
     .flatMap(({ entry, metadata }) => {
       const lines = sanitizeReflectionSliceLines([entry.text]);
-      if (lines.length === 0) return [];
+      const safeLines = sanitizeInjectableReflectionLines([entry.text]);
+      if (safeLines.length === 0) return [];
 
       const defaults = getReflectionItemDecayDefaults("derived");
       const timestamp = metadataTimestamp(metadata, entry.timestamp);
-      return lines.map((line) => ({
+      return safeLines.map((line) => ({
         line,
         timestamp,
         midpointDays: readPositiveNumber(metadata.decayMidpointDays, defaults.midpointDays),
@@ -347,7 +350,7 @@ function buildDerivedCandidates(
 
   return legacyRows.flatMap(({ entry, metadata }) => {
     const timestamp = metadataTimestamp(metadata, entry.timestamp);
-    const lines = sanitizeReflectionSliceLines(toStringArray(metadata.derived));
+    const lines = sanitizeInjectableReflectionLines(toStringArray(metadata.derived));
     if (lines.length === 0) return [];
 
     const defaults = {