dataforge/agents_and_robots
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases Wiki Activity

feat: crear pkg/sanitize para deteccion de prompt injection

Browse Source 
Nuevo paquete puro (sin I/O) que detecta patrones de prompt injection
en mensajes de usuario antes de enviarlos al LLM.

- patterns.go: 15 patrones en ingles y español (delimitadores de sistema,
  override de instrucciones, exfiltracion de prompt, jailbreak, evasion base64)
- sanitize.go: funcion Sanitize() con 3 modos (warn, strip, reject),
  filtro por severidad minima y patrones deshabilitables
- Tipos: Pattern, Severity, Mode, Options, Warning, Result

Todo puro: string in → Result out. Los side effects (logging, rechazo)
ocurren en el caller (runtime.go).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Enmanuel
2026-03-07 19:34:24 +00:00
parent 987ac09a09
commit e8dd7c41ed
2 changed files with 275 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pkg/sanitize/patterns.go
+139
View File
@@ -0,0 +1,139 @@
// Package sanitize provides pure functions to detect and neutralize
// prompt injection patterns in user messages before they reach the LLM.
package sanitize
import "regexp"
// Pattern represents a known prompt injection pattern with metadata.
type Pattern struct {
Name string // short identifier (e.g. "system-delimiter")
Description string // human-readable explanation
Regex *regexp.Regexp // compiled pattern
Severity Severity // how dangerous this pattern is
}
// Severity indicates the threat level of a detected pattern.
type Severity int
const (
SeverityLow Severity = iota // informational, unlikely to succeed
SeverityMedium // known injection technique
SeverityHigh // active attempt to override system instructions
)
func (s Severity) String() string {
switch s {
case SeverityLow:
return "low"
case SeverityMedium:
return "medium"
case SeverityHigh:
return "high"
default:
return "unknown"
}
}
// DefaultPatterns returns the built-in set of prompt injection patterns.
// All patterns are case-insensitive.
func DefaultPatterns() []Pattern {
return []Pattern{
// ── System delimiter injection ──────────────────────────────────
{
Name: "system-delimiter",
Description: "Attempt to inject system/assistant role delimiters",
Regex: regexp.MustCompile(`(?i)<\|(?:system|assistant|user|im_start|im_end)\|>`),
Severity: SeverityHigh,
},
{
Name: "inst-delimiter",
Description: "Attempt to inject [INST] or [/INST] delimiters",
Regex: regexp.MustCompile(`(?i)\[/?INST\]`),
Severity: SeverityHigh,
},
{
Name: "xml-role-tag",
Description: "Attempt to inject XML-style role tags",
Regex: regexp.MustCompile(`(?i)</?(?:system|assistant|human|user)(?:\s[^>]*)?>`),
Severity: SeverityHigh,
},
// ── Instruction override ───────────────────────────────────────
{
Name: "ignore-instructions",
Description: "Attempt to override previous instructions",
Regex: regexp.MustCompile(`(?i)(?:ignore|disregard|forget|override|bypass)\s+(?:all\s+)?(?:previous|prior|above|earlier|your|the|system)\s+(?:instructions?|rules?|prompts?|guidelines?|constraints?|directives?)`),
Severity: SeverityHigh,
},
{
Name: "new-instructions",
Description: "Attempt to inject new system-level instructions",
Regex: regexp.MustCompile(`(?i)(?:new|updated?|revised?|actual|real)\s+(?:system\s+)?instructions?:\s`),
Severity: SeverityHigh,
},
{
Name: "you-are-now",
Description: "Attempt to redefine the bot's identity",
Regex: regexp.MustCompile(`(?i)(?:you\s+are\s+now|from\s+now\s+on\s+you\s+are|act\s+as\s+if\s+you\s+were|pretend\s+(?:to\s+be|you\s+are))\s`),
Severity: SeverityMedium,
},
// ── Prompt exfiltration ────────────────────────────────────────
{
Name: "exfiltrate-prompt",
Description: "Attempt to extract the system prompt",
Regex: regexp.MustCompile(`(?i)(?:repeat|show|display|print|output|reveal|tell\s+me|give\s+me|show\s+me|what\s+(?:is|are))\s+(?:your\s+)?(?:system\s+)?(?:prompt|instructions?|rules?|guidelines?|initial\s+message)`),
Severity: SeverityMedium,
},
// ── Developer mode / jailbreak ─────────────────────────────────
{
Name: "developer-mode",
Description: "Attempt to enable a fictional unrestricted mode",
Regex: regexp.MustCompile(`(?i)(?:enable|activate|enter|switch\s+to)\s+(?:developer|debug|admin|god|sudo|unrestricted|jailbreak|dan)\s+mode`),
Severity: SeverityHigh,
},
{
Name: "do-anything-now",
Description: "DAN (Do Anything Now) jailbreak pattern",
Regex: regexp.MustCompile(`(?i)(?:do\s+anything\s+now|DAN\s+mode|you\s+(?:can|must)\s+do\s+anything)`),
Severity: SeverityHigh,
},
// ── Tool abuse hints ───────────────────────────────────────────
{
Name: "tool-abuse-ssh",
Description: "Attempt to execute dangerous commands via SSH",
Regex: regexp.MustCompile(`(?i)(?:use|call|execute|run)\s+(?:the\s+)?(?:ssh|command)\s+tool\s+(?:to\s+)?(?:run|execute|do)\s`),
Severity: SeverityLow,
},
// ── Encoding evasion ───────────────────────────────────────────
{
Name: "base64-instruction",
Description: "Base64-encoded instruction injection",
Regex: regexp.MustCompile(`(?i)(?:decode|execute|interpret|run)\s+(?:this\s+)?(?:base64|b64|encoded)[\s:]+[A-Za-z0-9+/]{20,}={0,2}`),
Severity: SeverityMedium,
},
// ── Spanish variants ───────────────────────────────────────────
{
Name: "ignore-instructions-es",
Description: "Spanish: attempt to override instructions",
Regex: regexp.MustCompile(`(?i)(?:ignora|olvida|descarta)\s+(?:todas?\s+)?(?:las?\s+)?(?:instrucciones?|reglas?|directivas?|restricciones?)\s+(?:anteriores?|previas?|del\s+sistema)`),
Severity: SeverityHigh,
},
{
Name: "you-are-now-es",
Description: "Spanish: attempt to redefine identity",
Regex: regexp.MustCompile(`(?i)(?:ahora\s+eres|a\s+partir\s+de\s+ahora\s+eres|finge\s+(?:ser|que\s+eres)|actua\s+como\s+si\s+fueras)\s`),
Severity: SeverityMedium,
},
{
Name: "exfiltrate-prompt-es",
Description: "Spanish: attempt to extract system prompt",
Regex: regexp.MustCompile(`(?i)(?:repite|muestra|muestrame|dime|dame|cual\s+es)\s+(?:tus?\s+)?(?:prompt|instrucciones?|reglas?|mensaje\s+(?:de\s+sistema|inicial))`),
Severity: SeverityMedium,
},
}
}