-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
.Net: Fix #6030 - Mitigating Prompt Injection in Liquid Templates #6048
Merged
dmytrostruk
merged 24 commits into
microsoft:feature-prompty
from
LittleLittleCloud:u/xiaoyun/fix#6030
May 7, 2024
Merged
.Net: Fix #6030 - Mitigating Prompt Injection in Liquid Templates #6048
dmytrostruk
merged 24 commits into
microsoft:feature-prompty
from
LittleLittleCloud:u/xiaoyun/fix#6030
May 7, 2024
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
markwallace-microsoft
added
.NET
Issue or Pull requests regarding .NET code
kernel
Issues or pull requests impacting the core kernel
documentation
labels
Apr 29, 2024
dmytrostruk
reviewed
Apr 30, 2024
...ests/LiquidTemplateTest.ItDoesNotRendersUserMessagesWhenAllowUnsafeIsFalseAsync.verified.txt
Outdated
Show resolved
Hide resolved
dotnet/src/Extensions/PromptTemplates.Liquid/LiquidPromptTemplate.cs
Outdated
Show resolved
Hide resolved
dotnet/src/Extensions/PromptTemplates.Liquid/LiquidPromptTemplate.cs
Outdated
Show resolved
Hide resolved
dotnet/src/Extensions/PromptTemplates.Liquid/LiquidPromptTemplateFactory.cs
Outdated
Show resolved
Hide resolved
dotnet/src/Extensions/PromptTemplates.Liquid/LiquidPromptTemplate.cs
Outdated
Show resolved
Hide resolved
dotnet/src/Extensions/PromptTemplates.Liquid/LiquidPromptTemplate.cs
Outdated
Show resolved
Hide resolved
dotnet/src/Extensions/PromptTemplates.Liquid/LiquidPromptTemplate.cs
Outdated
Show resolved
Hide resolved
...romptTemplates.Liquid.UnitTests/LiquidTemplateTest.ItRendersAndCanBeParsedAsync.verified.txt
Outdated
Show resolved
Hide resolved
Why is that necessary? And why is that ok? Why are we in a position to effectively ban "Ġ"? |
This comment was marked as outdated.
This comment was marked as outdated.
4 tasks
LittleLittleCloud
changed the title
.Net: Fix #6030
.Net: Fix #6030 - Mitigating Prompt Injection in Liquid Templates
May 3, 2024
always encoding rendered result in liquid template
markwallace-microsoft
approved these changes
May 3, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
kernel.core
kernel
Issues or pull requests impacting the core kernel
.NET
Issue or Pull requests regarding .NET code
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation and Context
#6030
Description
In this implementation, theĠ
will be reserved in liquid template which is used to replace:
in all input variables when unsafe content is not allowed.The encoding process for input variables when unsafe content is not allowed is- replace all:
toĠ
// this is the extra step comparing with HandlerBar Template- Encode xml usingHttpUtility.HtmlEncode
The decoding process is- replace allĠ
to:
This PR introduces a new process to mitigate potential prompt injection attacks from input variables when using liquid templates. Here's a breakdown of the steps:
Before rendering, each input variable undergoes a transformation: all occurrences of
:
are replaced with:
. This ensures that message tags likesystem:
,user:
, orassistant:
are not present ifAllowUnsafeContent
is set tofalse
. No replacement occurs ifAllowUnsafeContent
istrue
.After rendering, each message content is processed based on the
AllowUnsafeContent
setting. If it'sfalse
, all:
instances are reverted back to:
, followed by callinghtml_encode
on each message content. IfAllowUnsafeContent
istrue
, onlyhtml_encode
is called. This additional encoding step is necessary becauseChatPromptParser
always decodes XML message content, requiring the liquid template to undergo an extra encoding step to ensure the rendered content matches the original before rendering.Contribution Checklist