-
Notifications
You must be signed in to change notification settings - Fork 14k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prompt injection which leads to arbitrary code execution in langchain.chains.PALChain
#5872
Comments
One could argue that the entire PAL chain is vulnerable to RCE because, well, it generates and executes code according to the user input. |
Exactly, the entire PALChain is facing this kind of RCE problem because it just execute the generated python code. For all implemented prompt templates, take
to execute arbitrary code. Maybe a sanitizer is needed in |
Nice catch! |
Thanks for your reply. Yes! I agree that the developers will patch this problem and it is the best way to solve this RCE vuln. But from my perspective, for PALchain, it seems not a long-term solution to just let users add constrains to avoid these kind of issues because first, users are not sure if these constraints will compromise functional integrity. Second like lots of pyjail challenges in CTF, people are likely to come up with many strange ideas to break the constraints. That is, for users, they need to construct different constraints each time they design a prompt which is not convenient, and it's hard to find such a catch-all constraint without breaking functionality. |
Adds some selective security controls to the PAL chain: 1. Prevent imports 2. Prevent arbitrary execution commands 3. Enforce execution time limit (prevents DOS and long sessions where the flow is hijacked like remote shell) 4. Enforce the existence of the solution expression in the code This is done mostly by static analysis of the code using the ast library. Also added tests to the pal chain. Fixes #5872 @vowelparrot --------- Co-authored-by: HippoTerrific <49598618+HippoTerrific@users.noreply.github.com> Co-authored-by: Or Raz <orraz1994@gmail.com>
Thanks for the issue report, for developing the mitigations PR, and for the productive discussion all around! Closing the loop, to update any watchers with the latest developments: Specifically:
With that, I believe it should be safe to mark this issue as resolved. Please let us know if there's anything we might have missed, and thanks again for all the help! |
System Info
langchain version:
0.0.194
os:
ubuntu 20.04
python:
3.9.13
Who can help?
No response
Information
Related Components
Reproduction
from_math_prompt
like:pal_chain = PALChain.from_math_prompt(llm, verbose=True)
pal_chain.run(prompt)
Influence:
![image](https://private-user-images.githubusercontent.com/57178900/244314465-7119fccf-93d0-4ce9-8096-edb1a193ce7b.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjA3MTI1ODEsIm5iZiI6MTcyMDcxMjI4MSwicGF0aCI6Ii81NzE3ODkwMC8yNDQzMTQ0NjUtNzExOWZjY2YtOTNkMC00Y2U5LTgwOTYtZWRiMWExOTNjZTdiLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA3MTElMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNzExVDE1MzgwMVomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTdmZTE0YTY2NDNlZTQyYTlmOTA5ODA5NmVmYjczMmNlZGNhOWU3YWY5MzZkODI0YzQ3YmExNmY3YzMxNjJhNWEmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.nGQGZ7wZzk8xdyMvqAwXEWMXCY3KXDwwpsW1eXBkOnE)
Expected behavior
Expected: No code is execued or just calculate the valid part 1+1.
Suggestion: Add a sanitizer to check the sensitive code.
Although the code is generated by llm, from my perspective, we'd better not execute it directly without any checking. Because the prompt is always exposed to users which can lead to remote code execution.
The text was updated successfully, but these errors were encountered: