Mitigate issue #5872 (Prompt injection -> RCE in PAL chain) #6003
Conversation
|
I just got here from a Twitter link that a colleague sent me (https://twitter.com/llm_sec/status/1668711587287375876?s=20). I'm only a causal observer (not a Langchain user or contributor), but I thought it might be good to drop these links in case you're unaware of the ways that attackers can escape from AST-based Python "sandboxes": https://hacktricks.boitatech.com.br/misc/basic-python/bypass-python-sandboxes The strategies in these links aren't exhaustive, but hopefully illustrate that this style of sandboxing makes attacks more complex without defeating them entirely. |
|
Thanks for the PR, @boazwasserman! The PAL chain is indeed unsafe. It seems you've got enough experience to be aware of the points that @qxcv (thanks for the links btw!) is making. I don't think we could really get to enterprise-level security purely via AST validations, even if that were our main focus. My inclination is still to add these checks in to make it a bit harder to succeed in a naive prompt injection attack. If someone were to want to use this chain in production, it ought to be isolated further as well. To counter a false sense of security, we could log in the PythonREPL (called in |
|
Thanks for the inputs! |
|
@orraz-labs is attempting to deploy a commit to the LangChain Team on Vercel. A member of the Team first needs to authorize it. |
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
boazwasserman
changed the title
|
Is there any updates?
As you can see, the vulnerability is not yet closed. |
|
@L0Z1K good catch! I was missing an edge case. Fixed it now |
hinthornw
requested review from
dev2049 and
hwchase17
and removed request for
dev2049
dosubot
bot
added
the
🤖:bug
| @@ -33,6 +96,8 @@ class PALChain(Chain): | |||
| python_locals: Optional[Dict[str, Any]] = None | |||
| output_key: str = "result" #: :meta private: | |||
| return_intermediate_steps: bool = False | |||
| code_validations: PALValidation = PALValidation() | |||
There was a problem hiding this comment.
| code_validations: PALValidation = PALValidation() | |
| code_validations: PALValidation = Field(default_factory=PALValidation) |
hinthornw
merged commit 8ba9835
into
langchain-ai:wfh/prompt_injection
Some docstring / small nits to #6003 --------- Co-authored-by: BoazWasserman <49598618+boazwasserman@users.noreply.github.com> Co-authored-by: HippoTerrific <49598618+HippoTerrific@users.noreply.github.com> Co-authored-by: Or Raz <orraz1994@gmail.com>
Some docstring / small nits to langchain-ai#6003 --------- Co-authored-by: BoazWasserman <49598618+boazwasserman@users.noreply.github.com> Co-authored-by: HippoTerrific <49598618+HippoTerrific@users.noreply.github.com> Co-authored-by: Or Raz <orraz1994@gmail.com>
Adds some selective security controls to the PAL chain:
This is done mostly by static analysis of the code using the ast library.
Also added tests to the pal chain.
Fixes #5872
@vowelparrot