@pugi/cli 0.1.0-beta.8 → 0.1.0-beta.87

package/dist/core/security/injection-scanner.js

@@ -0,0 +1,367 @@
+/**
+ * Prompt-injection scanner — TypeScript implementation of external
+ * `injection_patterns.rs` (Apache-2.0, external).
+ *
+ * Upstream source:
+ *  `_primitives/_rust/kei-memory/src/injection_patterns.rs`
+ *  from https://github.com/an internal mirror.
+ *
+ * Scope of the port:
+ *  - Pattern TABLES are ported verbatim (regex + invisible-codepoint
+ *    set + ChatML tags + role-prefix patterns). The substring/secret
+ *    rows (curl-with-bearer, aws_secret keyword, api_key URL, openssh
+ *    PEM markers, long-base64 blob heuristic) are KEPT in this port —
+ *    they harden writes through memory/audit paths against accidental
+ *    credential pasting.
+ *  - Detection logic is rewritten in TypeScript. The Rust upstream
+ *    uses `regex::Regex` + a separate `injection_guard.rs` that owns
+ *    the "should I block?" decision. Pugi's port collapses both
+ *    responsibilities into a single function (`scanForInjection`)
+ *    because the caller surfaces (audit-trail, file-tools) only need
+ *    the findings list — they do not block writes today (CEO sign-off
+ *    gate, separate PR).
+ *
+ * Severity model:
+ *  The upstream `Block` / `Warn` enum is mirrored as a Pugi field on
+ *  each finding so a future PR can wire hard-block behavior without
+ *  re-shaping the call sites.
+ *
+ * What this is NOT:
+ *  - An LLM-output safety filter. This scans CONTENT BOUND FOR DISK
+ *    (audit payloads + file writes / edits) for accidental or
+ *    adversarial prompt-injection markers.
+ *  - A secrets scanner. Real secrets detection lives in
+ *    `scripts/secret-scanner.mjs` (release gate). The few credential
+ *    heuristics here exist because the upstream Rust treats memory
+ *    persistence as a credential-exfil surface too.
+ *
+ * See bundled LICENSE notices.0 attribution.
+ */
+/**
+ * Maximum captured-match length recorded in a finding. Bounds the
+ * worst-case row size in the audit JSONL stream. Set to 128 because
+ * the longest legitimate pattern match (`long_base64_line`) would be
+ * 1024+ bytes — the operator can re-scan the source content for the
+ * full blob if they need it; we only need enough context to triage.
+ */
+export const MAX_MATCH_CAPTURE = 128;
+function clampMatch(matched) {
+    if (matched.length <= MAX_MATCH_CAPTURE)
+        return matched;
+    return `${matched.slice(0, MAX_MATCH_CAPTURE)}…`;
+}
+/**
+ * Invisible / bidi / zero-width unicode codepoints ported verbatim
+ * from `INVISIBLE_CHARS` in the upstream Rust. Each one is a known
+ * vehicle for hiding prompt-override text from a casual reader.
+ */
+export const INVISIBLE_CHARS = [
+    '​', // ZERO WIDTH SPACE
+    '‌', // ZERO WIDTH NON-JOINER
+    '‍', // ZERO WIDTH JOINER
+    '‎', // LEFT-TO-RIGHT MARK
+    '‏', // RIGHT-TO-LEFT MARK
+    '‪', // LEFT-TO-RIGHT EMBEDDING
+    '‫', // RIGHT-TO-LEFT EMBEDDING
+    '‬', // POP DIRECTIONAL FORMATTING
+    '‭', // LEFT-TO-RIGHT OVERRIDE
+    '‮', // RIGHT-TO-LEFT OVERRIDE
+    '⁠', // WORD JOINER
+    '', // BYTE ORDER MARK / ZERO WIDTH NO-BREAK SPACE
+];
+/**
+ * Pre-built Set for O(1) codepoint membership tests. The scanner walks
+ * the input once and probes this set per character — cheaper than a
+ * regex with 12 alternation branches.
+ */
+const INVISIBLE_CHAR_SET = new Set(INVISIBLE_CHARS);
+/**
+ * Threshold above which a single base64-looking line is flagged.
+ * Matches the upstream `BASE64_BLOB_BYTES` constant so the heuristic
+ * stays aligned with the Rust spec. The regex below hardcodes the
+ * same value for compile-time clarity.
+ */
+export const BASE64_BLOB_BYTES = 1024;
+/**
+ * PEM begin marker built at runtime so the literal dashes do not
+ * trigger over-eager secret-scanners in this very source file (same
+ * concern as the upstream `pem_dashes()` helper).
+ */
+function pemMarker(label) {
+    const d = '-'.repeat(5);
+    return `${d}BEGIN ${label}${d}`;
+}
+/**
+ * Escape regex metachars in a literal string. We avoid pulling a
+ * dependency just for this — the set of metachars is small and
+ * well-known.
+ */
+function escapeRegex(literal) {
+    return literal.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+/**
+ * Prompt-override patterns. Ported verbatim from
+ * `prompt_override_patterns()` in the upstream Rust. The regex
+ * strings are the same modulo Rust's `(?im)` inline flags being
+ * expressed as `i` + `m` on the TS `RegExp`.
+ */
+const PROMPT_OVERRIDE_PATTERNS = [
+    {
+        id: 'prompt_override_ignore_previous',
+        kind: 'override-prompt',
+        re: /ignore\s+previous\s+instructions/gi,
+        severity: 'block',
+        source: 'promptguard:override',
+    },
+    {
+        id: 'prompt_override_you_are_now',
+        kind: 'override-prompt',
+        re: /you\s+are\s+now\b/gi,
+        severity: 'block',
+        source: 'promptguard:roleplay',
+    },
+    {
+        id: 'prompt_override_disregard',
+        kind: 'override-prompt',
+        re: /disregard\s+(all|prior|above)/gi,
+        severity: 'block',
+        source: 'promptguard:override',
+    },
+    {
+        id: 'system_role_prefix',
+        kind: 'override-prompt',
+        re: /^\s*system\s*:/gim,
+        severity: 'block',
+        source: 'promptguard:role-prefix',
+    },
+    {
+        id: 'chatml_im_start',
+        kind: 'tag-injection',
+        re: /<\|im_start\|>/g,
+        severity: 'block',
+        source: 'chatml:tag',
+    },
+    {
+        id: 'chatml_endoftext',
+        kind: 'tag-injection',
+        re: /<\|endoftext\|>/g,
+        severity: 'block',
+        source: 'chatml:tag',
+    },
+];
+/**
+ * Secret-shaped patterns. Ported from `secret_patterns()`. The PEM
+ * markers are built at runtime so they do not show up verbatim in
+ * this file's bytes (anti-self-trigger).
+ */
+function buildSecretPatterns() {
+    const openssh = escapeRegex(pemMarker('OPENSSH PRIVATE KEY'));
+    const rsa = escapeRegex(pemMarker('RSA PRIVATE KEY'));
+    return [
+        {
+            id: 'ssh_openssh_private',
+            kind: 'secret-marker',
+            re: new RegExp(openssh, 'g'),
+            severity: 'block',
+            source: 'secret:openssh',
+        },
+        {
+            id: 'ssh_rsa_private',
+            kind: 'secret-marker',
+            re: new RegExp(rsa, 'g'),
+            severity: 'block',
+            source: 'secret:rsa',
+        },
+        {
+            // Upstream P2.1.b audit upgraded this to Block tier — long
+            // base64 blobs on a memory-write path are a direct exfil
+            // surface for attestation / key blobs pasted into transcripts.
+            id: 'long_base64_line',
+            kind: 'secret-marker',
+            re: new RegExp(`^[A-Za-z0-9+/=]{${BASE64_BLOB_BYTES},}$`, 'gm'),
+            severity: 'block',
+            source: 'heuristic:base64-blob',
+        },
+    ];
+}
+/**
+ * Substring/heuristic patterns. Ported from `build_substring_table()`.
+ * Each row demands ALL needles be present in the LOWERCASED copy of
+ * the input (AND semantics) — keeps false-positives low.
+ */
+const SUBSTRING_PATTERNS = [
+    {
+        id: 'curl_with_bearer',
+        kind: 'secret-marker',
+        needles: ['bearer ', '://'],
+        severity: 'block',
+        source: 'exfil:curl-bearer',
+    },
+    {
+        id: 'aws_secret_keyword',
+        kind: 'secret-marker',
+        needles: ['aws_secret'],
+        severity: 'block',
+        source: 'secret:aws',
+    },
+    {
+        id: 'api_key_url',
+        kind: 'secret-marker',
+        needles: ['api_key=', '://'],
+        severity: 'block',
+        source: 'exfil:api-key-url',
+    },
+];
+let REGEX_TABLE = null;
+function regexPatterns() {
+    if (REGEX_TABLE === null) {
+        REGEX_TABLE = [...PROMPT_OVERRIDE_PATTERNS, ...buildSecretPatterns()];
+    }
+    return REGEX_TABLE;
+}
+/**
+ * Maximum input size we scan. Above this we sample the first
+ * MAX_SCAN_BYTES bytes and tag the result as `truncated: true`. This
+ * keeps a 10 MB log payload from stalling the audit append path.
+ *
+ * The threshold is deliberately generous (256 KB) — the typical audit
+ * `data` payload is a few hundred bytes (a single `tool_call` envelope)
+ * and a file write of an HTML page is well under the cap. The cutoff
+ * exists only for pathological cases.
+ */
+export const MAX_SCAN_BYTES = 256 * 1024;
+/**
+ * Scan a string for prompt-injection / invisible-unicode / secret
+ * markers. Returns the empty array when clean. Never throws —
+ * malformed input (e.g. lone surrogates) falls through to the regex
+ * engine and produces zero or more findings, never an exception.
+ *
+ * Pure function. Safe to call from a hot path (audit-trail append,
+ * file-tools writeTool) without worrying about side effects.
+ */
+export function scanForInjection(text) {
+    if (typeof text !== 'string' || text.length === 0)
+        return [];
+    const findings = [];
+    const scanText = text.length > MAX_SCAN_BYTES ? text.slice(0, MAX_SCAN_BYTES) : text;
+    // 1. Invisible unicode scan: O(n) single pass with a Set lookup.
+    //   We collect per-codepoint hits rather than collapsing them so
+    //   the operator can see how many bidi marks are present (high
+    //   counts strongly suggest adversarial intent).
+    for (let i = 0; i < scanText.length; i += 1) {
+        const ch = scanText[i];
+        if (ch === undefined)
+            continue;
+        if (INVISIBLE_CHAR_SET.has(ch)) {
+            const code = ch.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0');
+            findings.push({
+                kind: 'invisible-unicode',
+                id: `invisible_unicode_U+${code}`,
+                severity: 'warn',
+                matched: ch,
+                offset: i,
+                source: `unicode:invisible:U+${code}`,
+            });
+        }
+    }
+    // 2. Regex table scan. Each pattern uses the `g` flag so we walk
+    //   every occurrence — a single text can carry multiple ChatML
+    //   tags or override phrases and the operator needs to see all of
+    //   them, not just the first.
+    for (const pattern of regexPatterns()) {
+        // Re-set lastIndex defensively in case a prior call left the
+        // regex's stateful cursor mid-string.
+        pattern.re.lastIndex = 0;
+        let match;
+        while ((match = pattern.re.exec(scanText)) !== null) {
+            findings.push({
+                kind: pattern.kind,
+                id: pattern.id,
+                severity: pattern.severity,
+                matched: clampMatch(match[0]),
+                offset: match.index,
+                source: pattern.source,
+            });
+            // Guard against zero-width matches infinite-looping (e.g. a
+            // regex that matches the empty string would never advance).
+            if (match.index === pattern.re.lastIndex) {
+                pattern.re.lastIndex += 1;
+            }
+        }
+    }
+    // 3. Substring/heuristic scan. AND semantics: every needle must
+    //   appear in the lowercased copy. We record the FIRST needle's
+    //   offset because that is the most actionable index for the
+    //   operator (the others may be hundreds of bytes away).
+    const lower = scanText.toLowerCase();
+    for (const pattern of SUBSTRING_PATTERNS) {
+        const offsets = pattern.needles.map((n) => lower.indexOf(n));
+        if (offsets.every((o) => o >= 0)) {
+            const firstOffset = Math.min(...offsets);
+            // Reconstruct a useful matched snippet — the needles can be
+            // far apart so we cap at the first needle plus a window.
+            const snippetEnd = Math.min(firstOffset + MAX_MATCH_CAPTURE, scanText.length);
+            findings.push({
+                kind: pattern.kind,
+                id: pattern.id,
+                severity: pattern.severity,
+                matched: clampMatch(scanText.slice(firstOffset, snippetEnd)),
+                offset: firstOffset,
+                source: pattern.source,
+            });
+        }
+    }
+    return findings;
+}
+export function summarizeFindings(findings) {
+    let score = 0;
+    const kindSet = new Set();
+    for (const f of findings) {
+        if (f.severity === 'block')
+            score += 1;
+        kindSet.add(f.kind);
+    }
+    return {
+        score,
+        total: findings.length,
+        kinds: Array.from(kindSet).sort(),
+    };
+}
+/**
+ * Recursively walk a JSON-shaped value and concatenate every string
+ * found. Used by audit-trail to fold the entire `data` payload into a
+ * single scannable surface — a tool_result with a deeply nested error
+ * object could otherwise hide an override prompt one level deep.
+ *
+ * Cycles are broken by a WeakSet — a payload that round-trips through
+ * a session struct is safe to scan even when it has back-references.
+ */
+export function collectStrings(value, seen = new WeakSet()) {
+    if (value === null || value === undefined)
+        return [];
+    if (typeof value === 'string')
+        return [value];
+    if (typeof value === 'number' || typeof value === 'boolean' || typeof value === 'bigint') {
+        return [];
+    }
+    if (typeof value !== 'object')
+        return [];
+    if (seen.has(value))
+        return [];
+    seen.add(value);
+    const out = [];
+    if (Array.isArray(value)) {
+        for (const item of value) {
+            out.push(...collectStrings(item, seen));
+        }
+        return out;
+    }
+    for (const key of Object.keys(value)) {
+        // Scan the KEY too — a deliberately-crafted payload could hide
+        // an override phrase as an object key.
+        out.push(key);
+        out.push(...collectStrings(value[key], seen));
+    }
+    return out;
+}
+//# sourceMappingURL=injection-scanner.js.map