palaryn 0.1.0 → 0.3.2

package/src/dlp/prompt-injection-patterns.ts

@@ -0,0 +1,302 @@
+import { DLPPattern } from './patterns';
+
+/**
+ * Prompt injection detection patterns.
+ *
+ * Organized into categories:
+ *   1. Direct instruction override (high)
+ *   2. Role manipulation (medium)
+ *   3. Jailbreak keywords (high)
+ *   4. System prompt extraction (high)
+ *   5. Delimiter injection (high)
+ *   6. Context manipulation (medium)
+ *   7. Authority impersonation (high)
+ *   8. Indirect injection (high)
+ *   9. Encoding indicators (medium)
+ *  10. Synonym variants (high)
+ *  11. Prompt leakage requests (high)
+ *  12. Obfuscation markers (medium)
+ *  13. Multi-turn manipulation (medium)
+ *
+ * All patterns use the /gi flags for global, case-insensitive matching.
+ * Pattern names are prefixed with `prompt_injection_` for namespacing.
+ */
+export const PROMPT_INJECTION_PATTERNS: DLPPattern[] = [
+  // -----------------------------------------------------------------------
+  // Category 1: Direct instruction override (high)
+  // -----------------------------------------------------------------------
+  {
+    name: 'prompt_injection_ignore_previous',
+    pattern: /ignore\s+(?:all\s+)?previous\s+instructions/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_disregard_rules',
+    pattern: /disregard\s+(?:all\s+)?(?:above|previous|prior)\s+(?:rules|instructions|guidelines|directives)/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_forget_instructions',
+    pattern: /forget\s+(?:all\s+)?(?:your|the|previous|prior)\s+instructions/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_override_instructions',
+    pattern: /override\s+(?:all\s+)?(?:your|the|previous|prior)\s+(?:instructions|rules|guidelines)/gi,
+    severity: 'high',
+  },
+
+  // -----------------------------------------------------------------------
+  // Category 2: Role manipulation (medium)
+  // -----------------------------------------------------------------------
+  {
+    name: 'prompt_injection_you_are_now',
+    pattern: /you\s+are\s+now\s+(?:a|an|the)\s+/gi,
+    severity: 'medium',
+  },
+  {
+    name: 'prompt_injection_act_as',
+    pattern: /(?:act|behave|function)\s+as\s+(?:a|an|if\s+you\s+(?:are|were))\s+/gi,
+    severity: 'medium',
+  },
+  {
+    name: 'prompt_injection_pretend_to_be',
+    pattern: /pretend\s+(?:to\s+be|you\s+are)\s+/gi,
+    severity: 'medium',
+  },
+  {
+    name: 'prompt_injection_roleplay_as',
+    pattern: /roleplay\s+as\s+/gi,
+    severity: 'medium',
+  },
+
+  // -----------------------------------------------------------------------
+  // Category 3: Jailbreak keywords (high)
+  // -----------------------------------------------------------------------
+  {
+    // FIX: ReDoS-safe version. Original had unbounded `.*?` causing
+    // catastrophic backtracking. Now uses bounded `.{0,40}` with no nested quantifiers.
+    name: 'prompt_injection_dan_jailbreak',
+    pattern: /\bD\s*A\s*N\b.{0,40}do\s+anything\s+now/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_do_anything_now',
+    pattern: /do\s+anything\s+now/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_developer_mode',
+    pattern: /(?:enter|enable|activate|switch\s+to)\s+developer\s+mode/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_no_restrictions',
+    pattern: /(?:without|no|remove\s+all|disable\s+all)\s+(?:any\s+)?restrictions/gi,
+    severity: 'high',
+  },
+
+  // -----------------------------------------------------------------------
+  // Category 4: System prompt extraction (high)
+  // -----------------------------------------------------------------------
+  {
+    name: 'prompt_injection_show_system_prompt',
+    pattern: /(?:show|display|reveal|print|output)\s+(?:me\s+)?(?:your|the)\s+system\s+prompt/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_repeat_above',
+    pattern: /repeat\s+(?:everything|all\s+the\s+text|the\s+text|all)\s+above/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_what_are_instructions',
+    pattern: /what\s+are\s+your\s+(?:instructions|rules|guidelines|directives)/gi,
+    severity: 'high',
+  },
+
+  // -----------------------------------------------------------------------
+  // Category 5: Delimiter injection (high)
+  // -----------------------------------------------------------------------
+  {
+    name: 'prompt_injection_im_start_delimiter',
+    pattern: /<\|im_start\|>/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_system_delimiter',
+    pattern: /###\s*System\s*:/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_inst_delimiter',
+    pattern: /\[INST\]/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_system_tag',
+    pattern: /<system>/gi,
+    severity: 'high',
+  },
+
+  // -----------------------------------------------------------------------
+  // Category 6: Context manipulation (medium)
+  // -----------------------------------------------------------------------
+  {
+    name: 'prompt_injection_hypothetical_scenario',
+    pattern: /in\s+this\s+hypothetical\s+scenario/gi,
+    severity: 'medium',
+  },
+  {
+    name: 'prompt_injection_educational_purposes',
+    pattern: /for\s+educational\s+purposes\s+only/gi,
+    severity: 'medium',
+  },
+
+  // -----------------------------------------------------------------------
+  // Category 7: Authority impersonation (high)
+  // -----------------------------------------------------------------------
+  {
+    name: 'prompt_injection_authority_developer',
+    pattern: /(?:as\s+your|i\s+am\s+(?:your|the))\s+(?:developer|creator|programmer|admin|administrator|owner)/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_admin_override',
+    pattern: /(?:admin|administrator|root)\s+(?:override|access|mode|command)/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_maintenance_mode',
+    pattern: /(?:enter|enable|activate|switch\s+to)\s+(?:maintenance|debug|test|unsafe)\s+mode/gi,
+    severity: 'high',
+  },
+
+  // -----------------------------------------------------------------------
+  // Category 8: Indirect injection (high)
+  // -----------------------------------------------------------------------
+  {
+    name: 'prompt_injection_indirect_when_user',
+    pattern: /when\s+(?:the\s+)?user\s+asks?\s+[\w\s]{1,40},?\s*(?:do|say|respond|reply|tell|output)\b/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_indirect_if_anyone',
+    pattern: /if\s+(?:anyone|somebody|someone|the\s+user)\s+asks?,?\s*(?:say|tell|respond|reply)\b/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_indirect_new_instructions',
+    pattern: /(?:new|updated|revised|replacement)\s+(?:system\s+)?instructions?\s*:/gi,
+    severity: 'high',
+  },
+
+  // -----------------------------------------------------------------------
+  // Category 9: Encoding indicators (medium)
+  // -----------------------------------------------------------------------
+  {
+    name: 'prompt_injection_decode_base64',
+    pattern: /(?:decode|interpret|execute|run|eval)\s+(?:the\s+following\s+)?(?:base64|rot13|hex|binary)/gi,
+    severity: 'medium',
+  },
+  {
+    name: 'prompt_injection_encode_request',
+    pattern: /(?:base64|rot13|hex)\s+(?:encode|decode|convert)\s+(?:this|the\s+following)/gi,
+    severity: 'medium',
+  },
+
+  // -----------------------------------------------------------------------
+  // Category 10: Synonym variants (high)
+  // -----------------------------------------------------------------------
+  {
+    name: 'prompt_injection_bypass_instructions',
+    pattern: /bypass\s+(?:all\s+)?(?:your|the|previous|prior|above|earlier)\s+(?:instructions|rules|guidelines|constraints|restrictions)/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_skip_instructions',
+    pattern: /(?:skip|drop|abandon|dismiss)\s+(?:all\s+)?(?:your|the|previous|prior|above|earlier)\s+(?:instructions|rules|guidelines|constraints)/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_new_rules',
+    pattern: /(?:your|the)\s+new\s+(?:instructions|rules|guidelines|directives)\s+are/gi,
+    severity: 'high',
+  },
+
+  // -----------------------------------------------------------------------
+  // Category 11: Prompt leakage requests (high)
+  // -----------------------------------------------------------------------
+  {
+    name: 'prompt_injection_show_rules',
+    pattern: /(?:show|tell|give|list|display)\s+(?:me\s+)?(?:your|the)\s+(?:rules|instructions|guidelines|directives|constraints)/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_print_config',
+    pattern: /(?:print|output|dump|display)\s+(?:your|the)\s+(?:config|configuration|settings|prompt|system\s+message)/gi,
+    severity: 'high',
+  },
+
+  // -----------------------------------------------------------------------
+  // Category 12: Obfuscation markers (medium)
+  // -----------------------------------------------------------------------
+  {
+    name: 'prompt_injection_read_vertically',
+    pattern: /(?:read|interpret)\s+(?:this\s+)?(?:vertically|diagonally|backwards|in\s+reverse)/gi,
+    severity: 'medium',
+  },
+  {
+    name: 'prompt_injection_first_letter',
+    pattern: /(?:first|last|initial)\s+(?:letter|character|char)\s+of\s+each\s+(?:word|line|sentence)/gi,
+    severity: 'medium',
+  },
+  {
+    name: 'prompt_injection_split_across',
+    pattern: /(?:split|spread|distributed?)\s+across\s+(?:messages?|lines?|parts?|chunks?)/gi,
+    severity: 'medium',
+  },
+
+  // -----------------------------------------------------------------------
+  // Category 13: Multi-turn manipulation (medium)
+  // -----------------------------------------------------------------------
+  {
+    name: 'prompt_injection_remember_later',
+    pattern: /remember\s+this\s+(?:for\s+later|instruction|rule|command)/gi,
+    severity: 'medium',
+  },
+  {
+    name: 'prompt_injection_next_conversation',
+    pattern: /in\s+(?:our|the)\s+next\s+(?:conversation|session|chat|interaction)/gi,
+    severity: 'medium',
+  },
+];
+
+// ---------------------------------------------------------------------------
+// Output-side prompt injection patterns
+// ---------------------------------------------------------------------------
+
+/**
+ * Patterns for detecting prompt injection artifacts in model output.
+ * These indicate the model may have been manipulated and is leaking
+ * system prompt content or following injected instructions.
+ *
+ * Scanned during postExecute DLP on response bodies.
+ */
+export const OUTPUT_INJECTION_PATTERNS: DLPPattern[] = [
+  {
+    name: 'prompt_injection_output_system_leak',
+    pattern: /(?:my\s+(?:system\s+)?instructions\s+(?:are|say|tell)|i\s+was\s+(?:told|instructed|programmed)\s+to)/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_output_prompt_reflection',
+    pattern: /(?:here\s+(?:are|is)\s+my\s+(?:rules|instructions|system\s+prompt|prompt)|as\s+(?:instructed|directed|told)(?:\s+by\s+my\s+(?:system|developer))?\s*:)/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_output_role_break',
+    pattern: /(?:i\s+(?:am\s+)?now\s+(?:operating|running|acting)\s+(?:in|as)\s+(?:\w+\s+)?mode|(?:developer|unrestricted|DAN)\s+mode\s+(?:enabled|activated|on))/gi,
+    severity: 'high',
+  },
+];

package/src/dlp/regex-backend.ts

@@ -0,0 +1,181 @@
+import { DLPBackend, DLPDetection } from './interfaces';
+import { DLPPattern, SECRET_PATTERNS, PII_PATTERNS } from './patterns';
+
+export interface RegexBackendConfig {
+  /** Enable secret pattern detection. Default true. */
+  secrets_detection?: boolean;
+  /** Enable PII pattern detection. Default true. */
+  pii_detection?: boolean;
+}
+
+/**
+ * Zero-width and invisible Unicode characters that can be used to evade
+ * regex-based secret detection (e.g. embedding \u200b inside "AKIA...").
+ */
+const ZERO_WIDTH_RE = /[\u200B\u200C\u200D\u200E\u200F\uFEFF\u00AD\u034F\u061C\u180E\u2060\u2061\u2062\u2063\u2064\u2066\u2067\u2068\u2069\u206A\u206B\u206C\u206D\u206E\u206F]/g;
+
+/**
+ * Common Unicode homoglyphs that look like ASCII characters but would bypass
+ * regex patterns designed for ASCII. Maps Cyrillic/Greek/other lookalikes to
+ * their ASCII equivalents.
+ */
+const HOMOGLYPH_MAP: Record<string, string> = {
+  '\u0410': 'A', '\u0412': 'B', '\u0421': 'C', '\u0415': 'E', '\u041D': 'H',
+  '\u041A': 'K', '\u041C': 'M', '\u041E': 'O', '\u0420': 'P', '\u0422': 'T',
+  '\u0425': 'X', '\u0430': 'a', '\u0435': 'e', '\u043E': 'o', '\u0440': 'p',
+  '\u0441': 'c', '\u0443': 'y', '\u0445': 'x', '\u04BB': 'h',
+  '\u0391': 'A', '\u0392': 'B', '\u0395': 'E', '\u0397': 'H', '\u0399': 'I',
+  '\u039A': 'K', '\u039C': 'M', '\u039D': 'N', '\u039F': 'O', '\u03A1': 'P',
+  '\u03A4': 'T', '\u03A7': 'X', '\u03B1': 'a', '\u03BF': 'o',
+  '\u2010': '-', '\u2011': '-', '\u2012': '-', '\u2013': '-', '\u2014': '-',
+  '\uFF21': 'A', '\uFF22': 'B', '\uFF23': 'C', '\uFF24': 'D', '\uFF25': 'E',
+};
+
+const HOMOGLYPH_RE = new RegExp('[' + Object.keys(HOMOGLYPH_MAP).join('') + ']', 'g');
+
+/**
+ * Regex to detect potential Base64-encoded strings.
+ * Matches strings of at least 20 characters using the Base64 alphabet,
+ * optionally followed by 1-2 padding '=' characters.
+ */
+const BASE64_RE = /[A-Za-z0-9+/]{20,}={0,2}/g;
+
+/**
+ * Extract and decode potential Base64-encoded strings from the input.
+ * Returns the decoded strings concatenated with newlines, or empty string
+ * if no valid Base64 content was found.
+ */
+function decodeBase64Content(value: string): string {
+  BASE64_RE.lastIndex = 0;
+  const decoded: string[] = [];
+  let m: RegExpExecArray | null;
+  while ((m = BASE64_RE.exec(value)) !== null) {
+    try {
+      const candidate = m[0];
+      const buf = Buffer.from(candidate, 'base64');
+      const text = buf.toString('utf-8');
+      // Only include decoded content that looks like printable text
+      // (at least 80% printable ASCII characters) to avoid noise
+      const printable = text.replace(/[^\x20-\x7E]/g, '');
+      if (printable.length >= text.length * 0.8 && text.length >= 8) {
+        decoded.push(text);
+      }
+    } catch {
+      // Not valid Base64, skip
+    }
+  }
+  BASE64_RE.lastIndex = 0;
+  return decoded.join('\n');
+}
+
+/**
+ * Normalize input to defeat common DLP evasion techniques:
+ * 1. NFC Unicode normalization (canonical decomposition + composition)
+ * 2. Strip zero-width / invisible characters
+ * 3. Replace common Unicode homoglyphs with ASCII equivalents
+ */
+function normalizeForDLP(value: string): string {
+  // Step 1: NFC normalization
+  let normalized = value.normalize('NFC');
+
+  // Step 2: Strip zero-width characters
+  normalized = normalized.replace(ZERO_WIDTH_RE, '');
+
+  // Step 3: Replace homoglyphs with ASCII equivalents
+  normalized = normalized.replace(HOMOGLYPH_RE, (ch) => HOMOGLYPH_MAP[ch] || ch);
+
+  return normalized;
+}
+
+/**
+ * Regex-based DLP backend that uses the same patterns as the built-in DLPScanner.
+ *
+ * This backend is extracted as a standalone DLPBackend implementation so it can
+ * be composed with other backends (e.g. TruffleHog) via the CompositeDLPScanner.
+ * The original DLPScanner remains unchanged and fully functional on its own.
+ */
+export class RegexDLPBackend implements DLPBackend {
+  readonly name = 'regex';
+
+  private readonly secretsEnabled: boolean;
+  private readonly piiEnabled: boolean;
+
+  constructor(config?: RegexBackendConfig) {
+    this.secretsEnabled = config?.secrets_detection ?? true;
+    this.piiEnabled = config?.pii_detection ?? true;
+  }
+
+  /**
+   * Scan a string for secrets and PII using regex patterns.
+   *
+   * Input is normalized before scanning to defeat evasion techniques
+   * (zero-width chars, Unicode homoglyphs, NFC normalization).
+   *
+   * Every regex with the /g flag has its lastIndex reset before and after
+   * testing to avoid state leaking between calls.
+   */
+  scanString(value: string): DLPDetection[] {
+    const normalized = normalizeForDLP(value);
+    const detections: DLPDetection[] = [];
+
+    if (this.secretsEnabled) {
+      this.scanPatterns(normalized, SECRET_PATTERNS, detections);
+    }
+
+    if (this.piiEnabled) {
+      this.scanPatterns(normalized, PII_PATTERNS, detections);
+    }
+
+    // Decode and scan Base64-encoded content to catch encoded secrets
+    const decodedBase64 = decodeBase64Content(normalized);
+    if (decodedBase64) {
+      const base64Detections: DLPDetection[] = [];
+      if (this.secretsEnabled) {
+        this.scanPatterns(decodedBase64, SECRET_PATTERNS, base64Detections);
+      }
+      if (this.piiEnabled) {
+        this.scanPatterns(decodedBase64, PII_PATTERNS, base64Detections);
+      }
+      // Add Base64 detections with a prefix to indicate they were found in encoded content
+      for (const det of base64Detections) {
+        // Avoid duplicate detections already found in the raw content
+        const isDuplicate = detections.some(
+          (d) => d.pattern_name === det.pattern_name && d.match === det.match,
+        );
+        if (!isDuplicate) {
+          detections.push({
+            ...det,
+            pattern_name: `base64:${det.pattern_name}`,
+          });
+        }
+      }
+    }
+
+    return detections;
+  }
+
+  private scanPatterns(
+    value: string,
+    patterns: DLPPattern[],
+    detections: DLPDetection[],
+  ): void {
+    for (const pat of patterns) {
+      pat.pattern.lastIndex = 0;
+      let m: RegExpExecArray | null;
+      while ((m = pat.pattern.exec(value)) !== null) {
+        detections.push({
+          pattern_name: pat.name,
+          severity: pat.severity,
+          match: m[0],
+          start: m.index,
+          end: m.index + m[0].length,
+        });
+        // Prevent infinite loops on zero-length matches
+        if (m[0].length === 0) {
+          pat.pattern.lastIndex++;
+        }
+      }
+      pat.pattern.lastIndex = 0;
+    }
+  }
+}