t-ron 0.90.0 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178

//! Safety — Prompt injection detection.

use serde::{Deserialize, Serialize};

/// Result of a prompt injection detection check.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct InjectionResult {
    pub safe: bool,
    pub confidence: f64,
    pub detected_patterns: Vec<String>,
}

/// Detects common prompt-injection attempts in user or agent input.
///
/// **Limitation:** The current detection relies on baseline substring and
/// heuristic pattern matching. These rules catch common injection
/// templates but are inherently bypassable by adversarial rephrasing,
/// encoding tricks, or novel attack vectors. In production deployments
/// this detector should be supplemented with ML-based classification
/// (e.g., a fine-tuned transformer trained on injection corpora) to
/// achieve robust coverage.
///
/// NOTE: Current detection patterns are baseline substring heuristics intended as a
/// first layer of defense. Production deployments should supplement these with
/// ML-based detection (e.g., classifier trained on prompt injection datasets).
/// A named pattern matcher: label + detection function.
type PatternMatcher = (String, Box<dyn Fn(&str) -> bool + Send + Sync>);

pub struct PromptInjectionDetector {
    /// Pattern label + substring/heuristic pairs.
    patterns: Vec<PatternMatcher>,
}

impl PromptInjectionDetector {
    /// Build a detector with the default set of heuristics.
    #[must_use]
    pub fn new() -> Self {
        let patterns: Vec<PatternMatcher> = vec![
            (
                "ignore_previous_instructions".into(),
                Box::new(|s: &str| {
                    let l = s.to_lowercase();
                    l.contains("ignore previous instructions")
                        || l.contains("ignore all previous")
                        || l.contains("disregard previous")
                        || l.contains("forget previous instructions")
                        || l.contains("ignore your instructions")
                }),
            ),
            (
                "system_prompt_leak".into(),
                Box::new(|s: &str| {
                    let l = s.to_lowercase();
                    l.contains("system prompt:")
                        || l.contains("system message:")
                        || l.contains("reveal your system prompt")
                        || l.contains("show me your instructions")
                        || l.contains("print your system prompt")
                }),
            ),
            (
                "role_confusion".into(),
                Box::new(|s: &str| {
                    let l = s.to_lowercase();
                    l.contains("you are now")
                        || l.contains("act as a")
                        || l.contains("pretend you are")
                        || l.contains("roleplay as")
                        || l.contains("switch to role")
                }),
            ),
            (
                "excessive_special_chars".into(),
                Box::new(|s: &str| {
                    let char_count = s.chars().count();
                    if char_count < 20 {
                        return false;
                    }
                    let special: usize = s
                        .chars()
                        .filter(|c| {
                            !c.is_alphanumeric() && !c.is_whitespace() && *c != '.' && *c != ','
                        })
                        .count();
                    let ratio = special as f64 / char_count as f64;
                    ratio > 0.4
                }),
            ),
            (
                "base64_payload".into(),
                Box::new(|s: &str| {
                    // Heuristic: long runs of base64 characters with padding
                    let char_count = s.chars().count();
                    if char_count < 40 {
                        return false;
                    }
                    let base64_chars: usize = s
                        .chars()
                        .filter(|c| {
                            c.is_ascii_alphanumeric() || *c == '+' || *c == '/' || *c == '='
                        })
                        .count();
                    let ratio = base64_chars as f64 / char_count as f64;
                    ratio > 0.85 && s.contains('=')
                }),
            ),
            (
                "delimiter_injection".into(),
                Box::new(|s: &str| {
                    let l = s.to_lowercase();
                    l.contains("```system") || l.contains("---system") || l.contains("[system]")
                }),
            ),
        ];

        Self { patterns }
    }

    /// Strip Unicode zero-width and directional override characters that can
    /// be used to hide injection patterns from substring matching.
    fn normalize_input(input: &str) -> String {
        input
            .chars()
            .filter(|c| {
                !matches!(
                    *c,
                    '\u{200B}' // Zero-Width Space
                    | '\u{200C}' // Zero-Width Non-Joiner
                    | '\u{200D}' // Zero-Width Joiner
                    | '\u{200E}' // Left-to-Right Mark
                    | '\u{200F}' // Right-to-Left Mark
                    | '\u{202A}' // Left-to-Right Embedding
                    | '\u{202B}' // Right-to-Left Embedding
                    | '\u{202C}' // Pop Directional Formatting
                    | '\u{202D}' // Left-to-Right Override
                    | '\u{202E}' // Right-to-Left Override
                    | '\u{2060}' // Word Joiner
                    | '\u{2061}'..='\u{2064}' // Invisible operators
                    | '\u{FEFF}' // BOM / Zero-Width No-Break Space
                    | '\u{FE00}'..='\u{FE0F}' // Variation selectors
                )
            })
            .collect()
    }

    /// Check a string for prompt-injection patterns.
    #[must_use]
    pub fn check_input(&self, input: &str) -> InjectionResult {
        // Normalize: strip zero-width/invisible characters before matching
        let normalized = Self::normalize_input(input);
        let mut detected: Vec<String> = Vec::new();

        for (label, check_fn) in &self.patterns {
            if check_fn(&normalized) {
                detected.push(label.clone());
            }
        }

        let confidence = if detected.is_empty() {
            0.0
        } else {
            // More patterns matched = higher confidence
            (detected.len() as f64 * 0.25).min(1.0)
        };

        InjectionResult {
            safe: detected.is_empty(),
            confidence,
            detected_patterns: detected,
        }
    }
}

impl Default for PromptInjectionDetector {
    fn default() -> Self {
        Self::new()
    }
}