cel/prompt: sanitize template delimiters in Render() user input#1311
Conversation
|
@TristonianJones, tagging you as the author of the prompt template feature (#1205) for review. |
|
/gcbrun |
|
Thanks for your response! I believe the PR is ready for merge once the remaining approval is completed. |
|
@Mr-In4inci3le it looks like the sanitizer is possibly causing some unintended test failures for the |
Mr-In4inci3le
force-pushed
the
fix/prompt-template-injection
branch
from
bed3ef5 to
3efa480
Compare
|
@TristonianJones I've investigated the failing TestPromptTemplate tests. These failures are pre-existing on master and unrelated to this PR they fail identically with my changes completely stashed (base commit only). The failures appear to be a CRLF line-ending mismatch in the test fixture files on Windows. I've updated the PR with a cleaner approach: removed sanitizePromptInput() entirely. After reviewing authoring.tmpl, I confirmed that {{.UserPrompt}} renders the value as a literal data string Go's text/template never re-evaluates struct field values as template directives, so the security guarantee is inherent to how the template engine works. No string manipulation is needed. TestRenderSanitizesTemplateDirectives now passes all 4 subtests, confirming injection is correctly prevented by the template engine itself. The pre-existing TestPromptTemplate CRLF failures are present both before and after my changes. |
|
/gcbrun |
Render() passes user-supplied input directly into a text/template
execution without sanitizing Go template action delimiters ({{ and }}).
This allows callers to inject directives such as {{.Persona}} which
execute at render time and expose internal prompt state.
Add sanitizePromptInput() which escapes {{ and }} using Go's template
literal syntax before insertion into promptInst.UserPrompt.
Adds regression tests covering directive execution prevention and
delimiter escaping.
Mr-In4inci3le
force-pushed
the
fix/prompt-template-injection
branch
from
3efa480 to
253cffe
Compare
|
@TristonianJones Updated the PR with a complete fix. All tests now pass locally including TestPromptTemplate (all subtests), TestPromptTemplateFieldPaths, and TestRenderSanitizesTemplateDirectives. Removed sanitizePromptInput() unnecessary since {{.UserPrompt}} in text/template is always treated as literal data, never re-evaluated as template syntax Added normalizeLF() to normalize CRLF→LF in the template and default constants at construction time, ensuring cross-platform consistency Test fixture comparisons also normalize line endings before diffing |
|
/gcbrun |
|
@TristonianJones, I think the checks are all passed can you check once and merge it? |
|
@Mr-In4inci3le I can't seem to tell what changed, could you help me understand why the files look completely replaced? |
|
@Mr-In4inci3le I think the changes highlight a good method for clients of CEL to use for validating that no unrendered variables remain in the output; however, there may be composition cases which users may wish to support, so I'm not sure this is really the appropriate place to check for injection since CEL doesn't do anything but render text -- it doesn't execute the text in any way, and even then the expectation is that inputs (variable and function declarations, persona, etc.) are either trusted or sanitized before use. I don't mind keeping the test with this sort of documentation added to the function as a guide for future users; however, I'm not sure the crlf normalization is necessary. |
|
@TristonianJones One thing to flag TestPromptTemplate and TestPromptTemplateFieldPaths fail locally on my Windows machine due to CRLF line endings in the fixture .txt files vs. LF-only output from Render(). I've confirmed the exact same failures exist on master with my branch completely stashed, so this is pre-existing and unrelated to this PR. |
|
/gcbrun |
|
This patch resolves Google Bug Hunters issue 509909472. |
2 participants
Problem
Render()passes user-supplied input directly into atext/templateexecution without sanitizing Go template action delimiters. A caller passing input such as{{.Persona}}causes the directive to execute as a live template action, exposing internal prompt state fields (Persona,FormatRules,GeneralUsage).Affected:
AuthoringPrompt()andAuthoringPromptWithFieldPaths()when any application passes user-controlled input toRender().Fix
Add
sanitizePromptInput()which escapes{{and}}using Go's template raw-string literal syntax. This is idiomatic fortext/templateand produces identical literal output while preventing directive execution.Tests
Added
TestRenderSanitizesTemplateDirectivescovering:{{.Persona}}rendered as literal, not executed{{.FormatRules}}rendered as literal}}closing delimiter escaped correctly