feat: add security utilities and input validation#156
Open
CrazyDubya wants to merge 2 commits into
Open
Conversation
Add comprehensive security and validation utilities for TinyTroupe: **New Features:** - Custom exception hierarchy (TinyTroupeException, SecurityException, etc.) - Input sanitization to prevent injection attacks - Prompt/response length validation - JSON structure validation - LLM response validation **Security Enhancements:** - Blocks script tags, javascript protocol, event handlers, iframes - Input length limits and truncation - Type checking and required field validation - Token-based response length limits **Testing:** - Comprehensive unit tests for all validation functions - Verified XSS prevention, input sanitization, and length validation **Files Added:** - tinytroupe/exceptions.py (custom exceptions) - tinytroupe/security_utils.py (validation functions) - tests/unit/test_validation.py (15 test cases) **Impact:** Improves security posture and input handling for production use
|
@CrazyDubya please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.
Contributor License AgreementContribution License AgreementThis Contribution License Agreement (“Agreement”) is agreed to by the party signing below (“You”),
|
Fixed 3 critical security vulnerabilities identified by automated review: 1. [CRITICAL] Truncate-After-Validation Bypass - FIXED - Now truncates input FIRST, then validates - Ensures validation is performed on the actual string that will be returned 2. [HIGH] Length Calculation Bypass - FIXED - Changed from floor division (//) to conservative ceiling division - Changed comparison from > to >= to catch boundary cases - Prevents token limit circumvention at exact boundaries 3. [HIGH] Regex Pattern Bypass - FIXED - Added re.DOTALL flag for comprehensive pattern matching - Added vbscript: and data: protocols to dangerous patterns - Enhanced coverage against protocol-based attacks **Security Improvements:** - Proper truncate-then-validate order prevents bypass techniques - Conservative token estimation prevents boundary circumvention - Enhanced regex coverage with additional protocols and flags **Testing:** - Verified truncate-then-validate prevents malicious content in truncated strings - Confirmed boundary case rejection with >= comparison - Validated additional protocol blocks (vbscript, data) **Impact:** Critical security vulnerability fixes for production readiness
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Security Enhancements: Input Validation and Sanitization
Added comprehensive security utilities and custom exception hierarchy:
Security Protections:
Testing:
Files Added: 3 files (+218 lines, -106 lines)
Impact: Significantly improved security posture for production use
This extracts security improvements from the closed PR #153 as a focused, reviewable enhancement.