security: implement comprehensive prompt injection prevention and input sanitization

[nik-kale]

Summary

Implements comprehensive input sanitization and prompt injection prevention to protect against LLM manipulation attacks. Features configurable strictness levels and integrates seamlessly into the planning workflow.

Changes

• Enhanced sanitizer.py with advanced prompt injection detection:
  • Critical patterns: "ignore previous instructions", role overrides, forget commands
  • Moderate patterns: Role injection (system:/user:/assistant:), instruction tokens, code blocks
  • Permissive patterns: Minimal blocking for less sensitive deployments
• Added PromptInjectionError exception for blocked attacks
• Integrated sanitization into Architect.plan() method
• Added configurable sanitization modes: strict, moderate, permissive
• Added block_on_injection flag to control blocking behavior
• Comprehensive test suite with 30+ test cases covering:
  • All injection pattern types
  • Different sanitization modes
  • Integration with planner
  • URL validation (SSRF prevention)
  • Path validation (traversal prevention)
  • Shell injection detection
  • Sensitive data redaction

Type of Change

• New feature (non-breaking change adding functionality)
• Bug fix (non-breaking change fixing an issue)
• Breaking change (fix or feature causing existing functionality to change)
• Security patch

Problem

The original implementation had placeholder sanitization that didn't actually prevent prompt injection attacks. Malicious users could:

• Override system prompts with "ignore previous instructions"
• Inject role tokens to impersonate system/assistant
• Use special instruction tokens ([INST], <|im_start|>) to manipulate behavior
• Embed code blocks to trick the LLM into executing malicious logic

Solution

Multi-layered defense:

1. Pattern detection: Regex patterns for known injection techniques
2. Configurable strictness: Choose security level based on deployment context
3. Sanitization options: Block (raise exception) or sanitize (remove patterns)
4. Minimal content enforcement: Ensure goals remain meaningful after sanitization
5. Unicode filtering: Remove unusual Unicode that might confuse models

Configuration Examples

Strict mode (recommended for production):

config = PlannerConfig(
    sanitization_mode="strict",
    block_on_injection=True
)

Moderate mode (balanced):

config = PlannerConfig(
    sanitization_mode="moderate",
    block_on_injection=False  # Sanitize instead of blocking
)

Permissive mode (trusted environments):

config = PlannerConfig(
    sanitization_mode="permissive",
    block_on_injection=False
)

Testing

• 30+ test cases covering all attack vectors
• Tests verify both blocking and sanitization modes
• Integration tests with Architect planner
• No false positives on normal workflow descriptions

Security Impact

Prevents entire class of attacks:

• ✅ Prompt injection
• ✅ Role override attempts
• ✅ Instruction token injection
• ✅ Code block injection
• ✅ System prompt leakage attempts

Checklist

• Code follows project style guidelines
• Self-review completed
• Comments added for complex logic
• Documentation updated (inline docstrings)
• No new warnings introduced
• Tests added and passing (30+ test cases)

Related Issues

Addresses security roadmap item: "Implement input sanitization for prompt injection prevention"

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.