Initial commit: Add agent.ts #2
base: master
Conversation
| text: msg.content, | ||
| }, | ||
| ], | ||
| }; | ||
| } else { | ||
| // User messages use input_text type | ||
| return { | ||
| role: msg.role, | ||
| content: [ |
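Review bot: the else branch forwards `msg.role` unchanged even though its comment says it handles user messages; if the incoming message type admits any role other than user or assistant, such a message is wrapped as `input_text` and sent to the agent under that role. Narrow the branch to `msg.role === "user"` (or reject unknown roles before conversion) so only the two expected roles reach the agent input.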
The new multi-turn conversation support only runs guardrails on the last user message, but passes the full conversation history (including unchecked earlier messages) to all agents. An attacker can inject malicious prompts in earlier messages that will bypass jailbreak detection and prompt injection guardrails.
Suggested Fix
Run guardrails on ALL user messages in the conversation history, not just the last one:
// Extract ALL user messages for guardrails check
const userMessages = conversationHistory
  .filter((m) => "role" in m && m.role === "user")
  .map((m) => {
    // Join every text part of the message, not only content[0],
    // so a multi-part user message is checked in full
    if ("content" in m && Array.isArray(m.content)) {
      return m.content
        .filter((part) => part && typeof part === "object" && "text" in part)
        .map((part) => String(part.text))
        .join("\n");
    }
    return "";
  })
  .filter((text) => text.length > 0);

// Check each user message through guardrails
for (const messageText of userMessages) {
  const guardrailsResult = await runGuardrails(
    messageText,
    jailbreakGuardrailConfig,
    context
  );
  if (guardrailsHasTripwire(guardrailsResult)) {
    const guardrailsOutput = buildGuardrailFailOutput(guardrailsResult ?? []);
    return { ...guardrailsOutput, tracking };
  }
}
| result.metadata.usage.promptTokens || | ||
| usage.promptTokens; | ||
| usage.completionTokens = | ||
| result.metadata.usage.completion_tokens || | ||
| result.metadata.usage.completionTokens || | ||
| usage.completionTokens; | ||
| usage.totalTokens = | ||
| result.metadata.usage.total_tokens || | ||
| result.metadata.usage.totalTokens || | ||
| usage.totalTokens; | ||
| } | ||
|
|
||
| // Estimate tokens based on text length if no usage data | ||
| if (usage.totalTokens === 0 && result.finalOutput) { | ||
| const outputLength = | ||
| typeof result.finalOutput === "string" | ||
| ? result.finalOutput.length | ||
| : JSON.stringify(result.finalOutput).length; | ||
| usage.completionTokens = Math.ceil(outputLength / 4); | ||
| usage.promptTokens = 50; // Rough estimate for prompt | ||
| usage.totalTokens = usage.promptTokens + usage.completionTokens; | ||
| } | ||
|
|
||
| // If total not provided, calculate it |
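Review bot: the usage fallback chains use `||`, so an API-reported value of 0 (for example `completion_tokens: 0`) is treated as missing and falls through to the next candidate and finally to the previous `usage` value; use `??` on the `result.metadata.usage` fields so only null/undefined fall through. In the estimate block, the fixed `usage.promptTokens = 50` undercounts the prompt whenever a multi-turn history is sent, so any cost tracking or limiting built on `usage` will be optimistic for exactly the requests where it matters; at minimum estimate the prompt from the serialized input length the same way the output is estimated.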
The new message array input has no validation on array length or individual message sizes. Attackers can submit extremely large message arrays or very long messages, causing excessive OpenAI API costs and potential service degradation through token-based denial of service.
Suggested Fix
Add input size limits before processing:
// Define limits
const MAX_MESSAGES = 50;
const MAX_MESSAGE_LENGTH = 10000;
const MAX_TOTAL_LENGTH = 50000;

if (workflow.messages && workflow.messages.length > 0) {
  // Validate message count
  if (workflow.messages.length > MAX_MESSAGES) {
    throw new Error(`Message history exceeds maximum of ${MAX_MESSAGES} messages`);
  }
  // Validate lengths
  let totalLength = 0;
  for (const msg of workflow.messages) {
    const msgLength = msg.content?.length || 0;
    if (msgLength > MAX_MESSAGE_LENGTH) {
      throw new Error(`Message exceeds maximum length of ${MAX_MESSAGE_LENGTH} characters`);
    }
    totalLength += msgLength;
  }
  if (totalLength > MAX_TOTAL_LENGTH) {
    throw new Error(`Total content exceeds maximum of ${MAX_TOTAL_LENGTH} characters`);
  }
  conversationHistory = convertToAgentInputItems(workflow.messages);
} else if (workflow.input_as_text) {
  if (workflow.input_as_text.length > MAX_MESSAGE_LENGTH) {
    throw new Error(`Input exceeds maximum length of ${MAX_MESSAGE_LENGTH} characters`);
  }
  conversationHistory = [
    { role: "user", content: [{ type: "input_text", text: workflow.input_as_text }] },
  ];
}
No description provided.