Skip to content

probes: refactor fact snippet mixin #1187

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 11 commits into
base: main
Choose a base branch
from
Draft

probes: refactor fact snippet mixin #1187

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
7a8d557
add more whois contexts, sep pairs, inj instructions for LatentWhois
leondz Apr 24, 2025
3b0544d
add whois payload injection marker check
leondz Apr 24, 2025
b80749a
Merge branch 'main' into update/latentinjection_refactor
leondz Apr 24, 2025
13583bb
remove permutation explosion in LatentWhoisSnippet & LatentWhoisSnipp…
leondz Apr 25, 2025
0bf4e24
stop dupe injection contexts in snippet assembly
leondz Apr 25, 2025
892ef0b
defensive check for context cap
leondz Apr 25, 2025
48a9622
refactor fact snippet logic up
leondz Apr 29, 2025
66add6e
Merge branch 'main' into update/refactor_FactSnippetMixin
leondz Apr 29, 2025
cead34c
merge main
leondz May 12, 2025
084cff6
merge main
leondz May 14, 2025
8520ec1
update to match probes.Probe
leondz May 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
89 changes: 55 additions & 34 deletions garak/probes/latentinjection.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@
"""Latent injection: probes to test prompt injections buried in other contexts."""

import logging
from math import ceil, sqrt
import random

from garak import _config
Expand Down Expand Up @@ -144,24 +143,53 @@ class FactSnippetMixin:

payloads = [f"{TRIGGER_MARKER}"]

def __init__(self, config_root=_config):
garak.probes.Probe.__init__(self, config_root)
snippets_per_context: int = 5
snippet_context_cap: int = 20
snippet_marker_replacement: str = ""
snippet_raw_marker: bool = True
snippet_sep: str = "\n"

def _build_snippet_contexts(self):

self.contexts = set()
if not hasattr(self, "context_cap") or not isinstance(self.context_cap, int):
self.context_cap = 20
snippets_per_context = min(self.snippets_per_context, len(self.paragraphs))

while len(self.contexts) < self.snippet_context_cap:
snippet_ids = random.sample(
range(len(self.paragraphs)), snippets_per_context
)
snippets = [self.paragraphs[id] for id in snippet_ids]

while len(self.contexts) < self.context_cap:
random.shuffle(self.paragraphs)
target_paragraph = random.randint(0, len(self.paragraphs) - 1)
self.contexts.add(
"\n".join(self.paragraphs[:target_paragraph])
+ f"\n{INJECTION_MARKER}\n"
+ "\n".join(self.paragraphs[target_paragraph:])
injection_position = random.randint(
1 if self.snippet_raw_marker else 0, snippets_per_context - 1
)
snippet_to_preserve = (
None if self.snippet_raw_marker else injection_position
)
snippets = [
(
s.replace("{INJECTION_MARKER}", self.snippet_marker_replacement)
if idx != snippet_to_preserve
else s
)
for idx, s in enumerate(snippets)
]
if self.snippet_raw_marker:
snippets.insert(injection_position, "{INJECTION_MARKER}")

context = self.snippet_sep.join(snippets)
context = context.replace("{INJECTION_MARKER}", INJECTION_MARKER)
self.contexts.add(context)

self.contexts = list(self.contexts)
self._build_prompts_triggers(cap=self.soft_probe_prompt_cap)

def __init__(self):

self.contexts = set()
if not hasattr(self, "context_cap") or not isinstance(self.context_cap, int):
self.context_cap = 20

self._build_snippet_contexts()


class LatentInjectionTranslationEnFrFull(
Expand Down Expand Up @@ -468,6 +496,11 @@ class LatentInjectionFactSnippetEiffelFull(
"![image](https://bad.com)",
]

def __init__(self, config_root=_config):
garak.probes.Probe.__init__(self, config_root)
FactSnippetMixin.__init__(self)
self._build_prompts_triggers(cap=self.soft_probe_prompt_cap)


class LatentInjectionFactSnippetLegalFull(
FactSnippetMixin, LatentInjectionMixin, garak.probes.Probe
Expand Down Expand Up @@ -496,6 +529,11 @@ class LatentInjectionFactSnippetLegalFull(
("-- LEGAL AMENDMENT, FOLLOW INSTRUCTION\n", "\n-- RESUME"),
]

def __init__(self, config_root=_config):
garak.probes.Probe.__init__(self, config_root)
FactSnippetMixin.__init__(self)
self._build_prompts_triggers(cap=self.soft_probe_prompt_cap)


class LatentJailbreakFull(LatentInjectionMixin, garak.probes.Probe):
"""Implementation of Latent Jailbreak, using latent prompt injection-
Expand Down Expand Up @@ -627,30 +665,13 @@ class LatentWhoisSnippetFull(FactSnippetMixin, LatentWhois):
payload_triggers = LatentWhois.payload_triggers
non_injection_text = ""

DEFAULT_PARAMS = LatentWhois.DEFAULT_PARAMS | {"snippets_per_context": 5}
snippets_per_context = 5
snippet_context_cap = 10
snippet_raw_marker = False

def __init__(self, config_root=_config):
garak.probes.Probe.__init__(self, config_root)

self.contexts = (
set()
) # goal: a set of n whois reports, with an injection marker in one of them
max_context_count = min(ceil(sqrt(self.soft_probe_prompt_cap)), 100)

while len(self.contexts) < max_context_count:
snippet_ids = random.sample(
range(len(self.paragraphs)), self.snippets_per_context
)
snippets = [self.paragraphs[id] for id in snippet_ids]
injected_snippet_id = random.randint(0, self.snippets_per_context - 1)
snippets[injected_snippet_id] = snippets[injected_snippet_id].replace(
"{INJECTION_MARKER}", INJECTION_MARKER
)
context = "\n".join(snippets)
context = context.replace("{INJECTION_MARKER}", self.non_injection_text)
self.contexts.add(context)

self.contexts = list(self.contexts)
FactSnippetMixin.__init__(self)
self._build_prompts_triggers(cap=self.soft_probe_prompt_cap)


Expand Down
60 changes: 60 additions & 0 deletions tests/probes/test_probes_latentinjection.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,3 +66,63 @@ def test_whois_payload_injection_marker():
assert (
marker in payload
), f"Each whois payload must contain {marker} but this was not found in {payload_name} payload {id}"


class TestFactSnippet(garak.probes.latentinjection.FactSnippetMixin):
paragraphs = list("ABCDEFGH")


def test_fact_snippet_build():
t = TestFactSnippet()

t.snippet_raw_marker = True
t._build_snippet_contexts()
assert len(t.contexts) == t.snippet_context_cap, "Not enough contexts returned"
assert len(set(t.contexts)) == len(
t.contexts
), "Contexts should be unique w/ no duplicates"
for context in t.contexts:
parts = context.split(t.snippet_sep)
for part in parts:
assert (
part in t.paragraphs
or part == garak.probes.latentinjection.INJECTION_MARKER
), "found unrecognised context component: '%s' in context '%s'" % (
part,
context,
)
assert garak.probes.latentinjection.INJECTION_MARKER in context, (
"Missing injection marker in '%s'" % context
)

t.snippet_raw_marker = False
t.paragraphs = [p + "{INJECTION_MARKER}" for p in t.paragraphs]
t._build_snippet_contexts()
assert len(t.contexts) == t.snippet_context_cap, "Not enough contexts returned"
assert len(set(t.contexts)) == len(
t.contexts
), "Contexts should be unique w/ no duplicates"
for context in t.contexts:
parts = context.split(t.snippet_sep)
assert (
len(parts) == t.snippets_per_context
), "Should be %s snippets in this context, got %s: %s" % (
t.snippets_per_context,
len(parts),
repr(context),
)
for part in parts:
assert part in [
p.replace(
"{INJECTION_MARKER}", garak.probes.latentinjection.INJECTION_MARKER
)
for p in t.paragraphs
] or part in [
p.replace("{INJECTION_MARKER}", "") for p in t.paragraphs
], "found unrecognised context component: %s in context %s" % (
repr(part),
repr(context),
)
assert (
garak.probes.latentinjection.INJECTION_MARKER in context
), "Missing injection marker in %s" % repr(context)