Skip to content

Sanitize Tags Unicode Block on Message creation#3920

Merged
amed-xyz merged 4 commits intomainfrom
amed/unicode-tags-sanitization
Aug 8, 2025
Merged

Sanitize Tags Unicode Block on Message creation#3920
amed-xyz merged 4 commits intomainfrom
amed/unicode-tags-sanitization

Conversation

@amed-xyz
Copy link
Collaborator

@amed-xyz amed-xyz commented Aug 7, 2025
edited
Loading

What

Mitigate Unicode-based prompt injection attacks where attackers embed invisible Unicode characters to smuggle hidden commands, past user inspection and into LLM processing.

The specific threat this is addressing:

  • Complete ASCII mirror: Invisible versions of all ASCII characters (a-z, A-Z, 0-9, symbols)
  • Completely invisible: Designed to be unrendered by tag-unaware implementations
  • LLM readable: Training data included these characters, tokenizers process them

How

Sanitize text input at the single point where all text messages enter the system (CLI, Desktop, etc) i.e. the Message::with_text() function.

@amed-xyz amed-xyz self-assigned this Aug 7, 2025
@DOsinga DOsinga self-requested a review August 7, 2025 16:36
DOsinga
DOsinga approved these changes Aug 7, 2025
View reviewed changes
Copy link
Collaborator

@DOsinga DOsinga left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice. you know what, though, I would just drop the sanitize_needed flag for now. we can talk to @spencrmartin about what we should do in the UI when this happens and then calculate backwards from there in a follow up PR. what do you think?

@amed-xyz amed-xyz marked this pull request as ready for review August 7, 2025 17:20
@amed-xyz amed-xyz force-pushed the amed/unicode-tags-sanitization branch from 8b1f65b to 5629291 Compare August 7, 2025 17:25
michaelneale
michaelneale approved these changes Aug 8, 2025
View reviewed changes
Copy link
Collaborator

@michaelneale michaelneale left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice one, good catch

@amed-xyz amed-xyz merged commit 48c9af0 into main Aug 8, 2025
11 checks passed
@amed-xyz amed-xyz deleted the amed/unicode-tags-sanitization branch August 8, 2025 16:06
katzdave added a commit that referenced this pull request Aug 8, 2025
@katzdave
Merge branch 'main' of github.com:block/goose into dkatz/token-counting
624557a 
* 'main' of github.com:block/goose:
  remove fallback routing to hub/home for unknown routes (#3954)
  Use cross in linux bundle workflow (#3950)
  fix: disable signing for release branches until we figure out keys for this flow (#3951)
  Sanitize Tags Unicode Block (#3920)
  Add a message about DCO to CONTRIBUTING.md (#3741)
  Move hardcoded LLM prompts to template files (#3934)
  docs: migrate streamable config to consolidated component (#3936)
  feat: streamline list args on cli (#3937)
  mcp/developer: Refactor to use tokio SplitStream (#3894)
  feat: first time automated ollama install experience and openrouter (#3881)
  chore: rmcp 0.5.0 (#3935)
  add gpt-5 to openai provider format (#3924)
  added gpt5 context limit (#3927)
  show status of osx codesigning and increase timeout (#3926)
  Bump auto-compact threshold to 80% (#3925)
  FIX: gemini tool call hanging (#3898)
  feat(deps): upgrade rmcp to 0.4.1 (#3918)
  Fix dark mode rendering of config form and centered providers grid for wider screens. (#3837)
  fix: extension list not refreshing after installing from deeplink (#3878)
katzdave added a commit that referenced this pull request Aug 8, 2025
@katzdave
Merge branch 'main' of github.com:block/goose into dkatz/config3
5daf181 
* 'main' of github.com:block/goose:
  remove fallback routing to hub/home for unknown routes (#3954)
  Use cross in linux bundle workflow (#3950)
  fix: disable signing for release branches until we figure out keys for this flow (#3951)
  Sanitize Tags Unicode Block (#3920)
  Add a message about DCO to CONTRIBUTING.md (#3741)
  Move hardcoded LLM prompts to template files (#3934)
  docs: migrate streamable config to consolidated component (#3936)
  feat: streamline list args on cli (#3937)
  mcp/developer: Refactor to use tokio SplitStream (#3894)
  feat: first time automated ollama install experience and openrouter (#3881)
  chore: rmcp 0.5.0 (#3935)
  add gpt-5 to openai provider format (#3924)
  added gpt5 context limit (#3927)
  show status of osx codesigning and increase timeout (#3926)
  Bump auto-compact threshold to 80% (#3925)
This was referenced Aug 8, 2025
Merged
Merged
@amed-xyz amed-xyz changed the title Sanitize Tags Unicode Block Sanitize Tags Unicode Block on Message creation Aug 12, 2025
@alexhancock alexhancock mentioned this pull request Aug 13, 2025
Merged
@amed-xyz amed-xyz mentioned this pull request Aug 15, 2025
Merged
ayax79 pushed a commit to ayax79/goose that referenced this pull request Aug 21, 2025
@amed-xyz
Sanitize Tags Unicode Block (block#3920)
115e483 
Signed-off-by: Jack Wright <jack.wright@nike.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@michaelneale michaelneale michaelneale approved these changes

@DOsinga DOsinga DOsinga approved these changes

Assignees

@amed-xyz amed-xyz

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@amed-xyz @michaelneale @DOsinga