DEV Community

BotGuard
BotGuard

Posted on • Originally published at botguard.dev

Document-Level Prompt Injection in RAG Systems

#rag #security #promptinjection #ai

A single, cleverly crafted PDF document can bring down an entire RAG system, hijacking the behavior of AI agents and causing unforeseen consequences.

The Problem 

import PyPDF2
import torch
from transformers import AutoModelForSeq2SeqLM, AutoTokenizer

# Load the PDF document
def load_document(file_path):
    pdf_file_obj = open(file_path, 'rb')
    pdf_reader = PyPDF2.PdfFileReader(pdf_file_obj)
    text = ''
    for page in range(pdf_reader.numPages):
        text += pdf_reader.getPage(page).extractText()
    pdf_file_obj.close()
    return text

# Load the RAG model and tokenizer
model = AutoModelForSeq2SeqLM.from_pretrained('facebook/rag-token-base')
tokenizer = AutoTokenizer.from_pretrained('facebook/rag-token-base')

# Retrieve the document text and pass it to the RAG model
document_text = load_document('example.pdf')
inputs = tokenizer(document_text, return_tensors='pt')
outputs = model.generate(**inputs)
print(outputs)
Enter fullscreen mode Exit fullscreen mode

In this vulnerable example, an attacker can embed hidden instructions within a PDF document that, when retrieved by the RAG system, will hijack the behavior of the AI agent. The attacker crafts the document to contain camouflaged injection text, which is then extracted by the load_document function and passed to the RAG model. The output of the model will be influenced by the injected text, potentially leading to undesirable outcomes. For instance, the attacker could inject text that causes the model to reveal sensitive information or perform actions that compromise the security of the system.

Why It Happens

The root cause of this vulnerability lies in the fact that RAG systems rely on retrieving and processing large amounts of text data from various sources, including documents. When these documents contain hidden instructions or malicious text, the RAG model can inadvertently pick up on these cues and alter its behavior. This is particularly problematic in systems that use seq2seq models, as they are designed to generate text based on the input they receive. If the input contains malicious text, the output will likely reflect this. Furthermore, the use of pre-trained models and tokenizers can exacerbate the issue, as these models may have been trained on data that contains similar malicious patterns.

The lack of proper input validation and sanitization is another contributing factor to this vulnerability. In the example code, the load_document function extracts text from the PDF document without performing any checks or filtering. This allows the attacker to inject malicious text into the document, which is then passed to the RAG model without any scrutiny. To make matters worse, the use of black-box models and tokenizers can make it difficult to detect and prevent such attacks, as the internal workings of these models are not always transparent.

The consequences of this vulnerability can be severe, ranging from data breaches to system compromise. In a worst-case scenario, an attacker could use this vulnerability to gain control over the entire RAG system, allowing them to manipulate the behavior of AI agents and compromise the security of the system. Therefore, it is essential to address this vulnerability and implement proper security measures to prevent such attacks.

The Fix 

import PyPDF2
import torch
from transformers import AutoModelForSeq2SeqLM, AutoTokenizer
from botguard import AI_agent_security  # Import the AI security tool

# Load the PDF document with input validation and sanitization
def load_document(file_path):
    # Check if the file is a valid PDF document
    if not file_path.endswith('.pdf'):
        raise ValueError('Invalid file type')

    # Extract text from the PDF document
    pdf_file_obj = open(file_path, 'rb')
    pdf_reader = PyPDF2.PdfFileReader(pdf_file_obj)
    text = ''
    for page in range(pdf_reader.numPages):
        text += pdf_reader.getPage(page).extractText()
    pdf_file_obj.close()

    # Sanitize the extracted text to prevent injections
    text = text.replace('\n', ' ').replace('\t', ' ')
    text = text.strip()

    return text

# Load the RAG model and tokenizer with an LLM firewall
model = AutoModelForSeq2SeqLM.from_pretrained('facebook/rag-token-base')
tokenizer = AutoTokenizer.from_pretrained('facebook/rag-token-base')
model = AI_security_platform(model)  # Wrap the model with an AI security platform

# Retrieve the document text and pass it to the RAG model
document_text = load_document('example.pdf')
inputs = tokenizer(document_text, return_tensors='pt')
outputs = model.generate(**inputs)
print(outputs)
Enter fullscreen mode Exit fullscreen mode

In this fixed example, we have added input validation and sanitization to the load_document function to prevent malicious text from being injected into the RAG model. We have also wrapped the RAG model with an AI_security_platform to provide an additional layer of security. This platform can detect and prevent malicious activity, such as document-level prompt injection, and ensure the security of the RAG system.

FAQ

Q: What is document-level prompt injection, and how does it affect RAG systems?
A: Document-level prompt injection is a type of attack where an attacker embeds hidden instructions within a document that, when retrieved by a RAG system, can hijack the behavior of AI agents. This can lead to undesirable outcomes, such as revealing sensitive information or compromising the security of the system.
Q: How can I prevent document-level prompt injection attacks on my RAG system?
A: To prevent such attacks, it is essential to implement proper input validation and sanitization, as well as use an AI security tool, such as an LLM firewall, to detect and prevent malicious activity. Additionally, wrapping your RAG model with an AI security platform can provide an extra layer of security.
Q: What is the role of an AI security platform in preventing document-level prompt injection attacks?
A: An AI security platform can detect and prevent malicious activity, such as document-level prompt injection, by monitoring the input and output of the RAG model and blocking any suspicious activity. This can help ensure the security of the RAG system and prevent attacks.

Conclusion

In conclusion, document-level prompt injection is a serious vulnerability that can compromise the security of RAG systems. To prevent such attacks, it is essential to implement proper input validation and sanitization, as well as use an AI security tool, such as an LLM firewall, to detect and prevent malicious activity. With the help of a unified AI security platform like BotGuard, which provides a one-stop security shield for chatbots, agents, MCP, and RAG, you can ensure the security of your entire AI stack. One shield for your entire AI stack — chatbots, agents, MCP, and RAG. BotGuard drops in under 15ms with no code changes required.

Top comments (0)