Python: information-flow control prompt injection defense#5331
Python: information-flow control prompt injection defense#5331eavanvalkenburg wants to merge 4 commits intomainfrom
Conversation
* fides integration * documentation * documentation * documentation * human-approval on policy violation * numenous hyena 'works' * IFC based implementation * minor edits in documentation * rebasing the branch and running the email example * Add security tests for IFC middleware * Fix Role.TOOL NameError in approval handling * tiered labelling scheme * 3 tier labelling scheme in middleware * Adapt security middleware to list[Content] tool results * Refactor SecureAgentConfig as context provider and address Copilot review comments * Update FIDES docs to reflect context provider pattern and update code for ContextProvider rename * Fix security examples: use OpenAIChatClient instead of non-existent AzureOpenAIChatClient * Address PR review: consolidate security modules, remove ContentLineage, update docs * remove unrelated files * remove comment from _tools.py and rename decision file * Fix CI failures: Bandit B110, broken md links, hosted approval passthrough * apply template to decision doc 0024 * minor fixes to decision doc 0024 --------- Co-authored-by: Aashish <t-akolluri@microsoft.com>
* Python: follow up FIDES security flow Refine the secure approval path, mark the security classes with the FIDES experimental feature label, and clean up the related docs/tests. Also fix workspace-level validation regressions uncovered while running the full Python check suite. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Python: remove FIDES GitHub MCP sample Drop the GitHub MCP security sample from the FIDES follow-up branch while keeping the remaining security docs and samples intact. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR brings the Python FIDES information-flow control (integrity + confidentiality) prompt-injection/data-exfiltration defense closer to main, adding core security primitives/middleware, DevUI support for policy-violation approvals, and end-to-end samples/docs/tests.
Changes:
- Adds FIDES security samples and documentation (quick start + developer guide + implementation summary + ADR).
- Extends DevUI mapping/execution to round-trip policy-violation metadata through approval events.
- Adjusts core function-invocation plumbing and test suites to support the new approval/policy flow and keep validation green.
Reviewed changes
Copilot reviewed 14 out of 16 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| python/samples/02-agents/security/repo_confidentiality_example.py | New sample demonstrating confidentiality labels + exfiltration prevention. |
| python/samples/02-agents/security/email_security_example.py | New sample demonstrating integrity taint handling + quarantined processing. |
| python/samples/02-agents/security/README.md | New quick-start documentation for SecureAgentConfig/FIDES patterns. |
| python/samples/02-agents/security/FIDES_DEVELOPER_GUIDE.md | New deep-dive developer guide for the FIDES model and APIs. |
| python/packages/core/tests/test_security.py | New comprehensive unit tests for labeling/middleware/policy enforcement. |
| python/packages/core/agent_framework/_tools.py | Updates tool invocation + approval replacement behavior for policy approvals. |
| python/packages/core/agent_framework/init.py | Exports new FIDES/security APIs and ai_function alias. |
| python/packages/core/agent_framework/_feature_stage.py | Adds ExperimentalFeature.FIDES. |
| python/packages/core/agent_framework/observability.py | Hardens finish_reason attribute handling. |
| python/packages/devui/agent_framework_devui/_mapper.py | Emits policy violation details in approval request events when present. |
| python/packages/devui/agent_framework_devui/_executor.py | Preserves policy-violation metadata on approval responses. |
| python/packages/devui/tests/devui/test_ui_memory_regression.py | Skips the test when CDP websocket URL cannot be obtained. |
| python/packages/foundry/tests/foundry/test_foundry_embedding_client.py | Makes env patching deterministic via clear=True. |
| docs/features/FIDES_IMPLEMENTATION_SUMMARY.md | Adds an implementation summary for FIDES components/deliverables. |
| docs/decisions/0024-prompt-injection-defense.md | New ADR documenting the design rationale and tradeoffs. |
* updated import naming and comment from review * Add approval replay None call-id test Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Automated Code Review
Reviewers: 1 | Confidence: 88%
✗ Design Approach
The approval-flow work mostly moves in the right direction—matching approved results by
call_idis a solid improvement—but one new piece of the design is too brittle:_replace_approval_contents_with_resultsnow detects “placeholder” tool results by searching for the magic substring[APPROVAL_PENDING]insidefunction_result.result. In this framework,function_result.resultis just arbitrary tool output (python/packages/core/agent_framework/_types.py:809-865), so using it as control-flow state leaks middleware implementation details into the generic content model and can misfire on legitimate tool output. That should be modeled as structured state instead of string matching. I found two design-level problems in the new security layer. The feature’s isolation model depends on module-global mutable state for per-invocation context, so it will behave correctly only as long as one tool invocation runs at a time in a process. In the existing async tool pipeline, that assumption does not hold: overlapping runs can clober each other’s security context, and separately configured agents can silently overwrite each other’s quarantine client. The main design problem is in the new DevUI policy-approval path: the mapper now emitspolicy_violationmetadata, but the existing pending-approval state and submit flow still only preserverequest_idandfunction_call, so legitimate UI approvals will drop the metadata while_executornow tries to rebuild security-sensitive state from client input. That is both incomplete and a step away from the existing server-validated approval model. I also saw one test change that weakens coverage by turning DevTools startup failures into skips rather than failures. That means the example does not actually exercise the cross-turn security behavior it claims to demonstrate, and it teaches readers the wrong integration pattern for any policy that depends on accumulated conversation state.
Flagged Issues
-
python/samples/02-agents/security/email_security_example.pyexpects security context to carry across two independentagent.run()calls, but core agent code creates a new session whensession=is omitted (_agents.py:1185-187,1406-1408). Scenario 2 will not run in the tainted context from scenario 1. Reuse a singleAgentSessionor collapse into one run.
Suggestions
- Represent pending-approval tool results with explicit metadata or a dedicated content shape, then replace them by
call_idusing that structured marker instead of inspectingfunction_result.resulttext. - Keep the quarantine chat client on
SecureAgentConfig/middleware state and havequarantined_llm()obtain it from the current invocation context, preserving per-agent isolation. - Reuse a single
AgentSessionin the email sample's CLI scenario so the second step actually demonstrates policy enforcement after untrusted content has entered the conversation.
Automated review by eavanvalkenburg's agents
| "security_label": { | ||
| "integrity": "trusted" if email["is_internal"] else "untrusted", | ||
| "confidentiality": "private", | ||
| } |
There was a problem hiding this comment.
nit: is it possible to also discuss how these additional properties are consumed downstream?
There was a problem hiding this comment.
Added a description on how the labels are used.
| - **Automatic Detection**: Middleware checks integrity label after each tool call | ||
| - **Automatic Storage**: UNTRUSTED results/items stored in variable store | ||
| - **Transparent Replacement**: LLM context receives `VariableReferenceContent` | ||
| - **Context Label Protection**: Hidden content does NOT taint context label |
There was a problem hiding this comment.
nit: it's unclear from reading the ADR and this to understand how these work. Could we provide more details?
There was a problem hiding this comment.
Included a small paragraph with the main purpose of automated hiding.
| FunctionInvocationLayer, | ||
| FunctionTool, | ||
| ToolTypes, | ||
| ai_function, |
There was a problem hiding this comment.
Didn't we rename this to tool?
|
|
||
|
|
||
| @experimental(feature_id=ExperimentalFeature.FIDES) | ||
| class LabeledMessage(Message): |
There was a problem hiding this comment.
nit: Should the name be more explicit? For example, SecurityLabeledMessage? This mainly has two advantages:
- Make it clear that this type contains the security label.
- Reserve the LabeledMessage name in case we have some other labeled messages in the future.
| Args: | ||
| role: The message role (user, assistant, system, tool). | ||
| content: The message content. | ||
| security_label: The security label. If None, inferred from role. |
There was a problem hiding this comment.
nit: should we make this param required?
There was a problem hiding this comment.
I don't think it is necessary. There are clear defaults for each of them. The user and system prompt are trusted, the assistant message is trusted based on the initial trusted context and tool messages default to untrusted.
| """ | ||
| return self._message_labels.get(message_index) | ||
|
|
||
| def label_messages(self, messages: list[dict[str, Any]]) -> list[LabeledMessage]: |
There was a problem hiding this comment.
I don't see this used anywhere. And why is this in this middleware that is a function middleware?
There was a problem hiding this comment.
You are right. These were helper messages for the developer and are not used internally. Removed them for now as the developer does not need to explicitly label messages.
| label: ContentLabel, | ||
| function_name: str, | ||
| ) -> Content: | ||
| """Replace an untrusted Content item with a variable-reference placeholder. |
There was a problem hiding this comment.
I am slightly confused about this. If the result of the function is hidden, how do we expect the LLM/agent to proceed? And if we expect the LLM/agent to not proceed, why would the tool be given to the LLM/agent in the first place?
This may be related to the security boundary.
There was a problem hiding this comment.
If the security label for the tool result is untrusted, then it is hidden inside a variable before adding it to the conversation history. This prevents the LLM's context from being tainted and exposed to potentially malicious data. For all the task, we do expect the LLM to proceed. For many operations, the LLM can simply pass the variable reference and the untrusted content will be exposed only inside the tool (Data-Independent tasks, Page 11). If the LLM has to look at the untrusted content to make decisions about the next tool call (Data-dependent tasks), then it can use the inspect_variable() tool call but this taints the context.
| agent = Agent( | ||
| client=client, | ||
| name="assistant", | ||
| middleware=[label_tracker, policy], # Apply both middlewares |
There was a problem hiding this comment.
Should the agent have tools for the middleware to take effect?
But again, if a tool cannot be trusted, why would it be given to the agent in the first place?
There was a problem hiding this comment.
The implementation of the tool is always trusted, it is the content that the tool fetches could be untrusted for e.g., external emails, webcontent or anything where an adversary can potentially insert prompt injection instructions.
| attacks. You CANNOT see or operate on the actual content directly. Here's how to work | ||
| with hidden content: | ||
|
|
||
| ### Using `quarantined_llm` (PREFERRED): |
There was a problem hiding this comment.
Question: is this just shifting the risk to another client?
There was a problem hiding this comment.
No, the quarantined_llm() as the name suggests does not have access to any tool calls. It can only perform data processing operations such as summarizing, parsing, extracting content. It takes untrusted content hidden inside variables as input, inspects it, operates on it and generates untrusted content which is again hidden inside variables as output. This ensures that the context of the planner LLM is not tainted. If the planner LLM absolutely needs to inspect the variable to decide the next tool call, then it uses the inspect_variable tool call which taints the context to untrusted. Any further tool call that is not allowed in an untrusted context will be either blocked or sent for human approval depending on the params. This is similar to the use of Dual LLM pattern https://www.agentic-patterns.com/patterns/dual-llm-pattern/
| Use this tool ONLY when you absolutely need to see the raw content to make a decision | ||
| about what to do next. This exposes potentially unsafe content. |
There was a problem hiding this comment.
Question: there are still no determinism and security guarantee as promised in the ADR? Prompt injection can reverse this instruction, or differently models may follow the instruction differently.
There was a problem hiding this comment.
A model can interpret the instructions differently but it does not affect the security. The determinism and security guarantees are enforced by the security policies on each tool call. If the policy is violated (for e.g., because a model chose to use inspect_variable() for operating on untrusted data and therefore tainting the context) then the security falls back to the baseline of requesting a human approval with the attached message that this tool call is performed as a result of untrusted data being exposed to the model.
There was a problem hiding this comment.
Automated Code Review
Reviewers: 4 | Confidence: 90%
✗ Correctness
The main code changes in
_tools.pyimprove approval-flow robustness (null-checks, call_id-based matching instead of positional indexing, empty message cleanup). Theobservability.pyfix is correct and necessary. However, there is one concrete regression: the normal success path of_auto_invoke_functionsilently dropsadditional_propertiespropagation from the function call to the function result, while every other code path in the same function (no-middleware direct execution, MiddlewareTermination, Exception, and error paths) continues to propagate them. This inconsistency means the same function behaves differently depending on whether middleware is present and whether execution succeds or fails. The_parse_github_mcp_labelsfunction in security.py contains a correctness bug: it uses lexicographic string comparison (field_conf.value > most_restrictive_confidentiality.value) to determine the most restrictive confidentiality label. Because"private" < "public"in Python string ordering (since'r' < 'u'), PRIVATE confidentiality from GitHub MCP labels is incorrectly treated as less restrictive than PUBLIC, causing PRIVATE data to remain labeled PUBLIC. This occurs at two locations (lines 764 and 782). The rest of the codebase (e.g.,combine_labels,check_confidentiality_allowed) correctly uses a priority dict for this comparison.
✗ Security Reliability
The _tools.py changes improve approval-flow robustness (call_id-based matching instead of positional, null-safety on approved_function_call) and add security middleware integration points. Two reliability concerns: (1) the normal middleware success path silently drops additional_properties that error/termination paths still propagate, creating inconsistent metadata on function results; (2) placeholder replacement uses a magic string sentinel '[APPROVAL_PENDING]' in tool-result text, which is fragile—a structured Content attribute would be safer. The observability fix for non-string finish_reason is correct and needed. Two security-relevant bugs found in the new security.py module: (1) The GitHub MCP label parser uses lexicographic string comparison for confidentiality levels, causing PRIVATE content to be misclassified as PUBLIC because "private" < "public" lexicographically. This undermines confidentiality protections for GitHub MCP-sourced data. (2) Thread-local storage (
threading.local()) is used to pass the middleware instance to async security tools, butthreading.local()does not isolate concurrent asyncio coroutines on the same thread, risking cross-coroutine middleware leakage. The production code changes add policy-violation metadata plumbing through the approval flow. The _executor.py change spreads untrusted client-supplied dict data (**policy_violation_data) intoadditional_properties, which allows a malicious client to inject arbitrary keys or override thepolicy_violation: Trueflag. The _mapper.py changes safely extract specific keys. Test changes and foundry test fix are fine.
✗ Test Coverage
The PR introduces significant new logic in
_tools.py— placeholder[APPROVAL_PENDING]replacement, empty-message cleanup,function_approval_requestpassthrough from middleware, andcall_idnull validation — but none of these new code paths have corresponding unit tests intest_function_invocation_logic.py. The observabilityisinstance(finish_reason, str)guard also lacks a test for non-string finish_reason values. Whiletest_security.pyis listed as a new file, it does not exist on disk and presumably appears in a later chunk; the gaps noted here are in the core_tools.pyapproval flow, which should be tested independently of the security module. The security module contains a correctness bug in_parse_github_mcp_labelswhere confidentiality levels are compared via string ordering ("private" < "public" alphabetically) instead of the intended hierarchy (PUBLIC < PRIVATE < USER_IDENTITY), causing PRIVATE data to not be recognized as more restrictive than PUBLIC. No test file for the security module exists on disk — test_security.py is listed as a changed file but appears in another chunk, so its coverage cannot be verified here. A test specifically covering_parse_github_mcp_labelswith PRIVATE fields would catch this bug. The new test_security.py file is extensive (~2578 lines) and covers the major security subsystems well: label creation/serialization, combine_labels, ContentVariableStore, middleware label tracking, policy enforcement, auto-hiding, tiered label propagation, confidentiality checks, and quarantined LM. Three test coverage gaps stand out: (1) the devui _executor.py and _mapper.py changes add policy_violation extraction and mapping logic with zero corresponding tests, (2) test_audit_log_recording only asserts the initial empty state and never triggers a violation to verify recording, and (3) the new _replace_approval_contents_with_results tests in test_function_invocation_logic.py are well-structured and cover the key call-id-matching fix thoroughly.
✗ Design Approach
That is a contract regression rather than a local bug: the framework already treats
additional_propertiesas the extensibility channel onContent, and the rest of_auto_invoke_functionstill preserves it. With middleware enabled, result metadata now disappears only on the success path, which is especially risky for any higher-level features that depend on result labels or other propagated metadata. First, it stores per-invocation middleware state in a thread-local even though the core tool loop executes function calls concurrently withasyncio.gather, so concurrent tool calls can read or clear each other’s security context. Second, the GitHub MCP label parser derives confidentiality ordering from enum string values instead of the explicit confidentiality lattice used elsewhere, which can silently downgrade private content during label propagation. I also found the new memory-test skip broad enough to hide real browser/DevTools startup regressions instead of isolating a known unsupported environment. I found two design-level problems in the new security samples. First, the email demo assumes the security context stays tainted across two separateagent.run(...)calls, but the core agent only preserves provider/history state when you reuse an explicit session, so the second step does not reliably demonstrate the policy boundary it claims to show. Second, both samples hardcodegpt-4o-minias the quarantine Foundry model even thoughFoundryChatClienttreatsmodelas a deployment name, which makes the samples depend on a very specific project setup instead of a configurable quarantine deployment.
Flagged Issues
- The
[APPROVAL_PENDING]placeholder replacement logic in_replace_approval_contents_with_results(lines 1872–1882 of_tools.py) is entirely new behavior that modifies message contents in-place, but has zero test coverage across all test files.
Suggestions
- Narrow the memory regression test skip — converting the generic DevTools timeout into
pytest.skip()masks browser-launch and remote-debugging regressions this test is supposed to catch. Skip only for a narrowly identified unsupported-environment condition. - Reuse an explicit session in the email sample (e.g.,
session = agent.create_session()passed to bothagent.run()calls) so the second step genuinely demonstrates cross-turn policy enforcement. - Make the quarantine deployment configurable (e.g.,
FOUNDRY_QUARANTINE_MODELenv var with fallback toFOUNDRY_MODEL) and update documentation to reference deployment names rather than a literalgpt-4o-ministring. - Add unit tests for
quarantined_llmboth with and without a quarantine client configured, verifying the response is labeled UNTRUSTED andtool_choice='none'is passed.
Automated review by moonbox3's agents
| # Second pass: Remove messages that are now empty after content removal | ||
| # We need to iterate in reverse to safely remove by index | ||
| messages_to_remove: list[int] = [] | ||
| for msg_idx, msg in enumerate(messages): | ||
| if not msg.contents: | ||
| messages_to_remove.append(msg_idx) | ||
| for msg_idx in reversed(messages_to_remove): | ||
| messages.pop(msg_idx) |
There was a problem hiding this comment.
Missing test coverage: The second pass that removes messages with empty contents lists is new logic. No existing test verifies that messages left empty after content removal are pruned from the messages list.
Motivation and Context
This draft PR brings the Python information-flow control prompt injection defense work from
feature/python-fidestowardmainfor review and integration.Description
Contribution Checklist