feat(plugins): ai-prompt-guard plugin #12230
Conversation
I'm wondering if this plugin can be just part of the ai-proxy plugin. The functionality of this plugin, aside from its name, seems not strictly related to AI workload.
So I would suggest we either move this to the ai-proxy plugin, or properly implement this as a WAF feature.
@fffonion Oh right sorry it's missing from the design... This is separate so that it can be applied to e.g. a whole runtime group / Kong control plane, and govern all configured models... Or to apply to one consumer to limit their AI usage.
…ith skip_transformation instruction for ai-proxy
```lua
if conf.deny_patterns and #conf.deny_patterns > 0 then
  for i, v in ipairs(conf.deny_patterns) do
    -- check each denylist; if prompt matches it, deny immediately
    local m, err = ngx.re.match(user_prompt, v)
```
Prefer ngx.re.find over ngx.re.match when you don't care about capturing anything in the pattern and just need to know if it matches or not:

```lua
-- "jo": JIT-compile the pattern and cache the compiled regex
if ngx.re.find("subject", "pattern", "jo") then
  print("it matched!")
end
```
```lua
  for i, v in ipairs(conf.deny_patterns) do
    -- check each denylist; if prompt matches it, deny immediately
    local m, err = ngx.re.match(user_prompt, v)
    if err then return do_internal_server_error("bad regex execution for: " .. v) end
```
Let's make this condition unreachable at runtime by using a custom validator for {allow,deny}_patterns in your plugin's schema.lua file:

```lua
local function is_valid_regex(s)
  -- compiling against an empty subject surfaces any PCRE compile error
  local _, _, err = ngx.re.find("", s)
  if err then
    return nil, "invalid regex: " .. err
  end
  return true
end

assert(is_valid_regex("^(.*"))
```

```
ERROR: t.lua:10: invalid regex: pcre_compile() failed: missing ) in "^(.*"
```
This is all being addressed in #12337
Summary
This commit offers another plugin that extends the functionality of "AI Proxy" in #12207.

It compares the user's `llm/v1/chat` or `llm/v1/completions` request against a series of regular expressions, in two config arrays:

- If the request matches any regex pattern in `deny`, the caller is 400'd.
- If any `allow` is specified, but the request matches none of them, the caller is also 400'd.
Engineering design document is available for this feature, but it is quite simple. Comprehensive tests supplied.
The reason for its development is that many of our users would like to block specific prompts, words, phrases, or otherwise more tightly control how an AI / LLM model is used, if being called via Kong, and this applies especially with the AI Proxy plugin, which will simplify this process.

Checklist
- [ ] `changelog/unreleased/kong` or `skip-changelog` label added on PR if changelog is unnecessary.
- [ ] README.md