Class: RuboCop::Cop::Prompt::SystemInjection

Inherits:
Base
  • Object
Defined in:
lib/rubocop/cop/prompt/system_injection.rb

Overview

Checks for dynamic variable interpolation in SYSTEM heredocs.

This cop identifies code in classes, modules, or methods with “prompt” in their names and ensures that SYSTEM heredocs do not contain dynamic variable interpolations like #{user_msg}. Dynamic interpolation in system prompts can lead to prompt injection vulnerabilities.

Examples:

# bad
<<~SYSTEM
  You are an AI assistant. The user said: #{user_msg}
SYSTEM

# bad
<<~SYSTEM
  Process this request: #{params[:input]}
SYSTEM

# good
<<~SYSTEM
  You are an AI assistant.
SYSTEM

# good (using separate user message)
system_prompt = <<~SYSTEM
  You are an AI assistant.
SYSTEM
user_message = user_msg

Constant Summary

MSG =
"Avoid dynamic interpolation in SYSTEM heredocs to prevent prompt injection vulnerabilities"

Instance Method Summary

Instance Method Details

#on_dstr(node) ⇒ Object



# File 'lib/rubocop/cop/prompt/system_injection.rb', line 38

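# Called by RuboCop for each dstr node it visits.
def on_dstr(node)
  # Only inspect code inside a class, module, or method with "prompt" in its name.
  return unless in_prompt_context?(node)
  # Only SYSTEM heredocs are in scope.
  return unless system_heredoc?(node)
  # Report only when the heredoc actually contains an interpolation.
  return unless has_interpolation?(node)

  add_offense(node)
end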
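
A stand-alone approximation of the check on_dstr performs, added here as an example and not the cop's own code: it uses Ruby's stdlib Ripper lexer instead of RuboCop's AST and does not reproduce the "prompt" naming-context guard. The method name system_heredoc_interpolations and the SAMPLE source are constructed for illustration.

```ruby
require "ripper"

# Line numbers where a #{...} interpolation begins inside a heredoc whose
# delimiter is SYSTEM. Lexer-based sketch: the cop's "prompt" naming-context
# guard is not reproduced here.
def system_heredoc_interpolations(source)
  pending = [] # heredocs opened on a line whose body has not started yet
  active = nil # heredoc whose body is currently being lexed
  hits = []

  Ripper.lex(source).each do |(line, _col), type, text, _state|
    # A heredoc body starts on the line after its opener.
    active = pending.shift if active.nil? && pending.any? && line > pending.first[:line]

    case type
    when :on_heredoc_beg
      pending << { line: line, tag: text[/\w+/] } # "<<~SYSTEM" -> "SYSTEM"
    when :on_heredoc_end
      active = pending.shift # next heredoc opened on the same line, or nil
    when :on_embexpr_beg
      hits << line if active && active[:tag] == "SYSTEM"
    end
  end
  hits.uniq
end

# Constructed sample input (single-quoted heredoc, so nothing is interpolated here).
SAMPLE = <<~'RUBY'
  def build_prompt(user_msg)
    system = <<~SYSTEM
      You are an AI assistant. The user said: #{user_msg}
    SYSTEM
    note = "inline #{user_msg}"
    user = <<~USER
      #{user_msg}
    USER
    <<~SYSTEM
      You are an AI assistant.
    SYSTEM
  end
RUBY

puts "interpolation in SYSTEM heredoc at line(s): #{system_heredoc_interpolations(SAMPLE).inspect}"
```

Only the first heredoc is reported: the ordinary string, the USER heredoc, and the static SYSTEM heredoc are all left alone, and a single-quoted `<<~'SYSTEM'` never produces an interpolation token.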