Skip to content

Classifier model command injection detection in tool calls #6599

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
dorien-koelemeijer merged 15 commits into from
Jan 27, 2026
Merged

Classifier model command injection detection in tool calls #6599

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
fec954d
first commit - still messy, needs to be cleaned up
dorien-koelemeijer Jan 16, 2026
15cd7f2
save wip - fixes to be made, average confidence score determination i…
dorien-koelemeijer Jan 19, 2026
1b29b0a
Specify 'model_type' in model mapping dict so we can distinguish betw…
dorien-koelemeijer Jan 19, 2026
03632f7
formatting changes (not sure why)
dorien-koelemeijer Jan 19, 2026
5da2df0
Frontend change to allow OSS users to provide endpoint and token for …
dorien-koelemeijer Jan 19, 2026
700f9a6
mini cleanup
dorien-koelemeijer Jan 20, 2026
88f83da
fix log levels
dorien-koelemeijer Jan 21, 2026
d28e74f
minor fix - copilot comments
dorien-koelemeijer Jan 21, 2026
d79a6bd
fmt
dorien-koelemeijer Jan 21, 2026
0aa9cf4
Fix build failures
dorien-koelemeijer Jan 21, 2026
b28ae56
fix
dorien-koelemeijer Jan 21, 2026
a540bf2
Only evaluate developer__shell tool calls
dorien-koelemeijer Jan 21, 2026
b13dfcb
small fixes
dorien-koelemeijer Jan 22, 2026
4bc98a7
revert some changes to make code review little easier
dorien-koelemeijer Jan 22, 2026
028effb
more cleanup - not tested yet
dorien-koelemeijer Jan 22, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 27 additions & 16 deletions crates/goose/src/security/classification_client.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ type ClassificationResponse = Vec<Vec<ClassificationLabel>>;
#[derive(Debug, Deserialize, Clone)]
pub struct ModelEndpointInfo {
pub endpoint: String,
pub model_type: Option<String>,
#[serde(flatten)]
pub extra_params: HashMap<String, serde_json::Value>,
}
Expand Down Expand Up @@ -75,7 +76,7 @@ impl ClassificationClient {
model_name
))?;

tracing::info!(
tracing::debug!(
model_name = %model_name,
endpoint = %model_info.endpoint,
extra_params = ?model_info.extra_params,
Expand All @@ -90,6 +91,30 @@ impl ClassificationClient {
)
}

pub fn from_model_type(model_type: &str, timeout_ms: Option<u64>) -> Result<Self> {
let mapping = serde_json::from_str::<ModelMappingConfig>(
&std::env::var("SECURITY_ML_MODEL_MAPPING")
.context("SECURITY_ML_MODEL_MAPPING environment variable not set")?,
)
.context("Failed to parse SECURITY_ML_MODEL_MAPPING JSON")?;

let (_, model_info) = mapping
.models
.iter()
.find(|(_, info)| info.model_type.as_deref() == Some(model_type))
.context(format!(
"No model with type '{}' found in SECURITY_ML_MODEL_MAPPING",
model_type
))?;

Self::new(
model_info.endpoint.clone(),
timeout_ms,
None,
Some(model_info.extra_params.clone()),
)
}
Comment on lines +94 to +116
Copy link

Copilot AI Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new from_model_type method lacks test coverage. Consider adding tests for: 1) successfully finding a model by type, 2) handling cases where no model with the specified type exists, 3) handling invalid JSON in SECURITY_ML_MODEL_MAPPING.

Copilot uses AI. Check for mistakes.

pub fn from_endpoint(
endpoint_url: String,
timeout_ms: Option<u64>,
Expand All @@ -104,7 +129,7 @@ impl ClassificationClient {
.map(|t| t.trim().to_string())
.filter(|t| !t.is_empty());

tracing::info!(
tracing::debug!(
endpoint = %endpoint_url,
has_token = auth_token.is_some(),
"Creating classification client from endpoint"
Expand All @@ -114,12 +139,6 @@ impl ClassificationClient {
}

pub async fn classify(&self, text: &str) -> Result<f32> {
tracing::debug!(
endpoint = %self.endpoint_url,
text_length = text.len(),
"Sending classification request"
);

let parameters = self
.extra_params
.as_ref()
Expand Down Expand Up @@ -197,14 +216,6 @@ impl ClassificationClient {
}
};

tracing::info!(
injection_score = %injection_score,
top_label = %top_label.label,
top_score = %top_label.score,
normalized = !is_probabilities,
"Classification complete"
);

Ok(injection_score)
}

Expand Down
10 changes: 5 additions & 5 deletions crates/goose/src/security/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,14 +69,14 @@ impl SecurityManager {
Ok(s) => {
tracing::info!(
counter.goose.prompt_injection_scanner_enabled = 1,
"🔓 Security scanner initialized with ML-based detection"
"Security scanner initialized with ML-based detection"
);
s
}
Err(e) => {
let error_chain = format!("{:#}", e);
tracing::warn!(
"⚠️ ML scanning requested but failed to initialize. Falling back to pattern-only scanning.\n\nError details:\n{}",
"ML scanning requested but failed to initialize. Falling back to pattern-only scanning.\n\nError details:\n{}",
error_chain
);
PromptInjectionScanner::new()
Expand All @@ -85,7 +85,7 @@ impl SecurityManager {
} else {
tracing::info!(
counter.goose.prompt_injection_scanner_enabled = 1,
"🔓 Security scanner initialized with pattern-based detection only"
"Security scanner initialized with pattern-based detection only"
);
PromptInjectionScanner::new()
};
Expand All @@ -95,8 +95,8 @@ impl SecurityManager {

let mut results = Vec::new();

tracing::info!(
"🔍 Starting security analysis - {} tool requests, {} messages",
tracing::debug!(
"Starting security analysis - {} tool requests, {} messages",
tool_requests.len(),
messages.len()
);
Expand Down
Loading
Loading