fix(injection_detection): clear error when inline yara_rules miss a requested name#2147
Conversation
|
thanks for the review! one note on the signature check: the commit is DCO signed-off ( |
… requested name _load_rules built the compile sources by indexing yara_rules for every requested name, so a name not present inline raised an opaque KeyError. Validate up front and raise a clear ValueError (fail-closed). +test. Signed-off-by: WatchTree-19 <119982314+WatchTree-19@users.noreply.github.com>
b8fe2a3 to
38752a3
Compare
|
@WatchTree-19, this PR is being closed because it was opened before completing the required contribution workflow. Every PR must link to a triaged issue assigned to the PR author; this PR does not link to such an issue. The PR description must also use our current template, including the Related Issue, Verification, and AI Assistance sections. If AI tools substantially assisted with the contribution, disclose the tool and extent of assistance. The human contributor must review, verify, understand, and take responsibility for every submitted change. If no AI tools were used, select that option in the template. Before submitting another PR:
Please do not reopen this PR. You’re welcome to submit a new one after completing the workflow. See CONTRIBUTING.md and AI_POLICY.md. |
problem
_load_rulesinnemoguardrails/library/injection_detection/actions.pycrashes with an opaqueKeyErrorwhen injection detection is configured with inlineyara_rulesand theinjectionslist names a rule that isn't in those inline rules (e.g. mixing a built-in name likesqliwith an inline custom rule, or a typo):neither
_validate_injection_confignor_extract_injection_configcatches this (name validation is skipped when inline rules are used), so the guardrail dies withKeyError: 'sqli'instead of a clear config error.repro
fix
validate up front and raise a clear, actionable
ValueErrorlisting the missing names (fail-closed, mirroring theValueErrortheyara_pathbranch already raises for unknown rules), then compile directly since every name is now guaranteed present.test
added
test_inline_yara_rules_missing_injection_name_raises_value_error(mirrorstest_load_inline_yara_rules). fails ondevelop(KeyError), passes with the fix; fulltest_injection_detection.py32 pass, ruff clean.found by reading the code. (a maintainer could alternatively hoist the check into
_extract_injection_confignext to the existingyara_pathname validation for earlier failure - happy to move it.)