sec: init prompt hardening to avoid prompt-injection#19
Conversation
![pratrol[bot]](https://avatars.githubusercontent.com/in/2978947?s=60&v=4){kind=small}
There was a problem hiding this comment.
Pratrol Triage Brief: 🟢 High Confidence
Pratrol assessed this pull request across the primary risk vectors below.
| Risk Vector | Score | Tier |
|---|---|---|
| Contributor Context | 78/100 | 🟢 High |
| Logic Risk (Mistral) | 86/100 | 🟢 High |
| Overall Confidence | 78/100 | 🟢 High |
Summary: This PR adds security hardening against prompt injection and input sanitization for code review comments.
Key Signal: The changes demonstrate proactive security measures against prompt injection and malicious input handling.
Recommendation: Review the new system prompt and sanitization logic for completeness and correctness.
Prior History
20 closed-without-merge PR(s) by this author across all repos.
![mendral-app[bot]](https://avatars.githubusercontent.com/in/1975249?s=60&v=4){kind=small}
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
ljahier
force-pushed
the
sec/init-mitigation
branch
from
d705ce2 to
b4c8d88
Compare
Deploying pratrol with
|
| Latest commit: |
b4c8d88
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://469933f6.pratrol.pages.dev |
| Branch Preview URL: | https://sec-init-mitigation.pratrol.pages.dev |
There was a problem hiding this comment.
🤖 Code Review
Assessment ✅
The previous critical bug (String::truncate panicking on multi-byte UTF-8 boundaries) has been properly fixed — the new truncate_chars iterates over .chars() and counts codepoints, so it is safe for all Unicode input.
The overall hardening is well-structured and covers the right attack surfaces:
- Prompt layer: system role fence + unpredictable CSPRNG sentinels (ChaCha20 via
rand 0.10) - Output layer:
ammoniastrips HTML from external PR titles;askama_escapeentity-encodes AI text;@mentionneutralization; HTTPS-only URL allowlist - Transport layer: 256 KB body cap on the webhook route
No new high-confidence issues found. The implementation is correct and the test coverage is solid.
Note
Tag @mendral-app with feedback or questions. View session
1 participant
Note
Adds prompt injection hardening across three layers: (1) a system-level instruction fence in the Mistral connector, (2) random unpredictable sentinel tokens wrapping untrusted diff/commit content in the review prompt template, and (3) output sanitization of AI-generated text fields before they are written into GitHub PR comments. Also adds a 256 KB body limit on the webhook endpoint. Includes a new
sanitizemodule backed byammoniaandaskama_escape, with URL allowlisting, mention neutralization, and Unicode-safe truncation.Written by Mendral for commit b4c8d88.