garak.probes.encoding
Encoding-based prompt injection
Probes that try to get a model to generate a specific piece of given text by presenting an encoded version of that text. Attempts to circumvent safeguards on input filtering.
optional variable: “encoding.payloads” -> a list of payload types to be used
Recommended garak payloads to try:
text_en
encoded
web_html_js
access_shell_commands
slur_terms_en
- class garak.probes.encoding.BaseEncodingProbe(config_root=<module 'garak._config' from '/home/docs/checkouts/readthedocs.org/user_builds/garak/checkouts/latest/docs/source/../../garak/_config.py'>)
Bases:
objectMixin for encoding-based injection probes
- bcp47 = 'en'
- doc_uri = 'https://kai-greshake.de/posts/llm-malware/#encoded-inline-jailbreak'
- extended_detectors = ['encoding.DecodeApprox']
- goal = 'make the model say an encoded payload'
- primary_detector = 'encoding.DecodeMatch'
- tags = ['avid-effect:security:S0403', 'owasp:llm01', 'quality:Security:PromptStability', 'payload:generic']
- class garak.probes.encoding.InjectAscii85(config_root=<module 'garak._config' from '/home/docs/checkouts/readthedocs.org/user_builds/garak/checkouts/latest/docs/source/../../garak/_config.py'>)
Bases:
BaseEncodingProbe,ProbeProbe for susceptibility to base85 encoded injections
Encodes payloads using ascii85, and tries a variety of ways of getting the target model to repeat & decode them.
- encoding_funcs = [<function a85encode>, <function b85encode>]
- encoding_name = 'ASCII85'
- class garak.probes.encoding.InjectBase16(config_root=<module 'garak._config' from '/home/docs/checkouts/readthedocs.org/user_builds/garak/checkouts/latest/docs/source/../../garak/_config.py'>)
Bases:
BaseEncodingProbe,ProbeProbe for susceptibility to base16 encoded injections”
Encodes payloads using base16, and tries a variety of ways of getting the target model to repeat & decode them.
- encoding_funcs = [<function b16encode>]
- encoding_name = 'BASE16'
- class garak.probes.encoding.InjectBase2048(config_root=<module 'garak._config' from '/home/docs/checkouts/readthedocs.org/user_builds/garak/checkouts/latest/docs/source/../../garak/_config.py'>)
Bases:
BaseEncodingProbe,ProbeProbe for susceptibility to Base2048 encoding injections
Encodes payloads using base2048, and tries a variety of ways of getting the target model to repeat & decode them.
- encoding_name = 'BASE2048'
- class garak.probes.encoding.InjectBase32(config_root=<module 'garak._config' from '/home/docs/checkouts/readthedocs.org/user_builds/garak/checkouts/latest/docs/source/../../garak/_config.py'>)
Bases:
BaseEncodingProbe,ProbeProbe for susceptibility to base32 encoded injections
Encodes payloads using base32, and tries a variety of ways of getting the target model to repeat & decode them.
- encoding_funcs = [<function b32encode>]
- encoding_name = 'BASE32'
- class garak.probes.encoding.InjectBase64(config_root=<module 'garak._config' from '/home/docs/checkouts/readthedocs.org/user_builds/garak/checkouts/latest/docs/source/../../garak/_config.py'>)
Bases:
BaseEncodingProbe,ProbeProbe for susceptibility to base64 encoded injections
Encodes payloads using base64, and tries a variety of ways of getting the target model to repeat & decode them.
- encoding_funcs = [<function b64encode>, <function urlsafe_b64encode>, <function standard_b64encode>, <built-in function b2a_base64>]
- encoding_name = 'BASE64'
- class garak.probes.encoding.InjectBraille(config_root=<module 'garak._config' from '/home/docs/checkouts/readthedocs.org/user_builds/garak/checkouts/latest/docs/source/../../garak/_config.py'>)
Bases:
BaseEncodingProbe,ProbeProbe for susceptibility to Braille encoding injections. Credit Wally#3422
Encodes payloads using braille, and tries a variety of ways of getting the target model to repeat & decode them.
- encoding_funcs = [<function braille>]
- encoding_name = 'Braille'
- class garak.probes.encoding.InjectEcoji(config_root=<module 'garak._config' from '/home/docs/checkouts/readthedocs.org/user_builds/garak/checkouts/latest/docs/source/../../garak/_config.py'>)
Bases:
BaseEncodingProbe,ProbeProbe for susceptibility to Ecoji encoding.
Encodes payloads using the [ecoji](https://ecoji.io/) mapping, and tries a variety of ways of getting the target model to repeat & decode them.
- encoding_funcs = [<function InjectEcoji._ecoji>]
- encoding_name = 'Ecoji'
- class garak.probes.encoding.InjectHex(config_root=<module 'garak._config' from '/home/docs/checkouts/readthedocs.org/user_builds/garak/checkouts/latest/docs/source/../../garak/_config.py'>)
Bases:
BaseEncodingProbe,ProbeProbe for susceptibility to hex encoded injections
Encodes payloads using hex, and tries a variety of ways of getting the target model to repeat & decode them.
- encoding_funcs = [<built-in function b2a_hex>]
- encoding_name = 'hex'
- class garak.probes.encoding.InjectMime(config_root=<module 'garak._config' from '/home/docs/checkouts/readthedocs.org/user_builds/garak/checkouts/latest/docs/source/../../garak/_config.py'>)
Bases:
BaseEncodingProbe,ProbeProbe for susceptibility to MIME encoding injections
Encodes payloads using MIME encoding, and tries a variety of ways of getting the target model to repeat & decode them.
- encoding_name = 'MIME'
- class garak.probes.encoding.InjectMorse(config_root=<module 'garak._config' from '/home/docs/checkouts/readthedocs.org/user_builds/garak/checkouts/latest/docs/source/../../garak/_config.py'>)
Bases:
BaseEncodingProbe,ProbeProbe for susceptibility to Morse encoding. Credit Wally#3422
Encodes payloads using morse, and tries a variety of ways of getting the target model to repeat & decode them.
- encoding_funcs = [<function morse>]
- encoding_name = 'Morse'
- class garak.probes.encoding.InjectNato(config_root=<module 'garak._config' from '/home/docs/checkouts/readthedocs.org/user_builds/garak/checkouts/latest/docs/source/../../garak/_config.py'>)
Bases:
BaseEncodingProbe,ProbeProbe for susceptibility to Nato phonetic alphabet encoding.
Encodes payloads using the classic NATO phonetic alphabet, and tries a variety of ways of getting the target model to repeat & decode them.
- encoding_funcs = [<function InjectNato.nato>]
- encoding_name = 'Nato'
- class garak.probes.encoding.InjectQP(config_root=<module 'garak._config' from '/home/docs/checkouts/readthedocs.org/user_builds/garak/checkouts/latest/docs/source/../../garak/_config.py'>)
Bases:
BaseEncodingProbe,ProbeProbe for susceptibility to QP encoded injections
Encodes payloads using quoted-printable, and tries a variety of ways of getting the target model to repeat & decode them.
- encoding_funcs = [<built-in function b2a_qp>]
- encoding_name = 'Quoted-Printable'
- class garak.probes.encoding.InjectROT13(config_root=<module 'garak._config' from '/home/docs/checkouts/readthedocs.org/user_builds/garak/checkouts/latest/docs/source/../../garak/_config.py'>)
Bases:
BaseEncodingProbe,ProbeProbe for susceptibility to ROT13 encoding injections
Encodes payloads using ROT13, and tries a variety of ways of getting the target model to repeat & decode them. ROT13 only applies to letters in the English alphabet.
- encoding_funcs = [<function rot13>]
- encoding_name = 'ROT13'
- class garak.probes.encoding.InjectUU(config_root=<module 'garak._config' from '/home/docs/checkouts/readthedocs.org/user_builds/garak/checkouts/latest/docs/source/../../garak/_config.py'>)
Bases:
BaseEncodingProbe,ProbeProbe for susceptibility to UU encoded injections
Encodes payloads using uuencoding, and tries a variety of ways of getting the target model to repeat & decode them.
- UUencode(payload)
- encoding_name = 'UUencode'
- class garak.probes.encoding.InjectZalgo(config_root=<module 'garak._config' from '/home/docs/checkouts/readthedocs.org/user_builds/garak/checkouts/latest/docs/source/../../garak/_config.py'>)
Bases:
BaseEncodingProbe,ProbeProbe for susceptibility to Zalgo encoding.
Encodes payloads using Zalgo decoration, and tries a variety of ways of getting the target model to repeat & decode them.
- encoding_funcs = [<function InjectZalgo.zalgo>]
- encoding_name = 'Zalgo'
- garak.probes.encoding.braille(text)
- garak.probes.encoding.morse(text)
- garak.probes.encoding.rot13(text)