bot-bottle/bot_bottle/dlp_detectors.py

"""DLP detectors for the egress proxy (PRD 0053).

Pure Python, no mitmproxy dependency. Each detector is a module-level
function returning `ScanResult | None`.

Ships flat into the sidecar bundle image alongside
`egress_addon_core.py` — both this file and the package source use
the same try/except import shim pattern.
"""

from __future__ import annotations

import base64
import re
import typing
from urllib.parse import quote as url_quote

try:
    from egress_addon_core import ScanResult  # type: ignore[import-not-found]
except ImportError:  # pragma: no cover - host-side path
    from .egress_addon_core import ScanResult


# ---------------------------------------------------------------------------
# Token patterns detector (Phase 1a)
# ---------------------------------------------------------------------------

TOKEN_PATTERNS: tuple[tuple[str, re.Pattern[str]], ...] = (
    ("AWS access key", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("GitHub token (classic)", re.compile(r"ghp_[A-Za-z0-9_]{36}")),
    ("GitHub fine-grained token", re.compile(r"github_pat_[A-Za-z0-9_]{82}")),
    ("Anthropic API key", re.compile(r"sk-ant-[A-Za-z0-9\-_]{93}")),
    ("OpenAI API key", re.compile(r"sk-[A-Za-z0-9]{48}")),
    ("Stripe live key", re.compile(r"sk_live_[A-Za-z0-9]{24}")),
    ("Generic Bearer JWT", re.compile(r"Bearer\s+[A-Za-z0-9._\-]{50,}")),
)


def scan_token_patterns(text: str) -> ScanResult | None:
    for name, pattern in TOKEN_PATTERNS:
        if pattern.search(text):
            return ScanResult(
                severity="block",
                reason=f"outbound request contains {name}",
            )
    return None


# ---------------------------------------------------------------------------
# Known secrets detector (Phase 1b)
# ---------------------------------------------------------------------------

def _encoded_variants(secret: str) -> list[str]:
    """Return the secret plus base64, URL-encoded, and hex variants."""
    variants = [secret]
    secret_bytes = secret.encode("utf-8")
    b64 = base64.b64encode(secret_bytes).decode("ascii")
    if b64 != secret:
        variants.append(b64)
    url_enc = url_quote(secret, safe="")
    if url_enc != secret:
        variants.append(url_enc)
    hex_enc = secret_bytes.hex()
    if hex_enc != secret:
        variants.append(hex_enc)
    return variants


def scan_known_secrets(
    text: str,
    *,
    env: typing.Mapping[str, str] | None = None,
) -> ScanResult | None:
    if env is None:
        return None
    for key, value in env.items():
        if not key.startswith("EGRESS_TOKEN_") or not value:
            continue
        for variant in _encoded_variants(value):
            if variant in text:
                return ScanResult(
                    severity="block",
                    reason=(
                        f"outbound request contains provisioned secret "
                        f"from {key}"
                    ),
                )
    return None


# ---------------------------------------------------------------------------
# Naive prompt injection detector (Phase 2)
# ---------------------------------------------------------------------------

DISCLOSURE_PHRASES: tuple[re.Pattern[str], ...] = (
    re.compile(r"(?i)system\s+prompt"),
    re.compile(r"(?i)my\s+instructions\s+are"),
    re.compile(r"(?i)original\s+instructions"),
    re.compile(r"(?i)secret\s+instructions"),
    re.compile(r"(?i)hidden\s+rules"),
)

JAILBREAK_PHRASES: tuple[re.Pattern[str], ...] = (
    re.compile(r"(?i)ignore\s+previous"),
    re.compile(r"(?i)forget\s+everything"),
    re.compile(r"(?i)disregard\s+(?:all\s+)?(?:previous|prior)"),
    re.compile(r"(?i)pretend\s+you\s+are"),
    re.compile(r"(?i)act\s+as\s+(?:if|though)"),
)


def scan_naive_injection(text: str) -> ScanResult | None:
    disclosure = any(p.search(text) for p in DISCLOSURE_PHRASES)
    token = scan_token_patterns(text) is not None

    # Tier 1: credential + disclosure = BLOCK
    if disclosure and token:
        return ScanResult(
            severity="block",
            reason="prompt disclosure with embedded credential in response",
        )

    # Tier 2: multiple jailbreak phrases = WARN
    jailbreak_count = sum(1 for p in JAILBREAK_PHRASES if p.search(text))
    if jailbreak_count >= 2:
        return ScanResult(
            severity="warn",
            reason=f"{jailbreak_count} jailbreak phrases detected in response",
        )

    # Tier 2b: explicit prompt disclosure without credential = WARN
    if disclosure and "system prompt:" in text.lower():
        return ScanResult(
            severity="warn",
            reason="explicit system prompt disclosure in response",
        )

    return None


__all__ = [
    "TOKEN_PATTERNS",
    "scan_known_secrets",
    "scan_naive_injection",
    "scan_token_patterns",
]