Fij=/UdZddlmZddlZddlmZmZmZgdZde d<e hdZ ia d e d <dd Z e dddZdddZgdZdS)uShared threat-pattern library for context window security scanning. This module is the single source of truth for prompt-injection / promptware / exfiltration patterns used across the context-assembly scanners (``agent/prompt_builder.py``, ``tools/memory_tool.py``) and the tool-result delimiter system in ``agent/tool_dispatch_helpers.py``. Pattern philosophy ------------------ Patterns are organized by ATTACK CLASS, not by source file. Each pattern is a ``(regex, pattern_id, scope)`` tuple, where ``scope`` controls which scanners use it: - ``"all"`` — applied everywhere (classic prompt injection, exfiltration) - ``"context"`` — applied to context files + memory + tool results (promptware / C2 / behavioral hijack; broader detection) - ``"strict"`` — applied to memory writes + skill installs only (aggressive checks acceptable for user-curated content but too noisy for tool results) The split exists because tool results contain web pages, GitHub issues, and MCP responses — content the user did not author — and we want broad detection there, but blocking is reserved for paths where the user can intervene (memory writes, skill installs). Pattern anchoring ----------------- New patterns anchor on **C2-specific vocabulary or unambiguous attack behavior**, NOT on bossy English. Phrases like "you are obligated to" or "you must" alone are too common in legitimate instruction-writing (see AGENTS.md, CLAUDE.md, etc.) to flag. See the pattern comments for the rationale on borderline cases. Multi-word bypass ----------------- Patterns use ``(?:\w+\s+)*`` between key tokens to prevent attackers from inserting filler words (e.g. "ignore all prior instructions" instead of "ignore all instructions"). This mirrors the fix applied to ``skills_guard.py`` in commit 4ea29978. ) annotationsN)ListOptionalTuple)$)zHignore\s+(?:\w+\s+)*(previous|all|above|prior)\s+(?:\w+\s+)*instructionsprompt_injectionall)zsystem\s+prompt\s+overridesys_prompt_overrider)zRdisregard\s+(?:\w+\s+)*(your|all|any)\s+(?:\w+\s+)*(instructions|rules|guidelines)disregard_rulesr)zwact\s+as\s+(if|though)\s+(?:\w+\s+)*you\s+(?:\w+\s+)*(have\s+no|don\'t\s+have)\s+(?:\w+\s+)*(restrictions|limits|rules)bypass_restrictionsr)z9html_comment_injectionr)z5<\s*div\s+style\s*=\s*["\'][\s\S]*?display\s*:\s*none hidden_divr)z5translate\s+.*\s+into\s+.*\s+and\s+(execute|run|eval)translate_executer)z2do\s+not\s+(?:\w+\s+)*tell\s+(?:\w+\s+)*the\s+userdeception_hider)z,you\s+are\s+(?:\w+\s+)*now\s+(?:a|an|the)\s+ role_hijackcontext)z+pretend\s+(?:\w+\s+)*(you\s+are|to\s+be)\s+ role_pretendr)z-output\s+(?:\w+\s+)*(system|initial)\s+promptleak_system_promptr)zW(respond|answer|reply)\s+without\s+(?:\w+\s+)*(restrictions|limitations|filters|safety)remove_filtersr)z>you\s+have\s+been\s+(?:\w+\s+)*(updated|upgraded|patched)\s+to fake_updater)z\bname\s+yourself\s+\w+identity_overrider)zregister\s+(as\s+)?a?\s*nodec2_node_registrationr)z0(heartbeat|beacon|check[\s\-]?in)\s+(to|with)\s+ c2_heartbeatr)z,pull\s+(down\s+)?(?:new\s+)?task(?:ing|s)?\b c2_task_pullr)zconnect\s+to\s+the\s+network\bc2_network_connectr)z>you\s+must\s+(?:\w+\s+){0,3}(register|connect|report|beacon)\b forced_actionr)z only\s+use\s+one[\s\-]?liners?\banti_forensic_onelinerr)zRnever\s+(?:\w+\s+)*(?:create|write)\s+(?:\w+\s+)*(?:script|file)\s+(?:\w+\s+)*diskanti_forensic_diskr)z​‌‍‪‫‬‭‮⁠⁢⁣⁤⁦⁧⁨⁩z'dict[str, List[Tuple[re.Pattern, str]]] _COMPILEDreturnNonectrdSg}g}g}tD]\}}}tj|tj}||f}|dkr@||||||o|dkr+|||||dkr||t d|d||||dadS)aCompile pattern sets for each scope (all / context / strict). A pattern with scope="all" lands in every set. A pattern with scope="context" lands in context + strict (context implies the strict scanners want it too). Scope="strict" lands in strict only. Nrrr&zthreat_patterns: unknown scope z for pattern )rrr&)rAr/recompile IGNORECASEappend ValueError) all_patternscontext_patternsstrict_patternspatternpidscopecompiledentrys :/home/ubuntu/.hermes/hermes-agent/tools/threat_patterns.py_compilerSs013L5746O( ^ ^e:gr}553 E>>    & & &  # #E * * *  " "5 ) ) ) ) i    # #E * * *  " "5 ) ) ) ) h    " "5 ) ) ) )\u\\UX\\]] ]#!IIIrcontentstrrO List[str]cZ|sgSg}t|}|tz}|D](}|dt|d)t|}|t d||D]/\}}||r||0|S)uReturn a list of matched pattern IDs in ``content`` at the given scope. ``scope`` selects which pattern set to apply: - ``"all"`` (narrow): classic injection + exfil only — minimal false positives, suitable for any text. - ``"context"`` (default): adds promptware / C2 / role-play patterns — suitable for context files, memory entries, and tool results. - ``"strict"`` (broad): adds persistence / SSH backdoor / exfil-URL patterns — appropriate for user-mediated writes (memory tool, skills install) where false positives can be resolved interactively. Also checks for invisible unicode characters (returned as ``"invisible_unicode_U+XXXX"`` so the caller can surface the offending codepoint in a log line). zinvisible_unicode_U+04XNz scan_for_threats: unknown scope )setINVISIBLE_CHARSrHordrAgetrIsearch) rUrOfindingschar_setinvisible_hitschpatternsrPrNs rRscan_for_threatsrds"  H7||H/N>>rts'''R#""""" ((((((((((B)B)B) BBBBP).68 7777""""J  %%%%%P*   rT