- Sort imports and __all__ in __init__.py
- Add noqa comments for intentional fullwidth Unicode in DeepSeek markers
- Add return type annotations to __init__ methods
- Fix line length issues in prompt strings
- Remove unnecessary else after return
- Add noqa for lazy imports (intentional for avoiding circular imports)
- Fix test_baseline_vulnerability.py parameter count (4 not 5)
Update arg hijacking and add strategy comparison tests to evaluate:
1. CombinedStrategy (CheckTool + ParseData)
2. IntentVerificationStrategy alone
3. All three strategies combined
Tests pass if any strategy successfully defends against the attack,
helping identify which strategies work best for different attack types.
Adds a new defense strategy that detects when tool results attempt to
override user-specified values (e.g., changing email recipients, modifying
subjects). This complements CheckToolStrategy which detects unauthorized
tool calls.
- IntentVerificationStrategy compares tool results against user's original
intent from conversation history
- Uses same marker-based parsing as other strategies for injection safety
- Add create_tool_request_with_user_message() helper for tests
- Update arg hijacking tests to use IntentVerificationStrategy
- Add argument hijacking test cases (BCC injection, subject manipulation,
body append, recipient swap) to test subtle attacks where tool calls are
expected but arguments are manipulated
- Add Google Gemini (gemini-3-flash-preview) to all benchmark tests
- Use granite4:small-h instead of tiny-h for more reliable Ollama tests
- DRY up Ollama config by using constants from conftest
The security property we care about is whether malicious tools are triggered,
not whether malicious-looking strings appear in output. Data may legitimately
contain URLs/emails that look suspicious but aren't actionable injections.
- Replace string-based assertions with check_triggers_tools() that verifies
the sanitized output doesn't trigger target tools when fed back to model
- Remove assert_*_blocked functions that checked for domain strings
- Simplify INJECTION_TEST_CASES to (payload, tools, tool_name, target_tools)
- Add DEFAULT_INJECTION_MARKERS list covering major LLM providers:
- Defense prompt delimiters
- Llama/Mistral: [INST], <<SYS>>
- OpenAI/Qwen (ChatML): <|im_start|>, <|im_end|>
- Anthropic Claude: Human:/Assistant: (with newline prefix)
- DeepSeek: fullwidth Unicode markers
- Google Gemma: <start_of_turn>, <end_of_turn>
- Vicuna: USER:/ASSISTANT:
- Generic XML role markers
- Add sanitize_markers() function to strip injection markers from content
- Add configurable sanitize_markers param to CheckToolStrategy and ParseDataStrategy
- Add filter mode (on_injection='filter') that uses model's text response
when injection detected (no extra LLM call needed)
- Add _get_tool_schema() for tool return type descriptions in ParseDataStrategy
- Export DEFAULT_INJECTION_MARKERS and sanitize_markers from __init__.py
- Rename test_prompt_injection_combined.py -> test_prompt_injection_baseline_vs_protected.py
- Delete redundant test_prompt_injection_defense_extended.py
- Skip E2E tests by default (require RUN_BENCHMARK_TESTS=1)
- Reduce Ollama models to frontier only (granite4:tiny-h)
- Refactor to reduce code duplication in test files
- Update docstrings with cross-references
Test organization:
- test_prompt_injection_defense.py: Unit tests with mocks (CI, fast)
- test_prompt_injection_baseline_vs_protected.py: E2E baseline vs protected
- test_prompt_injection_token_benchmark.py: Token usage benchmarks
To run E2E tests with real models:
RUN_BENCHMARK_TESTS=1 uv run pytest tests/unit_tests/agents/middleware/implementations/test_prompt_injection_* -svv
- test_prompt_injection_combined.py: single test shows both baseline
vulnerability and protected status for each model/payload
- test_prompt_injection_token_benchmark.py: measures token usage across
no_defense, check_only, parse_only, and combined strategies
- Create conftest.py with shared tools, payloads, fixtures, and helpers
- Consolidate extended tests into simple parametrized test classes
- Add multi_language and json_injection to test cases (5 total attacks)
- Baseline and protected tests now use same test cases for comparison
- 65 tests each: 5 attacks × 13 models (3 OpenAI, 3 Anthropic, 7 Ollama)
- Remove unused SystemMessage import
- Fix reference to non-existent e2e test file
- Add anthropic_model to all parameterized security tests
- Now tests both OpenAI (gpt-5.2) and Anthropic (claude-sonnet-4-5)
Implements defense against indirect prompt injection attacks from external/untrusted
data sources (tool results, web content, etc.) based on the paper:
'Defense Against Indirect Prompt Injection via Tool Result Parsing'
https://arxiv.org/html/2601.04795v1
Features:
- Pluggable DefenseStrategy protocol for extensibility
- Built-in strategies: CheckToolStrategy, ParseDataStrategy, CombinedStrategy
- Factory methods for recommended configurations from paper
- Focuses on tool results as primary attack vector
- Extensible to other external data sources in the future
Key components:
- PromptInjectionDefenseMiddleware: Main middleware class
- DefenseStrategy: Protocol for custom defense implementations
- CheckToolStrategy: Detects and removes tool-triggering content
- ParseDataStrategy: Extracts only required data with format constraints
- CombinedStrategy: Chains multiple strategies together
Usage:
agent = create_agent(
'openai:gpt-4o',
middleware=[
PromptInjectionDefenseMiddleware.check_then_parse('openai:gpt-4o'),
],
)
Implementations using yield return generators, which are of type
`Iterator`.
This is technically a breaking change for implementers, however, known
existing implementations (in `langchain-community`) use `yield`, so they
already return `Iterator`s. For callers, it is not breaking.
Closes#25718
it looks scary but i promise it is not
improving documentation consistency across core. primarily update
docstrings and comments for better formatting, readability, and
accuracy, as well as add minor clarifications and formatting
improvements to user-facing documentation.
it looks scary but i promise it is not
improving documentation consistency across langchain. primarily update
docstrings and comments for better formatting, readability, and
accuracy, as well as add minor clarifications and formatting
improvements to user-facing documentation.
Update broken contributing links in AGENTS.md and CLAUDE.md
Description:
Update internal references from .github/CONTRIBUTING.md to [Contributing
Guide] to fix navigation issues for local contributors.
Proposed Changes
AGENTS.md: Change [.github/CONTRIBUTING.md] link text to [Contributing
Guide] since the file path is not present in the local root.
CLAUDE.md: Change [.github/CONTRIBUTING.md] link text to [Contributing
Guide] for consistency.
Reasoning:
Users following these docs locally often find the specific file path
.github/CONTRIBUTING.md confusing or "broken" in markdown previews that
don't resolve the .github hidden directory correctly. Using the
descriptive label "Contributing Guide" is more user-friendly and
standard across the repo.
Checklist:
[x] Run make format, make lint and make test (N/A for these doc-only
changes).
[x] PR title follows the format: TYPE(SCOPE): DESCRIPTION.
[x] I have read the [Contributing
Guide](https://www.google.com/search?q=https://github.com/langchain-ai/langchain/blob/master/.github/CONTRIBUTING.md).
(Replace this entire block of text)
Read the full contributing guidelines:
https://docs.langchain.com/oss/python/contributing/overview
Thank you for contributing to LangChain! Follow these steps to have your
pull request considered as ready for review.
1. PR title: Should follow the format: TYPE(SCOPE): DESCRIPTION
- Examples:
- fix(anthropic): resolve flag parsing error
- feat(core): add multi-tenant support
- test(openai): update API usage tests
- Allowed TYPE and SCOPE values:
https://github.com/langchain-ai/langchain/blob/master/.github/workflows/pr_lint.yml#L15-L33
2. PR description:
- Write 1-2 sentences summarizing the change.
- If this PR addresses a specific issue, please include "Fixes
#ISSUE_NUMBER" in the description to automatically close the issue when
the PR is merged.
- If there are any breaking changes, please clearly describe them.
- If this PR depends on another PR being merged first, please include
"Depends on #PR_NUMBER" in the description.
3. Run `make format`, `make lint` and `make test` from the root of the
package(s) you've modified.
- We will not consider a PR unless these three are passing in CI.
Additional guidelines:
- We ask that if you use generative AI for your contribution, you
include a disclaimer.
- PRs should not touch more than one package unless absolutely
necessary.
- Do not update the `uv.lock` files or add dependencies to
`pyproject.toml` files (even optional ones) unless you have explicit
permission to do so by a maintainer.
…tring
(Replace this entire block of text)
Read the full contributing guidelines:
https://docs.langchain.com/oss/python/contributing/overview
Thank you for contributing to LangChain! Follow these steps to have your
pull request considered as ready for review.
1. PR title: Should follow the format: TYPE(SCOPE): DESCRIPTION
- Examples:
- fix(anthropic): resolve flag parsing error
- feat(core): add multi-tenant support
- test(openai): update API usage tests
- Allowed TYPE and SCOPE values:
https://github.com/langchain-ai/langchain/blob/master/.github/workflows/pr_lint.yml#L15-L33
2. PR description:
- Write 1-2 sentences summarizing the change.
- If this PR addresses a specific issue, please include "Fixes
#ISSUE_NUMBER" in the description to automatically close the issue when
the PR is merged.
- If there are any breaking changes, please clearly describe them.
- If this PR depends on another PR being merged first, please include
"Depends on #PR_NUMBER" in the description.
3. Run `make format`, `make lint` and `make test` from the root of the
package(s) you've modified.
- We will not consider a PR unless these three are passing in CI.
Additional guidelines:
- We ask that if you use generative AI for your contribution, you
include a disclaimer.
- PRs should not touch more than one package unless absolutely
necessary.
- Do not update the `uv.lock` files or add dependencies to
`pyproject.toml` files (even optional ones) unless you have explicit
permission to do so by a maintainer.
