fix: six HIGH-priority hardening fixes (prompt-injection seal + 8-K storage + XML entity expansion)#165
Open
sroussey wants to merge 5 commits into
Open
fix: six HIGH-priority hardening fixes (prompt-injection seal + 8-K storage + XML entity expansion)#165sroussey wants to merge 5 commits into
sroussey wants to merge 5 commits into
Conversation
The prompt-injection seal around S-1/424 AI section extraction had two filer-controllable weak points: 1. The fence tag was a static literal (`UNTRUSTED_FILER_DOCUMENT`), so a filer could pre-stage a matching closing tag and end the fence early. The defang scan was case-insensitive but flat — only a single literal tag-shape was rewritten. 2. A model-emitted `source_span` was capped at the verifier (post- normalization) but persisted raw, so an attacker who slipped any verifier-passing row could ship unbounded raw bytes through the provenance column. This patch deepens the seal: - The fence tag carries a per-call 64-bit random nonce. The `UNTRUSTED_FILER_DOCUMENT_NONCE_<hex>` shape means a pre-staged closing tag in the prospectus cannot match the call's actual fence. - Before defang, the section body is HTML-entity-decoded (multi-pass, up to a fixed point), NFKC-normalized, and stripped of zero-width / bidi format chars. The defang scan matches any tag-shaped token whose alphabetic payload squashes to `UNTRUSTEDFILERDOCUMENT...`, so obfuscations via `<`, fullwidth letters, ZWSP, intra-tag spaces, and case-mixing all collapse to `[redacted-fence-tag]`. - A new `boundSourceSpan` caps stored spans at 1000 raw chars (returning `null` over the cap rather than truncating). A new `verifyRowSpan` rejects a span whose raw byte count exceeds the cap before the normalize-and-substring check runs, so a whitespace-inflated payload that would otherwise normalize under cap can no longer pass the gate. All `verifyRow:` callsites and `source_span:` persist sites in the S-1 storage and shared offering-sections layer route through these. - Bumps the S-1 extractor version to 1.3.0 and the 424 extractor version to 1.2.0: prompt-shape changes drift confidence calibration, and the span-storage shape changes too. Operators should run startDev/promote to roll the new version into production. Adds unit tests for `boundSourceSpan` / `verifyRowSpan` boundary cases, a 1500-raw-char whitespace-padded span dead-letter test in the storage layer, and obfuscation tests for fullwidth, HTML-entity, mixed-case + zero-width, intra-tag whitespace, wrong-nonce, and nonce uniqueness. Co-Authored-By: Claude <noreply@anthropic.com>
…ntity hardening
Four hardening fixes around the Form 8-K event-storage path:
1. fast-xml-parser entity expansion is disabled (`processEntities: false`)
on the shared Form XML parser. A filer-controlled SGML payload that
declared a chain of nested entity references would otherwise expand
into a multi-GB string ("billion laughs") and peg CPU at parse time.
A regression test feeds a 10-level billion-laughs DOCTYPE through
Form_8_K.parse and asserts the parse stays well under 50 ms.
2. EDGAR accession numbers cross trust boundaries unconstrained — the
filing-task input schema and the Form 8-K event table both accepted
any string, so an over-long or malformed accession could land in
storage. Introduces `TypeAccessionNumber()` (20-char fixed length,
`^\d{10}-\d{2}-\d{6}$`) and applies it at the
ProcessAccessionDocFormTask input and the event row schema.
3. The Form 8-K event row keyed `(cik, accession_number, item_code)` as
its primary key — a re-extract under a new extractor version would
overwrite the prior version's rows, erasing the time series. Switches
the table to a synthetic `event_id` AUTOINCREMENT PK plus an explicit
`(cik, accession_number, extractor_id, extractor_version, item_code)`
UNIQUE natural-key index, mirroring the PersonObservation /
CompanyObservation shape. Both extractor columns are now first-class
so coverage / drop-previous ceremonies can target a single version.
A one-shot legacy-schema migration drops the pre-versioned table on
the SQLite and Postgres paths (the natural-key PK cannot be ALTERed
away on either backend, and 8-K events are deterministic to re-extract).
4. `processForm8K` previously looped over items with one `put` per item,
so a mid-loop crash left the row set torn between old and new items
for the same (filing, version). Adds `Form8KEventRepo.replaceEvents`
— DELETE all rows for `(cik, accession_number, extractor_id,
extractor_version)` then bulk-insert the new set, wrapped in a
real transaction on the SQLite (better-sqlite3 `db.transaction`)
and Postgres (`BEGIN / COMMIT / ROLLBACK` on a checked-out client)
paths. The in-memory backend (tests only) is synchronous so a torn
write cannot interleave. A failure-injection test seeds a row,
then re-runs `replaceEvents` with a NOT NULL-violating second
insert and asserts the prior baseline is intact after rollback.
Also wires `extractor_id` + `extractor_version` through the task layer
into `processForm8K` so the same writer can run under any version slot.
Co-Authored-By: Claude <noreply@anthropic.com>
…B_TYPE token
In CI the 21 Form_8_K tests failed with `no such table: form_8k_events`
because `replaceForm8KEvents` was dispatching to `replaceSqlite` even
though the test harness had wired `FORM_8K_EVENT_REPOSITORY_TOKEN` to an
in-memory storage. The trigger was test-process global-DI contamination:
`FetchDailyIndexTask.test.ts` calls `EnvToDI()` at module-load time,
which registers `SEC_DB_TYPE = "sqlite"` in the `globalServiceRegistry`.
The ServiceRegistry has no unregister API, so once any earlier test in
the same Bun worker hits that path, `SEC_DB_TYPE` sticks for the rest of
the run. `resetDependencyInjectionsForTesting()` rebinds the repo tokens
to in-memory storages but cannot clear `SEC_DB_TYPE`, so the SQLite
branch in `replaceForm8KEvents` won and reached for `getDb()`, which
either fell over on an uninitialized SQLite handle (locally) or
write-attempted against a table that was never created (CI).
Fix: trust the actual repo. `InMemoryTabularStorage.isDurable()` returns
`false`; the production storages don't override it. When the resolved
repo is non-durable, take the repo path regardless of `SEC_DB_TYPE`.
This makes the dispatch correct even when global config and the
registered repo disagree, which is the steady-state in the test process.
Reproduces locally via:
bun test src/task/index/FetchDailyIndexTask.test.ts \\
src/sec/forms/miscellaneous-filings/Form_8_K.test.ts
(without the fix: 25 Form_8_K fails; with the fix: all 29 pass).
Co-Authored-By: Claude <noreply@anthropic.com>
Contributor
Author
|
CI's 21
Fix in Reproduced locally via Generated by Claude Code |
Resolves conflicts created by PR #166 (SPAC de-SPAC lifecycle / merger-proxy / redemption extraction) landing on main after this PR opened. Conflicts resolved: - src/sec/forms/miscellaneous-filings/Form_8_K.storage.ts - Function signature combines both side's additive params: extractor_id, extractor_version (this PR), fullSubmissionText, model (#166). - Event writes go through replaceEvents() (this PR), threading extractor_id + extractor_version into the version-scoped delete-then-insert. - SPAC milestone mapping + redemption extraction blocks from #166 follow unchanged after the events are persisted. - src/task/forms/ProcessAccessionDocFormTask.ts - Keep TypeAccessionNumber import (this PR), processMergerProxy + hasRedemptionTriggerItem imports (#166). - 8-K dispatch call site passes both extractor_id/extractor_version and fullSubmissionText into processForm8K; merger-proxy case from #166 follows. - src/sec/forms/registration-statements/s1/sectionExtractors.ts (auto-merged cleanly by git but the new extractMergerDeal / extractRedemption functions still called the pre-PR wrapUntrusted shape + UNTRUSTED_PREAMBLE constant, which this PR removed. Both updated to the nonce-fence API (wrapUntrusted -> { wrapped, nonce }, buildUntrustedPreamble(nonce)) so the new SPAC AI extractors get the per-call nonce fence + multi-stage defang for free. Without this, the prompts would interpolate as "[object Object]" and the model receives garbage. Verification: - targeted: bun test src/sec/forms/miscellaneous-filings/ \ src/sec/forms/proxies-information-statements/ src/task/forms/ \ src/storage/spac/ src/storage/form-8k-event/ \ src/sec/forms/registration-statements/ -> 229 pass / 0 fail. - full: bun test -> 1410 pass / 7 fail. All 7 fails are pre-existing FetchDailyIndexTask + FetchQuarterlyIndexTask 5000ms network timeouts unrelated to this PR (sandbox can't reach SEC.gov reliably). - bun run build -> clean (bun build + tsc, no errors). Co-Authored-By: Claude <noreply@anthropic.com>
Contributor
Author
|
Rebased onto main ( Conflicts resolved (all additive):
Verification on
CI will validate. Generated by Claude Code |
…e-fence API The new SPAC extractors added in PR #166 (extractMergerDeal, extractRedemption) called the pre-PR wrapUntrusted shape (returning a string) and the removed UNTRUSTED_PREAMBLE constant. After this PR swapped wrapUntrusted to return { wrapped, nonce } and replaced the constant with buildUntrustedPreamble(nonce), the surviving call sites template-interpolated UNTRUSTED_PREAMBLE as a free identifier -> compile error (TS2552), and even if the type had survived the { wrapped, nonce } object would have rendered as "[object Object]" in the prompt -> the model receives garbage and silently returns nothing (caught by Form_DEFM14A.storage.e2e.test.ts target_name=null assertions in the post-merge run). Both extractors now use the same nonce-fence + multi-stage defang as the other section extractors -- a forced consequence of the merge, extending the per-call nonce + entity decode + NFKC + zero-width strip protection to the new SPAC AI extractors at no extra design cost. Co-Authored-By: Claude <noreply@anthropic.com>
Contributor
Author
|
CI on Generated by Claude Code |
6 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Six HIGH-priority security / correctness fixes, split across two commits:
(per-call nonce fence, multi-stage defang, raw-byte source_span cap).
validation at trust boundaries, versioned PK so re-extracts don't clobber
history, transactional writes with rollback).
All 1339 tests pass; full build + tsc are clean.
Plan A — prompt-injection seal (commit 1)
fix(forms/s1): per-call nonce fence + raw-span cap + multi-stage defangThe static
<UNTRUSTED_FILER_DOCUMENT>fence tag and single-pass defangleft two avenues open:
(the defang was case-insensitive but flat — only one tag-shape was
rewritten, and obfuscations via HTML entities, fullwidth letters,
zero-width chars, or intra-tag whitespace slipped past).
source_spanwas capped only at the verifier(post-normalization). A row that passed verification could still
ship unbounded raw bytes into the provenance column.
This PR deepens the seal:
wrapUntrustedcall mints a 64-bitrandom hex nonce; the fence tag becomes
<UNTRUSTED_FILER_DOCUMENT_NONCE_<hex>>…</UNTRUSTED_FILER_DOCUMENT_NONCE_<hex>>.A pre-staged closing tag in the prospectus cannot match the actual
fence (the attacker doesn't know the nonce).
decoding (named + numeric, up to a fixed point), Unicode NFKC
normalization, and zero-width / bidi format-char stripping. The
defang scan then matches any tag-shaped token whose alphabetic
payload squashes to
UNTRUSTEDFILERDOCUMENT*and rewrites it to[redacted-fence-tag].boundSourceSpanreturnsnullfor spans over 1000 raw chars (rather than truncating); new
verifyRowSpanrejects over-cap spans BEFORE normalization, so awhitespace-inflated span that would otherwise normalize under cap
no longer passes the verifier. All 7
verifyRow:callsites and9
source_span:persist sites in the S-1 storage and sharedoffering-sections layer route through these.
1.2.0 → 1.3.0; 424 extractor1.1.0 → 1.2.0. Prompt-shape change drifts confidence calibration,and the span-storage shape changes too — operators should rotate.
New / extended tests: 10 unit tests for
boundSourceSpan/verifyRowSpanboundary cases; 9 prompt-injection tests covering thenonced fence, fullwidth, HTML-entity, mixed-case + ZWSP, intra-tag
whitespace, wrong-nonce, and nonce uniqueness; a 1500-raw-char
whitespace-padded storage-layer dead-letter test.
Plan B — Form 8-K storage (commit 2)
fix(forms/8-K): tx writes, versioned PK, accession unification, XML entity hardeningprocessEntities: falseon theshared Form XML parser. A filer-crafted "billion laughs" DOCTYPE
no longer expands to a multi-GB string. Regression test feeds a
10-level chain and asserts parse completes well under 50 ms.
TypeAccessionNumber()enforcesthe EDGAR 20-char
^\d{10}-\d{2}-\d{6}$shape at trust boundaries— applied to
ProcessAccessionDocFormTaskinput and the 8-K eventrow schema. Tests assert 21- and 22-char strings are rejected.
form_8k_eventsnow uses a syntheticevent_idAUTOINCREMENT PK;
extractor_idandextractor_versionarefirst-class columns; the natural key
(cik, accession_number, extractor_id, extractor_version, item_code)is enforced UNIQUE. Re-extracts under a new version no longer
overwrite the prior version's rows. New
getEventsByVersion()query helper.
Form8KEventRepo.replaceEvents()deletesevery row matching
(cik, accession_number, extractor_id, extractor_version)and bulk-inserts the new set inside a realtransaction (better-sqlite3
db.transactionon SQLite,BEGIN / COMMIT / ROLLBACKon a checked-out PG client). Mid-writefailure rolls both halves back; the table never carries a partial
item list for one
(filing, version). A SQLite failure-injectiontest verifies rollback.
Migration notes
The 8-K event table introduced in PR #68 had its PK changed from
(cik, accession_number, item_code)toevent_id. Neither SQLitenor Postgres can ALTER away a primary key, so a one-shot
migrateLegacyForm8KEventsTablestep (called fromsetupAllDatabasesbefore the table'ssetupDatabase()) detectsthe legacy shape (no
event_idcolumn) andDROPs the table. 8-Kevents are deterministic to re-extract from the filing's items list,
so re-running
sec fetch form <cik> 8-Krebuilds the data losslessly.Operator action
Roll the new extractor versions into production:
After upgrading, the legacy 8-K event table (if any) is dropped on
the next
setupAllDatabases()invocation — re-fetch any 8-K filingsthat were processed under the previous schema:
Files changed (broad strokes)
src/sec/forms/registration-statements/s1/sectionExtractors.ts—nonce fence + multi-stage defang
src/sec/forms/registration-statements/s1/verifySourceSpan.ts—boundSourceSpan/verifyRowSpan/MAX_STORED_SPAN_CHARSsrc/sec/forms/registration-statements/Form_S_1.storage.ts,src/sec/forms/registration-statements/s1/offeringSections.ts—swap all
verifyRow:andsource_span:sitessrc/sec/forms/registration-statements/Form_S_1.storage.ts,src/sec/forms/registration-statements/Form_424.storage.ts—version bumps
src/sec/forms/Form.ts—processEntities: falsesrc/sec/edgar/accessionNumber.ts(new) —TypeAccessionNumbersrc/task/forms/ProcessAccessionDocFormTask.ts— accessionvalidator at task input; pass
extractor_id+extractor_versioninto
processForm8Ksrc/storage/form-8k-event/Form8KEventSchema.ts— versioned PK,Form8KEventUniqueIndexessrc/storage/form-8k-event/Form8KEventRepo.ts— version-awarequery helpers +
replaceEventssrc/storage/form-8k-event/Form8KEventReplace.ts(new) —SQLite / PG transactional replace
src/storage/form-8k-event/Form8KEventLegacyMigration.ts(new) —drop legacy
form_8k_eventssrc/sec/forms/miscellaneous-filings/Form_8_K.storage.ts— usereplaceEvents, accept extractor version paramssrc/config/{DefaultDI,TestingDI,setupAllDatabases}.ts— wirenew unique index + legacy-migration step
Verification
🤖 Generated with Claude Code
Generated by Claude Code