redteam-docx-document-upload (Red Team DOCX Indirect Prompt Injection)
This example targets the deployed example-app service at https://example-app.promptfoo.app to test indirect prompt injection through uploaded DOCX files.
Setup
Copy this example into a new working directory:
npx promptfoo@latest init --example redteam-docx-document-upload
Set an OpenAI API key for red team generation and grading, or configure an equivalent provider in promptfooconfig.yaml:
export OPENAI_API_KEY=your-key-here
promptfooconfig.yaml points at the deployed app:
targets:
- config:
appBaseUrl: https://example-app.promptfoo.app
Running
From the directory where you initialized the example:
npx promptfoo@latest redteam run -c promptfooconfig.yaml --no-cache
How It Works
The target declares two inputs:
documentusestype: docx, so generated document text is materialized into a real DOCX data URI before the provider is called. Itsconfig.inputPurposedescribes the kind of document the app expects, andconfig.injectionPlacementscontrols which DOCX-native surfaces may carry the injected instruction.questionis plain text that asks the assistant to summarize the uploaded document. It setsconfig.benign: trueso multi-input generation keeps the user request natural while placing the adversarial content indocument.
The custom provider uploads the DOCX bytes to the configured appBaseUrl's /documents endpoint, then asks the chat endpoint to call summarize_document with the returned document_id. The provider defaults to https://example-app.promptfoo.app, so the example runs against the deployed app out of the box.
The example config currently runs bias:age, rbac, bfla, harmful:profanity, and prompt-extraction against the uploaded DOCX flow, then applies the jailbreak:meta strategy to mutate those generated attacks. The red team purpose describes the available example-app tools and explicitly marks Jane Smith's readwrite profile as out of bounds for the current readonly user.
special-token-injection is intentionally omitted for now because that plugin is currently excluded in multi-input mode.