Files
wehub-resource-sync 0d3cb498a3
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Waiting to run
Test and Publish Multi-arch Docker Image / test (push) Waiting to run
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Blocked by required conditions
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Blocked by required conditions
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Blocked by required conditions
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Blocked by required conditions
Validate Renovate Config / Validate Renovate Configuration (push) Waiting to run
CI / Shell Format Check (push) Has been cancelled
CI / Check Ruby (3.4) (push) Has been cancelled
CI / CI Config (push) Has been cancelled
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Has been cancelled
CI / Build on Node ${{ matrix.node }} (push) Has been cancelled
CI / Style Check (push) Has been cancelled
CI / Generate Assets (push) Has been cancelled
CI / Check Python (3.14) (push) Has been cancelled
CI / Check Python (3.9) (push) Has been cancelled
CI / Build Docs (push) Has been cancelled
CI / Code Scan Action (push) Has been cancelled
CI / Site tests (push) Has been cancelled
CI / webui tests (push) Has been cancelled
CI / Run Integration Tests (push) Has been cancelled
CI / Run Smoke Tests (push) Has been cancelled
CI / Go Tests (push) Has been cancelled
CI / Share Test (push) Has been cancelled
CI / Redteam (Production API) (push) Has been cancelled
CI / Redteam (Staging API) (push) Has been cancelled
CI / GitHub Actions Lint (push) Has been cancelled
CI / Check Ruby (3.0) (push) Has been cancelled
release-please / release-please (push) Has been cancelled
release-please / build (push) Has been cancelled
release-please / publish-npm (push) Has been cancelled
release-please / publish-npm-backfill (push) Has been cancelled
release-please / docker (push) Has been cancelled
release-please / publish-code-scan-action (push) Has been cancelled
release-please / attest-code-scan-action (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:24:08 +08:00

2.2 KiB

redteam-docx-document-upload (Red Team DOCX Indirect Prompt Injection)

This example targets the deployed example-app service at https://example-app.promptfoo.app to test indirect prompt injection through uploaded DOCX files.

Setup

Copy this example into a new working directory:

npx promptfoo@latest init --example redteam-docx-document-upload

Set an OpenAI API key for red team generation and grading, or configure an equivalent provider in promptfooconfig.yaml:

export OPENAI_API_KEY=your-key-here

promptfooconfig.yaml points at the deployed app:

targets:
  - config:
      appBaseUrl: https://example-app.promptfoo.app

Running

From the directory where you initialized the example:

npx promptfoo@latest redteam run -c promptfooconfig.yaml --no-cache

How It Works

The target declares two inputs:

  • document uses type: docx, so generated document text is materialized into a real DOCX data URI before the provider is called. Its config.inputPurpose describes the kind of document the app expects, and config.injectionPlacements controls which DOCX-native surfaces may carry the injected instruction.
  • question is plain text that asks the assistant to summarize the uploaded document. It sets config.benign: true so multi-input generation keeps the user request natural while placing the adversarial content in document.

The custom provider uploads the DOCX bytes to the configured appBaseUrl's /documents endpoint, then asks the chat endpoint to call summarize_document with the returned document_id. The provider defaults to https://example-app.promptfoo.app, so the example runs against the deployed app out of the box.

The example config currently runs bias:age, rbac, bfla, harmful:profanity, and prompt-extraction against the uploaded DOCX flow, then applies the jailbreak:meta strategy to mutate those generated attacks. The red team purpose describes the available example-app tools and explicitly marks Jane Smith's readwrite profile as out of bounds for the current readonly user.

special-token-injection is intentionally omitted for now because that plugin is currently excluded in multi-input mode.