DATA
6de0bf9f5b
Vendored deer-flow upstream (bytedance/deer-flow) plus prompt-injection hardening: - New deerflow.security package: content_delimiter, html_cleaner, sanitizer (8 layers — invisible chars, control chars, symbols, NFC, PUA, tag chars, horizontal whitespace collapse with newline/tab preservation, length cap) - New deerflow.community.searx package: web_search, web_fetch, image_search backed by a private SearX instance, every external string sanitized and wrapped in <<<EXTERNAL_UNTRUSTED_CONTENT>>> delimiters - All native community web providers (ddg_search, tavily, exa, firecrawl, jina_ai, infoquest, image_search) replaced with hard-fail stubs that raise NativeWebToolDisabledError at import time, so a misconfigured tool.use path fails loud rather than silently falling back to unsanitized output - Native client back-doors (jina_client.py, infoquest_client.py) stubbed too - Native-tool tests quarantined under tests/_disabled_native/ (collect_ignore_glob via local conftest.py) - Sanitizer Layer 7 fix: only collapse horizontal whitespace, preserve newlines and tabs so list/table structure survives - Hardened runtime config.yaml references only the searx-backed tools - Factory overlay (backend/) kept in sync with deer-flow tree as a reference / source See HARDENING.md for the full audit trail and verification steps.
21 KiB
21 KiB
DeerFlow Prompt Injection Protection Integration Plan
Based on OpenClaw Hardened Scripts Analysis
Date: 2026-04-11
Source Reference: ~/.openclaw/workspace-websearch/searx-scripts/ and ~/.openclaw/workspace-websearch/fetch-scripts/
Executive Summary
This document outlines the integration of OpenClaw-style prompt injection hardening into DeerFlow's web search and web fetch tools. The OpenClaw implementation demonstrates a defense-in-depth approach with multiple sanitization layers and clear content delimitation.
Current State: DeerFlow has NO prompt injection protection for web search/fetch results.
Target State: Multi-layer sanitization with content delimiters and hardened script execution.
1. Analysis of OpenClaw Protection Layers
1.1 Content Delimiter Pattern (CRITICAL)
OpenClaw wraps external content with explicit markers:
<<<EXTERNAL_UNTRUSTED_CONTENT>>>
{sanitized_search_results}
<<<END_EXTERNAL_UNTRUSTED_CONTENT>>>
Benefit: LLM can semantically distinguish between system instructions and untrusted external data.
1.2 Unicode Attack Surface Reduction
| Category | Characters | Purpose |
|---|---|---|
| Zero-width | \u200b-\u200f, \u2060-\u2064 |
Steganography, hidden payloads |
| BOM/Format | \ufeff, \ufffe |
Byte-order confusion |
| Control | \u00ad, \u034f |
Soft hyphen, grapheme joiner |
| Private Use | \uE000-\uF8FF |
Custom glyph substitution attacks |
| Tag Characters | \uE0000-\uE007F |
Unicode tag sequences |
1.3 HTML Threat Reduction
Removed elements: <script>, <style>, <noscript>, <header>, <footer>, <nav>, <aside>
1.4 Length Limiting
- Search results: 500 chars per field
- Fetch content: 10,000 chars (configurable)
2. Integration Architecture
2.1 High-Level Flow
┌─────────────────────────────────────────────────────────────┐
│ BEFORE (Current) │
│ │
│ Web Search/Fetch → Provider → JSON.dumps → LLM Prompt │
│ (NO SANITIZATION) │
└─────────────────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────────┐
│ AFTER (Target) │
│ │
│ Web Search/Fetch → Provider → Sanitizer → Delimited → LLM │
│ ↓ │
│ Multi-layer hardening │
└─────────────────────────────────────────────────────────────┘
2.2 Component Placement
deerflow/
└── security/
├── __init__.py
├── sanitizer.py # Core sanitization logic
├── content_delimiter.py # Delimiter wrapping
└── html_cleaner.py # HTML stripping for web_fetch
└── community/
└── searx/ # New hardened SearX provider
├── __init__.py
├── tools.py
└── client.py
3. Implementation Plan
Phase 1: Core Sanitization Module (Priority: HIGH)
File: backend/packages/harness/deerflow/security/sanitizer.py
"""Prompt injection hardening sanitizer based on OpenClaw patterns."""
import re
import unicodedata
from typing import Optional
class PromptInjectionSanitizer:
"""Sanitizes external content for safe LLM consumption."""
# Zero-width and invisible characters (OpenClaw pattern)
INVISIBLE_CHARS = [
'\u200b', '\u200c', '\u200d', '\u200e', '\u200f', # Zero-width spaces
'\u2060', '\u2061', '\u2062', '\u2063', '\u2064', # Word joiners
'\ufeff', '\ufffe', # BOM
'\u00ad', # Soft hyphen
'\u034f', # Combining grapheme
'\u061c', # Arabic letter mark
'\u115f', '\u1160', # Hangul fillers
'\u17b4', '\u17b5', # Khmer vowels
'\u180e', # Mongolian separator
'\u3164', # Hangul filler
'\uffa0', # Halfwidth Hangul
]
def sanitize(self, text: str, max_length: Optional[int] = None) -> str:
"""Apply all sanitization layers.
Args:
text: Raw text to sanitize
max_length: Optional maximum length (with ellipsis)
Returns:
Sanitized text safe for LLM prompts
"""
if not text:
return ''
# Layer 1: Remove invisible/zero-width characters
text = self._remove_invisible(text)
# Layer 2: Remove control characters (except \n, \t)
text = self._remove_control_chars(text)
# Layer 3: Remove symbols (So, Sk categories)
text = self._remove_symbols(text)
# Layer 4: Normalize Unicode (NFC)
text = unicodedata.normalize('NFC', text)
# Layer 5: Remove Private Use Area
text = self._remove_pua(text)
# Layer 6: Remove tag characters
text = self._remove_tag_chars(text)
# Layer 7: Collapse whitespace
text = re.sub(r'\s+', ' ', text).strip()
# Layer 8: Length limiting
if max_length and len(text) > max_length:
text = text[:max_length-3] + '...'
return text
def _remove_invisible(self, text: str) -> str:
for char in self.INVISIBLE_CHARS:
text = text.replace(char, '')
return text
def _remove_control_chars(self, text: str) -> str:
return ''.join(c for c in text
if unicodedata.category(c) != 'Cc' or c in '\n\t')
def _remove_symbols(self, text: str) -> str:
return ''.join(c for c in text
if unicodedata.category(c) not in ('So', 'Sk'))
def _remove_pua(self, text: str) -> str:
return ''.join(c for c in text
if not (0xE000 <= ord(c) <= 0xF8FF
or 0xF0000 <= ord(c) <= 0x10FFFF))
def _remove_tag_chars(self, text: str) -> str:
return ''.join(c for c in text
if not (0xE0000 <= ord(c) <= 0xE007F))
# Global instance
sanitizer = PromptInjectionSanitizer()
Phase 2: Content Delimiter (Priority: HIGH)
File: backend/packages/harness/deerflow/security/content_delimiter.py
"""Content delimiter wrapper for safe LLM prompt integration."""
from typing import Union
import json
# OpenClaw-style delimiters
START_DELIMITER = "<<<EXTERNAL_UNTRUSTED_CONTENT>>>"
END_DELIMITER = "<<<END_EXTERNAL_UNTRUSTED_CONTENT>>>"
def wrap_untrusted_content(content: Union[str, dict, list]) -> str:
"""Wrap external content with safety delimiters.
This creates a semantic boundary between system instructions
and untrusted external data, helping prevent prompt injection.
Args:
content: Raw content (string, dict, or list)
Returns:
Delimited string for LLM consumption
"""
if isinstance(content, (dict, list)):
text = json.dumps(content, indent=2, ensure_ascii=False)
else:
text = str(content)
return f"{START_DELIMITER}\n{text}\n{END_DELIMITER}"
def unwrap_trusted_content(delimited: str) -> str:
"""Extract content from delimiters (for testing/debugging).
Args:
delimited: Content wrapped in delimiters
Returns:
Raw content string
"""
lines = delimited.split('\n')
if lines[0] == START_DELIMITER and lines[-1] == END_DELIMITER:
return '\n'.join(lines[1:-1])
return delimited
Phase 3: HTML Cleaner for Web Fetch (Priority: HIGH)
File: backend/packages/harness/deerflow/security/html_cleaner.py
"""HTML-to-text extraction with security-focused stripping."""
from html.parser import HTMLParser
from typing import Optional
class SecureTextExtractor(HTMLParser):
"""Extract visible text while stripping potentially dangerous elements.
Based on OpenClaw's fetch.sh implementation.
"""
DANGEROUS_TAGS = {
'script', 'style', 'noscript',
'header', 'footer', 'nav', 'aside',
'iframe', 'object', 'embed', 'form',
}
def __init__(self):
super().__init__()
self.text = []
self.skip_depth = 0
def handle_starttag(self, tag, attrs):
if tag in self.DANGEROUS_TAGS:
self.skip_depth += 1
def handle_endtag(self, tag):
if tag in self.DANGEROUS_TAGS and self.skip_depth > 0:
self.skip_depth -= 1
def handle_data(self, data):
if self.skip_depth == 0:
self.text.append(data)
def get_text(self) -> str:
return ' '.join(self.text)
def extract_secure_text(html: str, max_chars: Optional[int] = None) -> str:
"""Extract clean text from HTML.
Args:
html: Raw HTML content
max_chars: Optional maximum length
Returns:
Clean text without dangerous elements
"""
extractor = SecureTextExtractor()
extractor.feed(html)
text = extractor.get_text()
# Collapse whitespace
import re
text = re.sub(r'[ \t]+', ' ', text)
text = re.sub(r'\n{3,}', '\n\n', text)
text = text.strip()
if max_chars and len(text) > max_chars:
text = text[:max_chars-3] + '...'
return text
Phase 4: Hardened SearX Provider (Priority: HIGH)
File: backend/packages/harness/deerflow/community/searx/tools.py
"""Hardened SearX web search and fetch tools."""
import json
import os
from urllib.parse import quote
import httpx
from langchain.tools import tool
from deerflow.config import get_app_config
from deerflow.security.content_delimiter import wrap_untrusted_content
from deerflow.security.sanitizer import sanitizer
from deerflow.security.html_cleaner import extract_secure_text
def _get_searx_config() -> dict:
"""Get SearX configuration from app config."""
config = get_app_config().get_tool_config("web_search")
return {
"url": config.model_extra.get("searx_url", "http://localhost:8888"),
"max_results": config.model_extra.get("max_results", 10),
}
@tool("web_search", parse_docstring=True)
def web_search_tool(query: str, max_results: int = 10) -> str:
"""Search the web using hardened SearX instance.
All results are sanitized against prompt injection attacks.
Args:
query: Search keywords
max_results: Maximum results to return (default 10)
"""
cfg = _get_searx_config()
searx_url = cfg["url"]
# URL-safe encoding
encoded_query = quote(query)
try:
response = httpx.get(
f"{searx_url}/search",
params={
"q": encoded_query,
"format": "json",
"max_results": min(max_results, cfg["max_results"]),
},
timeout=30.0
)
response.raise_for_status()
data = response.json()
except Exception as e:
return json.dumps({"error": f"Search failed: {e}"})
# Sanitize and limit results
results = []
for r in data.get("results", [])[:max_results]:
results.append({
"title": sanitizer.sanitize(r.get("title", "")),
"url": r.get("url", ""), # Keep URL intact
"content": sanitizer.sanitize(r.get("content", ""), max_length=500),
})
output = {
"query": query,
"total_results": len(results),
"results": results,
}
# Wrap with security delimiters
return wrap_untrusted_content(output)
@tool("web_fetch", parse_docstring=True)
async def web_fetch_tool(url: str, max_chars: int = 10000) -> str:
"""Fetch web page content with security hardening.
Dangerous HTML elements are stripped and content is sanitized.
Args:
url: URL to fetch
max_chars: Maximum characters to return (default 10000)
"""
try:
async with httpx.AsyncClient() as client:
response = await client.get(url, timeout=30.0)
response.raise_for_status()
html = response.text
except Exception as e:
return wrap_untrusted_content({"error": f"Fetch failed: {e}"})
# Extract text and sanitize
raw_text = extract_secure_text(html)
clean_text = sanitizer.sanitize(raw_text, max_length=max_chars)
# Wrap with security delimiters
return wrap_untrusted_content(clean_text)
Phase 5: Configuration Schema Update (Priority: MEDIUM)
Update: config.example.yaml
# ============================================================================
# Security-First Web Search Configuration
# ============================================================================
# Hardened SearX provider with prompt injection protection
tools:
# Hardened SearX web search (RECOMMENDED for private instances)
- name: web_search
group: web
use: deerflow.community.searx.tools:web_search_tool
searx_url: http://your-searx-instance:8888
max_results: 10
# Hardened web fetch
- name: web_fetch
group: web
use: deerflow.community.searx.tools:web_fetch_tool
4. Testing Strategy
4.1 Unit Tests
File: backend/tests/test_security_sanitizer.py
"""Tests for prompt injection sanitizer."""
import pytest
from deerflow.security.sanitizer import PromptInjectionSanitizer
class TestPromptInjectionSanitizer:
"""Test cases based on OpenClaw patterns."""
def test_removes_zero_width_spaces(self):
"""Zero-width characters are common steganography vectors."""
sanitizer = PromptInjectionSanitizer()
text = "Hello\u200bWorld\u200c" # ZWSP and ZWNJ
result = sanitizer.sanitize(text)
assert "\u200b" not in result
assert "\u200c" not in result
assert result == "HelloWorld"
def test_removes_control_chars(self):
"""Control chars can disrupt prompt parsing."""
sanitizer = PromptInjectionSanitizer()
text = "Hello\x00World\x01Test"
result = sanitizer.sanitize(text)
assert "\x00" not in result
assert "\x01" not in result
assert "Hello" in result
def test_preserves_newlines_and_tabs(self):
"""Structural characters should be preserved."""
sanitizer = PromptInjectionSanitizer()
text = "Line1\nLine2\tTabbed"
result = sanitizer.sanitize(text)
assert "\n" in result
assert "\t" in result
def test_truncates_long_content(self):
"""Length limiting prevents context overflow."""
sanitizer = PromptInjectionSanitizer()
text = "A" * 1000
result = sanitizer.sanitize(text, max_length=100)
assert len(result) == 100
assert result.endswith("...")
def test_handles_pua_characters(self):
"""Private Use Area chars can encode hidden data."""
sanitizer = PromptInjectionSanitizer()
text = "Hello\uE000World" # PUA start
result = sanitizer.sanitize(text)
assert "\uE000" not in result
class TestContentDelimiter:
"""Test delimiter wrapping."""
def test_wraps_dict_content(self):
from deerflow.security.content_delimiter import wrap_untrusted_content
content = {"title": "Test", "url": "http://example.com"}
result = wrap_untrusted_content(content)
assert "<<<EXTERNAL_UNTRUSTED_CONTENT>>>" in result
assert "<<<END_EXTERNAL_UNTRUSTED_CONTENT>>>" in result
assert "Test" in result
def test_wraps_string_content(self):
from deerflow.security.content_delimiter import wrap_untrusted_content
content = "Raw text from web"
result = wrap_untrusted_content(content)
assert "<<<EXTERNAL_UNTRUSTED_CONTENT>>>" in result
assert "Raw text from web" in result
4.2 Integration Tests
"""Integration tests for hardened web tools."""
import pytest
class TestHardenedSearxSearch:
"""Test hardened SearX search against prompt injection."""
def test_search_results_are_delimited(self):
"""Results must be wrapped in security delimiters."""
from deerflow.community.searx.tools import web_search_tool
result = web_search_tool("test query")
assert "<<<EXTERNAL_UNTRUSTED_CONTENT>>>" in result
assert "<<<END_EXTERNAL_UNTRUSTED_CONTENT>>>" in result
def test_malicious_content_is_sanitized(self):
"""Malicious payloads in search results are neutralized."""
# This would require mocking the SearX response
pass
class TestHardenedWebFetch:
"""Test hardened web fetch against XSS/prompt injection."""
def test_html_scripts_are_removed(self):
"""Script tags must be stripped."""
from deerflow.security.html_cleaner import extract_secure_text
html = "<p>Hello</p><script>alert('xss')</script><p>World</p>"
result = extract_secure_text(html)
assert "script" not in result.lower()
assert "alert" not in result
assert "Hello" in result
assert "World" in result
5. Deployment Plan
Step 1: Add Security Module
cd /home/data/deerflow-factory/deer-flow/backend/packages/harness/deerflow
mkdir -p security
# Create sanitizer.py, content_delimiter.py, html_cleaner.py
Step 2: Add SearX Provider
mkdir -p community/searx
# Create __init__.py, tools.py
Step 3: Update Dependencies
# Verify httpx is available (should be via langchain)
uv pip show httpx
Step 4: Configuration
- Copy
config.example.yamltoconfig.yaml - Replace
web_searchandweb_fetchtools with hardened SearX versions - Set
searx_urlto your private instance
Step 5: Testing
cd backend
uv run python -m pytest tests/test_security_sanitizer.py -v
uv run python -m pytest tests/test_searx_tools.py -v
6. Migration Guide for Existing Deployments
From DuckDuckGo/Tavily to Hardened SearX
-
Backup current config:
cp config.yaml config.yaml.pre-security.bak -
Update tools section:
# OLD (remove or comment) # - name: web_search # group: web # use: deerflow.community.ddg_search.tools:web_search_tool # NEW (add) - name: web_search group: web use: deerflow.community.searx.tools:web_search_tool searx_url: http://your-searx:8888 max_results: 10 -
Restart services:
make docker-restart # or make dev-restart
7. Verification Checklist
- Sanitizer unit tests pass
- Content delimiter tests pass
- HTML cleaner tests pass
- SearX search integration tests pass
- SearX fetch integration tests pass
- Malicious payload test: zero-width characters removed
- Malicious payload test: control characters removed
- Malicious payload test: script tags stripped
- Content delimiters present in output
- Private SearX instance responds correctly
- Configuration migration documented
8. References
OpenClaw Sources
~/.openclaw/workspace-websearch/searx-scripts/search.sh~/.openclaw/workspace-websearch/fetch-scripts/fetch.sh~/.openclaw/workspace-websearch/AGENTS.md~/.openclaw/workspace-websearch/SOUL.md
OWASP Resources
- OWASP Top 10 for LLM Applications: LLM01 (Prompt Injection)
- OWASP LLM Threats: https://genai.owasp.org/llm-top-10/
DeerFlow Integration Points
deerflow/community/ddg_search/tools.py(reference)deerflow/community/jina_ai/tools.py(reference)deerflow/guardrails/(existing security framework)
9. Summary
This integration plan brings OpenClaw's battle-tested prompt injection hardening to DeerFlow through:
- Content Delimiters: Clear semantic boundary markers
- Unicode Sanitization: Removal of zero-width and invisible characters
- HTML Threat Reduction: Stripping of dangerous elements
- Length Limiting: Context overflow protection
- Clean Architecture: Reusable security module
Estimated Effort: 2-3 days for full implementation and testing
Risk Level: LOW (additive changes, existing tools remain available)
Security Impact: HIGH (eliminates major prompt injection vector)