
fix(security): add token budget limiting and LLM validator sanitization#2057

Open
Mr-Neutr0n wants to merge 2 commits into 567-labs:main from Mr-Neutr0n:security/fix-retry-amplification-and-validator-injection

Conversation

@Mr-Neutr0n

Summary

Addresses security findings from issue #2056:

  1. Retry Amplification Mitigation (Medium severity)

    • Added optional token_budget parameter to create() calls
    • When set, retries will stop if cumulative tokens exceed the budget
    • New TokenBudgetExceeded exception provides detailed context (budget, tokens used, attempts)
    • Prevents runaway costs from adversarial/prompt-injected responses that always fail validation
  2. LLM Validator Injection Protection (Medium severity)

    • User values are now wrapped with explicit delimiters (---BEGIN VALUE--- / ---END VALUE---)
    • Delimiter characters in user input are escaped (```, ---)
    • Uses structured format that clearly separates user value from validation rules
    • Prevents prompt injection attacks that could manipulate validator decisions

Usage

```python
# New token_budget parameter to prevent retry amplification
try:
    response = client.chat.completions.create(
        response_model=StrictModel,
        max_retries=10,
        token_budget=10000,  # Stop if we use more than 10k tokens total
        ...
    )
except TokenBudgetExceeded as e:
    print(f"Stopped after {e.n_attempts} attempts, used {e.total_tokens_used} tokens")
```

Changes

  • instructor/core/exceptions.py: Added TokenBudgetExceeded exception
  • instructor/core/retry.py: Added token_budget parameter and get_total_tokens() helper
  • instructor/core/patch.py: Wired token_budget through to retry functions
  • instructor/validation/llm_validators.py: Added input sanitization and structured prompts
  • instructor/__init__.py: Exported TokenBudgetExceeded
  • Added tests for both security fixes

Test Plan

  • Added test_token_budget_exceeded and test_token_budget_exceeded_inherits_from_instructor_error to tests/test_exceptions.py
  • Added tests/test_security_fixes.py with tests for get_total_tokens() helper and sanitization logic
  • Syntax validation passes for all modified files

Fixes #2056

Address security findings from issue 567-labs#2056:

1. Retry Amplification Mitigation:
   - Add optional `token_budget` parameter to retry functions
   - Add `TokenBudgetExceeded` exception raised when budget is exceeded
   - Add `get_total_tokens()` helper to extract tokens from usage objects
   - Prevents runaway costs from adversarial responses that repeatedly
     fail validation

2. LLM Validator Injection Protection:
   - Add explicit delimiters around user values in validation prompts
   - Escape delimiter characters (```, ---) in user input
   - Use structured format to separate user value from validation rules
   - Prevents prompt injection attacks in llm_validator

Fixes 567-labs#2056
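The two mechanisms the description and commit message outline, a cumulative token budget over the retry loop and delimiter escaping around the validated value, as a stand-alone added illustration (not instructor's own code). `Usage`, `retry_with_budget`, `sanitize_value` and `always_invalid` are assumed names and shapes; only the budget-check semantics and the `---BEGIN VALUE---` / `---END VALUE---` markers come from the PR text.

```python
from dataclasses import dataclass
from typing import Any, Callable, Optional

@dataclass
class Usage:
    """Constructed stand-in for a provider usage object (assumed shape)."""
    prompt_tokens: int
    completion_tokens: int
    total_tokens: Optional[int] = None

class TokenBudgetExceeded(Exception):
    """Raised when cumulative tokens across retries exceed the budget."""
    def __init__(self, budget: int, total_tokens_used: int, n_attempts: int):
        super().__init__(f"budget {budget} exceeded after {n_attempts} attempts "
                         f"({total_tokens_used} tokens used)")
        self.budget, self.total_tokens_used, self.n_attempts = budget, total_tokens_used, n_attempts

def get_total_tokens(usage: Any) -> int:
    """Read total tokens from a usage object, falling back to prompt + completion."""
    if usage is None:
        return 0
    total = getattr(usage, "total_tokens", None)
    if total is None:
        total = getattr(usage, "prompt_tokens", 0) + getattr(usage, "completion_tokens", 0)
    return int(total)

def retry_with_budget(call: Callable[[], tuple], validate: Callable[[Any], bool],
                      max_retries: int, token_budget: Optional[int] = None):
    """Retry until validate() accepts; stop once cumulative tokens exceed token_budget."""
    total = 0
    for attempt in range(1, max_retries + 1):
        result, usage = call()
        total += get_total_tokens(usage)   # count every attempt, valid or not
        if validate(result):
            return result, total
        if token_budget is not None and total > token_budget:
            raise TokenBudgetExceeded(token_budget, total, attempt)
    raise ValueError(f"validation failed after {max_retries} attempts")

def sanitize_value(value: str) -> str:
    """Escape delimiter sequences, then wrap the value in explicit markers so the
    validator prompt can tell user data from validation instructions."""
    fence = "`" * 3  # triple backtick, built this way to keep the literal out of the markdown
    escaped = value.replace(fence, "\\`" * 3).replace("---", "\\-" * 3)
    return f"---BEGIN VALUE---\n{escaped}\n---END VALUE---"

def always_invalid(tokens_per_attempt: int) -> Callable[[], tuple]:
    """Constructed adversarial model: every response fails validation."""
    return lambda: ({"unexpected": "shape"}, Usage(tokens_per_attempt, 0))
```

With `max_retries=10` and `token_budget=10000`, a model that burns 4000 tokens per failing attempt is cut off after the third attempt instead of the tenth.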
@Mr-Neutr0n

Friendly follow-up - is there anything I can improve in this PR? Happy to address any feedback.

@Mr-Neutr0n

Friendly bump! Let me know if there's anything I should update or improve to help move this forward.


Successfully merging this pull request may close these issues.

Security: Retry amplification and LLM validator injection findings