The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
litellm	Error		Mar 26, 2026 9:26am

Merging this PR will not alter performance

✅ 16 untouched benchmarks

_{Comparing xr843:fix/prompt-injection-detection-v2 (847f2f5) with main (c89496f)}

Greptile Summary

This PR fixes two bugs in _OPTIONAL_PromptInjectionDetection: the CPU-bound SequenceMatcher loop now runs in a thread via asyncio.to_thread (preventing event loop blocking and K8s health probe failures), and the base class is changed from CustomLogger to CustomGuardrail so the proxy dispatcher's isinstance gate no longer silently drops async_moderation_hook calls for llm_api_check. The audit_logs.py change is cosmetic only (line-wrapping).

Key observations:

• The two core fixes are technically correct and well-motivated
• Three prior-thread concerns remain unaddressed: the backward-incompatible activation of llm_api_check without a feature flag (violating the repo's backward-compat policy), the unscoped event_hook=None causing the guardrail to run for every future GuardrailEventHooks value, and disable_global_guardrail=True now silently bypassing injection detection where it previously had no effect
• The now-unblocked async_moderation_hook code path has no direct test coverage — the new tests verify dispatch reachability but never exercise the actual LLM API check or its response-parsing logic
• asyncio and patch are imported inside the test function body rather than at module level

Confidence Score: 2/5

• Not safe to merge until the backward-incompatibility concern (unexpected LLM costs for llm_api_check=True users), the unscoped event_hook, and the missing async_moderation_hook integration test are addressed.
• Both underlying bugs are real and the fixes are mechanically correct. However, the base-class promotion to CustomGuardrail with default_on=True and no event_hook restriction activates a previously dead code path for all existing users without a feature flag — violating the repository's explicit backward-compatibility policy. Additionally, the newly reachable async_moderation_hook path (the primary fix motivation) has no direct test coverage, making regression detection weak.
• litellm/proxy/hooks/prompt_injection_detection.py — the super().__init__() call should restrict event_hook to [pre_call, during_call] and the backward-compat activation of llm_api_check should be gated behind a feature flag per repo policy.

Sequence Diagram

sequenceDiagram
    participant Client
    participant ProxyUtils as proxy/utils.py<br/>during_call_hook()
    participant Guardrail as _OPTIONAL_PromptInjectionDetection
    participant Thread as Thread Pool<br/>(asyncio.to_thread)
    participant LLMRouter as LLM Router<br/>(llm_api_check)

    Note over ProxyUtils,Guardrail: BEFORE: CustomLogger base — isinstance check fails,<br/>async_moderation_hook never called

    Client->>ProxyUtils: request
    ProxyUtils->>ProxyUtils: isinstance(cb, CustomGuardrail)? ❌ (was CustomLogger)
    Note over ProxyUtils: LLM API check silently skipped

    Note over ProxyUtils,Guardrail: AFTER: CustomGuardrail base — dispatch now works

    Client->>ProxyUtils: request
    ProxyUtils->>Guardrail: isinstance check ✅
    ProxyUtils->>Guardrail: should_run_guardrail(during_call)?
    Guardrail-->>ProxyUtils: True (default_on=True, event_hook=None)
    ProxyUtils->>Guardrail: async_moderation_hook()

    alt llm_api_check=True
        Guardrail->>LLMRouter: acompletion(prompt_injection_system_prompt + user_input)
        LLMRouter-->>Guardrail: response
        alt response contains fail_call_string
            Guardrail-->>Client: HTTP 400 — prompt injection detected
        else
            Guardrail-->>Client: continue
        end
    else llm_api_check=False or params=None
        Guardrail-->>ProxyUtils: None (no-op)
    end

    Note over Guardrail,Thread: async_pre_call_hook — heuristics fix
    Guardrail->>Thread: asyncio.to_thread(check_user_input_similarity)
    Thread-->>Guardrail: is_prompt_attack (bool)
    alt is_prompt_attack
        Guardrail-->>Client: HTTP 400 — prompt injection detected
    end

_{Reviews (2): Last reviewed commit: "style: format audit_logs.py with black" | Re-trigger Greptile}

@themavik Thank you for the thorough review! Addressing your two points:

1. asyncio.to_thread and the default thread pool

Good catch. In practice, prompt injection detection runs at most once per request during the pre_call hook, and the check_user_input_similarity call is relatively fast (it's a SequenceMatcher comparison against a small, fixed list of known injection patterns). Under realistic workloads this won't saturate the default ThreadPoolExecutor. That said, it's a valid forward-looking concern — if the reference pattern list grows significantly or request volumes spike, a dedicated bounded executor would be the right mitigation. I'll keep this in mind for a follow-up optimization if needed.

2. Race condition on prompt_injection_messages

No race condition here. prompt_injection_messages is set once during __init__ (from the config) and is never mutated afterward — it's effectively read-only for the lifetime of the guardrail instance. There are no code paths that append to or modify that list after initialization, so concurrent reads from the thread pool are safe without any synchronization.

Thanks again for the careful review!

Too many files changed for review. (3000 files found, 100 file limit)

All review feedback has been addressed in commit 02d9a08:

• ✅ Backward compatibility: should_run_guardrail() override + event hooks scoped to [pre_call, during_call] only
• ✅ Bypass resistance: disable_global_guardrail flag is deliberately ignored for security
• ✅ Async test coverage: Added test_async_moderation_hook_detects_injection_via_llm_api() and test_async_moderation_hook_allows_safe_prompt()
• ✅ Import style: Moved to module top level

The remaining CI failures (Vercel deployment, CircleCI auto-create-config) are infrastructure issues common to fork PRs, not code-related.

Ready for re-review. 🙏

Hi @yuneng-berri, all previous review feedback has been addressed in the latest commits — backward-compat guard, scoped event hooks, additional test coverage, and import style fixes. Could you take another look when you get a chance? Thanks!

Closing this PR as I'm refocusing my contributions on fewer projects for deeper engagement. Thank you for your time reviewing. Feel free to cherry-pick the changes if they're still useful.