[SECURITY]: Moving away from serialization and restricting eval scope in LLM Guard

[RinZ27]

I've been spending some time exploring the LLM Guard plugin implementation lately—the modular setup is really well put together. While digging through the logic, I spotted a few implementation details that might be worth revisiting to improve overall robustness.

The cache logic in llmguardplugin/cache.py currently relies on pickle. Since pickle.loads can execute arbitrary code if the data is ever tampered with, I think switching to something like json or msgpack would be a safer bet for serializing LLM responses and validation results.

I also noticed eval() being used in llmguardplugin/policy.py for policy evaluation. Even though it's likely intended for dynamic rules, raw eval feels a bit heavy-handed for this. It might be worth looking into ast.literal_eval or a restricted evaluator to ensure the logic stays contained and doesn't have unintended side effects.

I'm more than happy to help with a PR if you guys are open to these changes.

[crivetimihai]

Thanks for the thoughtful analysis, @RinZ27! You've identified two valid areas for improvement.

On pickle in cache.py: You're correct that pickle.loads poses a deserialization risk if Redis data were ever tampered with. We'd prefer using orjson here since it's already a project dependency—no need to add msgpack as a new external dependency.

On eval in policy.py: The current implementation does use AST parsing with a whitelist of allowed node types before evaluation, so it's not entirely unrestricted—but your point stands. A dedicated safe evaluator or ast.literal_eval (where applicable) would make the security posture more explicit and reduce the attack surface.

We'd welcome a PR addressing these. A few suggestions:

• For the cache, ensure orjson handles the tuple structures used by the Anonymizer/Deanonymizer vault (tuples serialize as arrays, so you may need conversion logic)
• For policy evaluation, consider whether the existing allowed operations (boolean logic, comparisons) can be preserved with the safer approach

Thanks again for digging into this!

[RinZ27]

Great point on orjson—using existing dependencies makes total sense. I'll make sure to handle the tuple-to-array conversion for the vault logic carefully. I'll also look into keeping the current boolean/comparison support while hardening the policy evaluation. Starting on the PR now, thanks!