|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
import argparse |
|
import os |
|
import re |
|
import string |
|
from difflib import SequenceMatcher |
|
|
|
from .log import log |
|
import nltk |
|
from better_profanity import profanity |
|
|
|
from .guardrail_blocklist_utils import read_keyword_list_from_dir, to_ascii |
|
from .guardrail_core import ContentSafetyGuardrail, GuardrailRunner |
|
from .misc import misc, Color, timer |
|
|
|
DEFAULT_CHECKPOINT_DIR = "checkpoints/Cosmos-1.0-Guardrail/blocklist" |
|
CENSOR = Color.red("*") |
|
|
|
|
|
class Blocklist(ContentSafetyGuardrail): |
|
def __init__( |
|
self, |
|
checkpoint_dir: str = DEFAULT_CHECKPOINT_DIR, |
|
guardrail_partial_match_min_chars: int = 4, |
|
guardrail_partial_match_letter_count: float = 0.5, |
|
) -> None: |
|
nltk.data.path.append(os.path.join(checkpoint_dir, "nltk_data")) |
|
self.lemmatizer = nltk.WordNetLemmatizer() |
|
self.profanity = profanity |
|
self.checkpoint_dir = checkpoint_dir |
|
self.guardrail_partial_match_min_chars = guardrail_partial_match_min_chars |
|
self.guardrail_partial_match_letter_count = guardrail_partial_match_letter_count |
|
|
|
|
|
self.blocklist_words = read_keyword_list_from_dir(os.path.join(self.checkpoint_dir, "custom")) |
|
self.whitelist_words = read_keyword_list_from_dir(os.path.join(self.checkpoint_dir, "whitelist")) |
|
self.exact_match_words = read_keyword_list_from_dir(os.path.join(self.checkpoint_dir, "exact_match")) |
|
|
|
self.profanity.load_censor_words(custom_words=self.blocklist_words, whitelist_words=self.whitelist_words) |
|
log.debug(f"Loaded {len(self.blocklist_words)} words/phrases from blocklist") |
|
log.debug(f"Whitelisted {len(self.whitelist_words)} words/phrases from whitelist") |
|
log.debug(f"Loaded {len(self.exact_match_words)} exact match words/phrases from blocklist") |
|
|
|
def uncensor_whitelist(self, input_prompt: str, censored_prompt: str) -> str: |
|
"""Explicitly uncensor words that are in the whitelist.""" |
|
input_words = input_prompt.split() |
|
censored_words = censored_prompt.split() |
|
whitelist_words = set(self.whitelist_words) |
|
for i, token in enumerate(input_words): |
|
if token.strip(string.punctuation).lower() in whitelist_words: |
|
censored_words[i] = token |
|
censored_prompt = " ".join(censored_words) |
|
return censored_prompt |
|
|
|
def censor_prompt(self, input_prompt: str) -> tuple[bool, str]: |
|
"""Censor the prompt using the blocklist with better-profanity fuzzy matching. |
|
|
|
Args: |
|
input_prompt: input prompt to censor |
|
|
|
Returns: |
|
bool: True if the prompt is blocked, False otherwise |
|
str: A message indicating why the prompt was blocked |
|
""" |
|
censored_prompt = self.profanity.censor(input_prompt, censor_char=CENSOR) |
|
|
|
censored_prompt = self.uncensor_whitelist(input_prompt, censored_prompt) |
|
if CENSOR in censored_prompt: |
|
return True, f"Prompt blocked by censorship: Censored Prompt: {censored_prompt}" |
|
return False, "" |
|
|
|
@staticmethod |
|
def check_partial_match( |
|
normalized_prompt: str, normalized_word: str, guardrail_partial_match_letter_count: float |
|
) -> tuple[bool, str]: |
|
""" |
|
Check robustly if normalized word and the matching target have a difference of up to guardrail_partial_match_letter_count characters. |
|
|
|
Args: |
|
normalized_prompt: a string with many words |
|
normalized_word: a string with one or multiple words, its length is smaller than normalized_prompt |
|
guardrail_partial_match_letter_count: maximum allowed difference in characters (float to allow partial characters) |
|
|
|
Returns: |
|
bool: True if a match is found, False otherwise |
|
str: A message indicating why the prompt was blocked |
|
""" |
|
prompt_words = normalized_prompt.split() |
|
word_length = len(normalized_word.split()) |
|
max_similarity_ratio = (len(normalized_word) - float(guardrail_partial_match_letter_count)) / float( |
|
len(normalized_word) |
|
) |
|
|
|
for i in range(len(prompt_words) - word_length + 1): |
|
|
|
substring = " ".join(prompt_words[i : i + word_length]) |
|
similarity_ratio = SequenceMatcher(None, substring, normalized_word).ratio() |
|
if similarity_ratio >= max_similarity_ratio: |
|
return ( |
|
True, |
|
f"Prompt blocked by partial match blocklist: Prompt: {normalized_prompt}, Partial Match Word: {normalized_word}", |
|
) |
|
|
|
return False, "" |
|
|
|
@staticmethod |
|
def check_against_whole_word_blocklist( |
|
prompt: str, |
|
blocklist: list[str], |
|
guardrail_partial_match_min_chars: int = 4, |
|
guardrail_partial_match_letter_count: float = 0.5, |
|
) -> bool: |
|
""" |
|
Check if the prompt contains any whole words from the blocklist. |
|
The match is case insensitive and robust to multiple spaces between words. |
|
|
|
Args: |
|
prompt: input prompt to check |
|
blocklist: list of words to check against |
|
guardrail_partial_match_min_chars: minimum number of characters in a word to check for partial match |
|
guardrail_partial_match_letter_count: maximum allowed difference in characters for partial match |
|
|
|
Returns: |
|
bool: True if a match is found, False otherwise |
|
str: A message indicating why the prompt was blocked |
|
""" |
|
|
|
normalized_prompt = re.sub(r"\s+", " ", prompt).strip().lower() |
|
|
|
for word in blocklist: |
|
|
|
normalized_word = re.sub(r"\s+", " ", word).strip().lower() |
|
|
|
|
|
if re.search(r"\b" + re.escape(normalized_word) + r"\b", normalized_prompt): |
|
return True, f"Prompt blocked by exact match blocklist: Prompt: {prompt}, Exact Match Word: {word}" |
|
|
|
|
|
if len(normalized_word) >= guardrail_partial_match_min_chars: |
|
match, message = Blocklist.check_partial_match( |
|
normalized_prompt, normalized_word, guardrail_partial_match_letter_count |
|
) |
|
if match: |
|
return True, message |
|
|
|
return False, "" |
|
|
|
def is_safe(self, input_prompt: str = "") -> tuple[bool, str]: |
|
"""Check if the input prompt is safe using the blocklist.""" |
|
|
|
if not input_prompt: |
|
return False, "Input is empty" |
|
input_prompt = to_ascii(input_prompt) |
|
|
|
|
|
censored, message = self.censor_prompt(input_prompt) |
|
if censored: |
|
return False, message |
|
|
|
|
|
tokens = nltk.word_tokenize(input_prompt) |
|
lemmas = [self.lemmatizer.lemmatize(token) for token in tokens] |
|
lemmatized_prompt = " ".join(lemmas) |
|
censored, message = self.censor_prompt(lemmatized_prompt) |
|
if censored: |
|
return False, message |
|
|
|
|
|
censored, message = self.check_against_whole_word_blocklist( |
|
input_prompt, |
|
self.exact_match_words, |
|
self.guardrail_partial_match_min_chars, |
|
self.guardrail_partial_match_letter_count, |
|
) |
|
if censored: |
|
return False, message |
|
|
|
|
|
return True, "Input is safe" |
|
|
|
|
|
def parse_args(): |
|
parser = argparse.ArgumentParser() |
|
parser.add_argument("--prompt", type=str, required=True, help="Input prompt") |
|
parser.add_argument( |
|
"--checkpoint_dir", |
|
type=str, |
|
help="Path to the Blocklist checkpoint folder", |
|
default=DEFAULT_CHECKPOINT_DIR, |
|
) |
|
return parser.parse_args() |
|
|
|
|
|
def main(args): |
|
blocklist = Blocklist(checkpoint_dir=args.checkpoint_dir) |
|
runner = GuardrailRunner(safety_models=[blocklist]) |
|
with timer("blocklist safety check"): |
|
safety, message = runner.run_safety_check(args.prompt) |
|
log.info(f"Input is: {'SAFE' if safety else 'UNSAFE'}") |
|
log.info(f"Message: {message}") if not safety else None |
|
|
|
|
|
if __name__ == "__main__": |
|
args = parse_args() |
|
main(args) |
|
|
