Prompt Injection in Grape with Cockroachdb

Prompt injection becomes relevant in a Grape API when user-controlled input is used to construct dynamic prompts that are sent to an LLM endpoint, and that endpoint happens to be backed by a Cockroachdb instance for storing conversation context, user preferences, or session data. In this setup, an attacker can supply malicious input designed to alter the intended behavior of the LLM prompt, effectively injecting instructions that the model processes as if they originated from the system prompt. Because Cockroachdb may persist these user-supplied strings as part of application state, a stored prompt injection can repeatedly affect multiple users or sessions, amplifying the impact.

Consider a Grape endpoint that builds a prompt using user input before sending it to an LLM. If the prompt is constructed via string interpolation without validation or escaping, an attacker can include jailbreak patterns or role-changing instructions that shift the model’s behavior. For example, a user might submit a message that closes the original system instruction block and appends a new directive, such as ignoring prior constraints and returning sensitive data. With Cockroachdb involved, the injected prompt could be saved (e.g., in a user_message table), enabling persistent manipulation across requests. The LLM/AI Security checks in middleBrick specifically test for such system prompt extraction and instruction override via sequential probes, including attempts to exfiltrate data or exploit cost mechanisms. Even if Cockroachdb is used only as durable storage, failing to sanitize or strictly scope user input before it reaches the prompt-building logic exposes the API to injection, undermining the integrity of the LLM interactions.

middleBrick’s unauthenticated LLM endpoint detection can identify whether an exposed endpoint accepts crafted inputs that change prompt behavior. When combined with Cockroachdb, the risk is not only runtime manipulation but also persistence in the database, which may violate data integrity expectations in compliance frameworks such as GDPR or SOC2. Attack patterns like DAN jailbreak or cost exploitation become feasible if user messages are concatenated into prompts without proper segregation. Therefore, the integration of Grape, LLM endpoints, and Cockroachdb requires strict input validation, clear separation between system and user content, and runtime output scanning to detect PII, API keys, or executable code in LLM responses.

To mitigate prompt injection in Grape when using Cockroachdb, ensure that user input is never directly interpolated into prompts and that database operations enforce strict schemas and parameterized queries. The following example demonstrates a safer approach in a Grape resource, using explicit parameter binding and avoiding string-based prompt assembly.

# Gemfile
# gem 'pg'
# gem 'grape'
# gem 'activerecord'

require 'grape'
require 'active_record'

ActiveRecord::Base.establish_connection(
  adapter: 'cockroachdb',
  database: 'api_db',
  host: 'localhost',
  port: 26257,
  sslmode: 'require'
)

class UserMessage < ActiveRecord::Base
  self.table_name = 'user_messages'
  validates :user_id, presence: true
  validates :content, presence: true, length: { maximum: 2000 }
end

class Api < Grape::API
  format :json

  resource :chat do
    desc 'Post a message with strict input handling'
    params do
      requires :user_id, type: Integer, desc: 'User identifier'
      requires :content, type: String, desc: 'User message, length-limited'
    end
    post do'
      # Use ActiveRecord with bound parameters; no string interpolation
      UserMessage.create!(user_id: params[:user_id], content: params[:content])

      # Build prompt parts safely; do not concatenate raw user content
      system_prompt = 'You are a helpful assistant. Keep responses concise and factual.'
      user_prompt = params[:content].strip

      # Call LLM endpoint (pseudocode; replace with actual client)
      # llm_response = call_llm(system: system_prompt, user: user_prompt)
      llm_response = { text: 'Echo: ' + user_prompt[0..50] }

      { response: llm_response[:text] }
    end
  end
end

Key remediation points specific to Cockroachdb:

• Use schema-enforced tables with NOT NULL constraints on critical columns (e.g., user_id, content) to reduce ambiguous or malicious payloads.
• Apply length limits and allowlist validation on string fields before insertion; avoid storing raw user input in fields used for prompt construction without escaping.
• When reading from Cockroachdb to assemble prompts, treat stored data as untrusted and apply output encoding or filtering before including it in dynamic prompts.
• Enable database-side TLS and require strong authentication to prevent tampering at rest or in transit, which complements application-level input validation.

These steps align with the broader LLM/AI Security checks in middleBrick, which include system prompt leakage detection and active prompt injection testing. Even when using Cockroachdb as a backend store, the API’s behavior must ensure that user data cannot alter the intended instruction set of the LLM. MiddleBrick’s GitHub Action can be added to CI/CD pipelines to enforce security thresholds, and its MCP Server allows scanning APIs directly from development environments to catch such issues early.