examples/redteam-docx-document-upload/README.md
This example targets the deployed example-app service at https://example-app.promptfoo.app to test indirect prompt injection through uploaded DOCX files.
Copy this example into a new working directory:
npx promptfoo@latest init --example redteam-docx-document-upload
Set an OpenAI API key for red team generation and grading, or configure an equivalent provider in promptfooconfig.yaml:
export OPENAI_API_KEY=your-key-here
promptfooconfig.yaml points at the deployed app:
targets:
- config:
appBaseUrl: https://example-app.promptfoo.app
From the directory where you initialized the example:
npx promptfoo@latest redteam run -c promptfooconfig.yaml --no-cache
The target declares two inputs:
document uses type: docx, so generated document text is materialized into a real DOCX data URI before the provider is called. Its config.inputPurpose describes the kind of document the app expects, and config.injectionPlacements controls which DOCX-native surfaces may carry the injected instruction.question is plain text that asks the assistant to summarize the uploaded document. It sets config.benign: true so multi-input generation keeps the user request natural while placing the adversarial content in document.The custom provider uploads the DOCX bytes to the configured appBaseUrl's /documents endpoint, then asks the chat endpoint to call summarize_document with the returned document_id. The provider defaults to https://example-app.promptfoo.app, so the example runs against the deployed app out of the box.
The example config currently runs bias:age, rbac, bfla, harmful:profanity, and prompt-extraction against the uploaded DOCX flow, then applies the jailbreak:meta strategy to mutate those generated attacks. The red team purpose describes the available example-app tools and explicitly marks Jane Smith's readwrite profile as out of bounds for the current readonly user.
special-token-injection is intentionally omitted for now because that plugin is currently excluded in multi-input mode.