BOLA chatbot #15

Merged: preetkaran20 merged 7 commits into main from try on May 4, 2026

preetkaran20 (Member) commented May 4, 2026

Summary by CodeRabbit

Release Notes

  • New Features

    • Added BOLA (Broken Object Level Access) vulnerability lab with three progressive difficulty levels demonstrating different access control bypass scenarios.
    • Introduced interactive chatbot interface for testing vulnerabilities in a medical information system context.
  • Refactor

    • Updated template management system to support per-level UI customization.
    • Extended chat completion capabilities with message-list-based API support.

preetkaran20 merged commit af068a5 into main May 4, 2026
preetkaran20 deleted the try branch May 4, 2026 00:50
coderabbitai Bot commented May 4, 2026

Caution

Review failed

The pull request is closed.


📥 Commits

Reviewing files that changed from the base of the PR and between 07bb859 and 852f1bc.

📒 Files selected for processing (18)
  • src/app.py
  • src/controllers/bola_chatbot_controller.py
  • src/controllers/indirect_prompt_injection_controller.py
  • src/controllers/prompt_injection_controller.py
  • src/framework/decorators.py
  • src/framework/registry.py
  • src/ollama_client.py
  • src/service/vulnerabilities/__init__.py
  • src/service/vulnerabilities/bola_chatbot_lab.py
  • src/static/facade/bola/bola_chatbot_level1.css
  • src/static/facade/bola/bola_chatbot_level1.html
  • src/static/facade/bola/bola_chatbot_level1.js
  • src/static/facade/bola/bola_chatbot_level2.css
  • src/static/facade/bola/bola_chatbot_level2.html
  • src/static/facade/bola/bola_chatbot_level2.js
  • src/static/facade/bola/bola_chatbot_level3.css
  • src/static/facade/bola/bola_chatbot_level3.html
  • src/static/facade/bola/bola_chatbot_level3.js

Walkthrough

This PR introduces a comprehensive BOLA (Broken Object Level Access) vulnerability lab for LLM-based applications. It adds a three-level chatbot demonstration with escalating access controls, a new FastAPI controller with level-specific POST endpoints, backend LLM orchestration using a planner/responder pattern, frontend UI assets for each level, and updates the template registry to support per-level HTML templates instead of fixed controller-level templates.

Changes

BOLA Chatbot Lab Feature

| Layer / File(s) | Summary |
|---|---|
| Framework & Enum: src/framework/decorators.py | Added VulnerabilityType.BOLA enum member for Broken Object Level Authorization vulnerability classification. |
| Lab Implementation: src/service/vulnerabilities/bola_chatbot_lab.py | New comprehensive lab with BOLAChatbotLevel dataclass, three evaluation levels (1–3) using a two-phase planner/responder orchestration pattern with mock patient data, helper functions for JSON parsing and context building, and evaluate_level/verify_level_secret exported functions. Levels differ in how patient ID selection is handled: Level 1 allows planner selection, Level 2 allows planner selection with prompt guard rails, Level 3 enforces backend authentication. |
| Service Exports: src/service/vulnerabilities/__init__.py | Imported and re-exported BOLA lab functions as BOLA_LEVELS, evaluate_bola_level, and verify_bola_level_secret. |
| Ollama Client Enhancement: src/ollama_client.py | Added new async function chat_completion_with_messages(...) to support explicit message-list-based chat requests to Ollama /api/chat endpoint. |
| FastAPI Controller: src/controllers/bola_chatbot_controller.py | New BOLAChatbotController class with three POST endpoints (level1, level2, level3) that parse user input/model from request JSON, invoke the corresponding lab evaluation, and return structured error responses for ValueError and network failures. Each endpoint registered with level-specific HTML template, BOLA vulnerability exposure type, and attack-vector/payload decorators. |
| App Bootstrap: src/app.py | Added import of BOLAChatbotController to ensure controller registration on startup. |
| Frontend Level 1: src/static/facade/bola/bola_chatbot_level1.* | HTML page displaying Level 1 challenge (no access controls), CSS styling for chatbot container/header/chat UI/input area/result panels, and JavaScript class/utilities for message handling, endpoint routing, and response parsing. |
| Frontend Level 2: src/static/facade/bola/bola_chatbot_level2.* | HTML page displaying Level 2 challenge (prompt-level guard rails), CSS styling (identical visual pattern to Level 1), and JavaScript implementation with same UI interaction model. |
| Frontend Level 3: src/static/facade/bola/bola_chatbot_level3.* | HTML page displaying Level 3 challenge (application-layer guard rails), CSS styling (identical visual pattern), and JavaScript implementation for secure-level chatbot interaction. |

Template Architecture Refactoring

| Layer / File(s) | Summary |
|---|---|
| Registry Template Resolution: src/framework/registry.py | Refactored get_facade_vulnerability_definitions to resolve html_template per vulnerability level (from level["html_template"]) instead of deriving a single controller-level template name, enabling each level to reference its own or a shared template. |
| Prompt Injection Template Consolidation: src/controllers/prompt_injection_controller.py | Updated all ten endpoint decorators (level1–level10) to reference shared html_template="prompt_injection_template" instead of level-specific templates (prompt_injection_level{N}). |
| Indirect Prompt Injection Template Consolidation: src/controllers/indirect_prompt_injection_controller.py | Updated all four endpoint decorators (level1–level4) to reference shared html_template="indirect_prompt_injection_template" instead of level-specific templates (indirect_prompt_injection_level{N}). |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

The changes introduce intricate LLM orchestration logic (planner/responder pattern with multi-level behavioral differences), span multiple subsystems (controller, lab service, registry, frontend), and include substantial frontend code (three complete chatbot UI implementations with HTML/CSS/JavaScript). The registry refactoring requires understanding the template resolution mechanism and its interaction with controller decorators. Heterogeneous changes across framework, service, and UI layers demand separate reasoning for each area.

Poem

🐰 A BOLA breach in three grand acts,
With planner-responder dialogue facts—
Templates now flex per-level bright,
While chatbots dance through access-right.
Guard rails rise, from weak to tight! 🔐

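Added example, not code from this PR or from the project: a minimal sketch of the difference the walkthrough describes between planner-selected patient IDs (Levels 1 and 2) and a backend-enforced ID (Level 3). The function names, the `patient_id` plan field, the session parameter and the mock records are all assumptions made for illustration.

```python
import json

# Constructed mock records; the lab's real data and field names are not shown on the page.
PATIENTS = {
    "P-1001": {"name": "Alice Example", "notes": "constructed record A"},
    "P-1002": {"name": "Bob Example", "notes": "constructed record B"},
}


class AccessDenied(Exception):
    """Raised when a plan references an object outside the caller's scope."""


def parse_plan(planner_output: str) -> dict:
    """Parse the planner's JSON reply; anything malformed becomes an empty plan."""
    try:
        plan = json.loads(planner_output)
    except json.JSONDecodeError:
        return {}
    return plan if isinstance(plan, dict) else {}


def fetch_record_planner_trusted(planner_output: str) -> dict:
    """Level 1/2 shape (hypothetical): the object ID comes from model output,
    so the only barrier is whatever the prompt asked the model to do."""
    patient_id = parse_plan(planner_output).get("patient_id")
    if not isinstance(patient_id, str) or patient_id not in PATIENTS:
        raise KeyError("unknown patient")
    return PATIENTS[patient_id]


def fetch_record_backend_enforced(session_patient_id: str, planner_output: str) -> dict:
    """Level 3 shape (hypothetical): the ID is bound to the authenticated
    session; a planner value that disagrees is rejected, never looked up."""
    requested = parse_plan(planner_output).get("patient_id", session_patient_id)
    if requested != session_patient_id:
        raise AccessDenied(f"plan requested {requested!r} outside caller scope")
    return PATIENTS[session_patient_id]
```

The check that matters is the comparison against the session-bound ID: it holds regardless of what the model was persuaded to emit, which a prompt-level guard rail cannot guarantee.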

github-actions Bot commented May 4, 2026

🎉 Thanks for contributing @preetkaran20!
We’d love to stay in touch and grow SasanLabs 🚀
👉 Please fill this (takes 30 sec):
https://docs.google.com/forms/d/e/1FAIpQLSfwWVdnULUhtfruA-DN328NwKnBGebaWg9U5y0xivLLxxoMog/viewform?usp=pp_url&entry.1414771947=preetkaran20
Also consider ⭐ starring the repo if you like it!

@coderabbitai coderabbitai Bot mentioned this pull request May 10, 2026