Validation Engine¶
The validation engine answers a single question: does the hidden payload survive extraction by the target RAG framework? A payload that gets stripped during document loading never reaches the LLM and is therefore useless. Validation eliminates guesswork by simulating the exact text extraction behavior of LangChain, LlamaIndex, Unstructured.io, and Haystack against your crafted documents.
Why Validation Matters¶
RAG pipelines follow a consistent pattern: ingest a document, extract its text, chunk the text, embed the chunks, and store them in a vector database. The extraction step is where most hiding techniques either survive or die.
Each framework uses different libraries and heuristics for extraction:
- LangChain uses
BeautifulSoup.get_text()for HTML,python-docxfor DOCX, and basic text extraction for PDF. It tends to be the most permissive. - LlamaIndex uses
html2textfor HTML (more aggressive stripping) and similar DOCX/PDF pipelines to LangChain. - Unstructured.io applies the most aggressive sanitization---stripping comments, hidden elements,
aria-hiddencontent, annotations, metadata, and zero-width Unicode characters. - Haystack uses converter components (
HTMLToDocument,PyPDFToDocument,DocxToDocument) with behavior similar to LangChain for most formats.
A technique that passes LangChain validation may fail against Unstructured. The validation engine lets you test against all four without deploying real framework infrastructure.
Validation Pipeline¶
flowchart LR
A["Crafted Document<br/>(bytes)"] --> B{"Select Framework"}
B -->|langchain| C["LangChain Extractor"]
B -->|llamaindex| D["LlamaIndex Extractor"]
B -->|unstructured| E["Unstructured Extractor"]
B -->|haystack| E2["Haystack Extractor"]
C --> F["Extracted Text"]
D --> F
E --> F
E2 --> F
F --> G{"Payload Found?"}
G -->|Yes| H["ValidationResult<br/>PayloadFound: true"]
G -->|No| I["ValidationResult<br/>PayloadFound: false"]The engine operates entirely in Go with zero Python dependencies. Each framework's extraction behavior is replicated based on documented library behavior and empirical testing against real framework output.
CLI Usage¶
hemlock validate \
--file ./test-docs/poisoned-css-hide-001.html \
--payload "Ignore all previous instructions." \
--framework langchain
hemlock validate \
--file ./test-docs/poisoned-css-hide-001.html \
--payload "Ignore all previous instructions." \
--framework llamaindex
hemlock validate \
--file ./test-docs/poisoned-css-hide-001.html \
--payload "Ignore all previous instructions." \
--framework unstructured
hemlock validate \
--file ./test-docs/poisoned-css-hide-001.html \
--payload "Ignore all previous instructions." \
--framework haystack
# Generate documents
hemlock craft \
--format docx \
--technique fontzero \
--payload override \
--output ./test-docs
# Validate each document
for f in ./test-docs/poisoned-fontzero-*.docx; do
hemlock validate \
--file "$f" \
--payload "Ignore all previous instructions." \
--framework langchain
done
Go API Usage¶
package main
import (
"fmt"
"log"
"github.com/professor-moody/hemlock/pkg/craft"
"github.com/professor-moody/hemlock/pkg/validate"
)
func main() {
// Generate a document
docs, err := craft.Craft(craft.CraftOptions{
Format: "docx",
Technique: "fontzero",
Payload: "override",
Count: 1,
})
if err != nil {
log.Fatal(err)
}
doc := docs[0]
// Validate against each framework
frameworks := []string{"langchain", "llamaindex", "unstructured", "haystack"}
for _, fw := range frameworks {
result, err := validate.Validate(
doc.Content, doc.Payload, doc.Format, fw,
)
if err != nil {
log.Printf(" %s: error: %v", fw, err)
continue
}
fmt.Printf(" %s: found=%t confidence=%s\n",
fw, result.PayloadFound, result.Confidence)
}
}
ValidationResult Struct¶
The Validate and ValidateFile functions return a *ValidationResult containing full details about the extraction outcome.
| Field | Type | Description |
|---|---|---|
Framework |
string |
The framework that was simulated ("langchain", "llamaindex", "unstructured", "haystack") |
PayloadFound |
bool |
Whether the exact payload string was found in the extracted text |
ExtractedText |
string |
The full text extracted by the simulated framework |
PayloadIndex |
int |
Character position of the payload in extracted text (-1 if not found) |
Confidence |
string |
Confidence level of the result: "high", "medium", or "low" |
Notes |
string |
Human-readable notes about the extraction behavior |
Confidence Levels¶
The Confidence field reflects how predictable the framework's extraction behavior is for the given format:
high--- The extraction behavior is well-understood and deterministic. The result reliably reflects what the real framework would do.medium--- The extraction behavior varies across library versions or has edge cases. The result is likely accurate but should be confirmed against the real framework.low--- The extraction behavior is aggressive and difficult to predict exactly. Use real framework testing to confirm.
Confidence Semantics
When PayloadFound is false, the confidence indicates how certain hemlock is that the payload was actually stripped (not a false negative). When PayloadFound is true, the confidence indicates how reliably the real framework would also extract the payload.
Supported Frameworks¶
| Framework | Simulation Approach | Aggressiveness |
|---|---|---|
langchain |
BeautifulSoup tag stripping, python-docx w:t + metadata extraction, basic PDF text extraction with annotations |
Low |
llamaindex |
html2text aggressive stripping, w:t text extraction (no metadata), PDF text + annotations |
Medium |
unstructured |
Full sanitization: hidden elements, aria-hidden, comments, zero-width chars stripped; DOCX text only; PDF text only (no annotations/metadata) | High |
haystack |
Converter components (HTMLToDocument, PyPDFToDocument, DocxToDocument) with behavior similar to LangChain for most formats |
Low |
Next Steps¶
- Framework Comparison --- Detailed extraction behavior and the full survival matrix
- Validate API Reference --- Complete function signatures and usage patterns
- Techniques --- How each hiding technique works at the format level