Eval idea: Security code review for unicode attacks on code #787

Open
qrdlgit opened this issue Apr 24, 2023 · 0 comments
Labels
Idea for Eval These issues keep track of requests for different kinds of eval PRs

qrdlgit commented Apr 24, 2023

Describe the feature or improvement you're requesting

One thing a lot of people are using GPT4 for is security code review. Anyone with any experience in this area is astounded at its capabilities and the nuanced issues it raises. Companies are building products and features around this as we speak.

One area of security code review it seems to be a bit weak on though is unicode detection. For example, asking GPT4 for a list of unicode attacks and then re-feeding them back to GPT4 for a security code review, it only raises a concern on a few of them.

In that vein, I've come up with a few (what I believe to be) high quality and relevant examples, but it requires significant effort and expertise to make sure they are appropriately relevant and diverse, and I'm working on more to get to the 15 example bar.

There are relatively legitimate reasons why in certain cases GPT4 might ignore the issue and so just refeeding them in as I initially did above is not that helpful - though it was a useful proof of concept anyone can quickly do.

The approach I'm taking is to see if the word 'unicode' is included in the response when doing a sec review. I believe the term 'unicode' should be very high on the list of issues that it raises, as the usages I've crafted don't make sense unless someone is actively attacking the code.

Would that be sufficient?

Also, it may be this is a limitation of the browser client and not the GPT4 API which goes through different processing - though pushing GPT4 to self-refine it does finally find the unicode character in the original query. Using the browser developer tool for both network and inspect, I can also see the unicode being displayed and sent to the backend.

Perhaps the API is much better at this task, I don't know.

Finally, I'm concerned this might be on the list of 'known issues' due to BPE or something else, which might make the effort not yet relevant, which is perfectly fair.

Additional context

No response

andrew-openai added the "Idea for Eval" label Apr 26, 2023
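
A deterministic pre-scan can supply ground truth for the kind of eval discussed in this issue, by recording which code samples actually contain suspicious Unicode before a model's review is graded. The following is an added example, not code from the issue or from the evals project; the function names, the script heuristic and the sample are assumptions constructed for illustration.

```python
import re
import unicodedata

# Bidi embedding/override/isolate controls (U+202A-202E, U+2066-2069).
BIDI_CONTROLS = set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A))
IDENTIFIER = re.compile(r"[^\W\d]\w*")


def script_of(ch):
    """Rough script bucket taken from the Unicode character name (a heuristic)."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return None


def scan_source(text):
    """Return sorted (line, column, kind, codepoint) findings for suspicious characters."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            cp = ord(ch)
            if cp in BIDI_CONTROLS:
                findings.append((lineno, col, "bidi-control", f"U+{cp:04X}"))
            elif unicodedata.category(ch) == "Cf":
                # Other invisible format characters: zero-width space/joiner, BOM, ...
                findings.append((lineno, col, "invisible-format", f"U+{cp:04X}"))
        for match in IDENTIFIER.finditer(line):
            scripts = {script_of(c) for c in match.group()} - {None}
            if len(scripts) > 1:
                # Report the first character that is not Latin as the odd one out.
                odd = next(c for c in match.group() if script_of(c) not in (None, "LATIN"))
                findings.append((lineno, match.start() + 1, "mixed-script-identifier",
                                 f"U+{ord(odd):04X}"))
    return sorted(findings)


# Constructed sample, written with escapes so this file itself stays pure ASCII.
SAMPLE = (
    "def is_admin(user):\n"
    "    # check role \u202e first\n"
    "    r\u043ele = user.role\n"
    "    return role\u200b == 'admin'\n"
)

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(*finding)
```

The script check only distinguishes Latin, Cyrillic and Greek, so it is a coarse filter rather than a full confusables analysis.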