
Fix(chat): resolve empty-string TIN bypass masking with is not None guard#433

Open

Jean-Regis-M wants to merge 1 commit into GenAI-Security-Project:main from Jean-Regis-M:patch-35

Conversation

Contributor

@Jean-Regis-M Jean-Regis-M commented Mar 29, 2026

Summary

Fixes #408

Sensitive field masking skipped "" and 0 values due to Python
truthiness evaluation. Replaces falsy check with explicit is not None.

Problem

`if key in result and result[key]:` treats "" as False, allowing
an empty-string TIN to bypass the masking pipeline and be returned raw.
Affects tin, bank_account_number, bank_routing_number in both
VendorChatAssistant and CoPilotAssistant.

Root Cause

Truthiness guard `result[key]` evaluates falsy values ("", 0) as
False, skipping the masking block entirely.

Solution

Changed guard to `result[key] is not None` in both `_call_get_vendor_details`
implementations. Two-line diff, no other code touched.

Impact

  • No breaking changes
  • Minimal diff (2 lines across 2 locations)
  • Deterministic: all non-None sensitive fields now always masked
  • Zero regression risk on non-empty values

Testing

pytest tests/unit/agents/test_chat_assistant.py::TestQAFindings::test_chat_qa_002_empty_string_tin_not_masked -v
pytest tests/unit/agents/test_chat_assistant.py::TestQAFindings::test_chat_qa_003_integer_zero_tin_not_masked -v
pytest tests/unit/agents/test_chat_assistant.py -v

Root cause:
Truthiness guard `result[key]` evaluates "" and 0 as False, causing
masking to be skipped for empty-string or zero-value TIN/bank fields.

Solution:
Replace `result[key]` with `result[key] is not None` in both
VendorChatAssistant and CoPilotAssistant._call_get_vendor_details.

Impact:
Deterministic masking for all non-None sensitive field values.
None (absent/null) fields continue to pass through unchanged.
Zero regression risk on existing non-empty field behavior.

Signed-off-by: JEAN REGIS <240509606@firat.edu.tr>
@Jean-Regis-M Jean-Regis-M marked this pull request as ready for review March 29, 2026 19:05
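The truthiness bug the PR describes, reproduced side by side with the corrected guard. This is an added example for illustration, not code from the project or from the PR author: the field names come from the PR text, but `mask_value`, `SENSITIVE_FIELDS`, the keep-last-four masking scheme, the sample vendor records and the `leaked_fields` check are all assumptions made here to show the behaviour. The `leaked_fields` helper is the kind of regression check a reviewer could run over any masking path: it flags a sensitive field whenever the returned value is still equal to the raw value.

```python
"""Added example (not the project's code): falsy guard vs. `is not None` guard
in a sensitive-field masking step modelled on the PR description."""
from typing import Any, Dict, List

# Field names are taken from the PR text; the masking scheme is an assumption.
SENSITIVE_FIELDS = ("tin", "bank_account_number", "bank_routing_number")


def mask_value(value: Any) -> str:
    """Assumed masking scheme: keep the last four characters, star the rest.
    Short or empty values collapse to a fixed placeholder so that nothing raw
    (including "" and 0) ever reaches the caller."""
    text = str(value)
    if len(text) <= 4:
        return "****"
    return "*" * (len(text) - 4) + text[-4:]


def mask_vulnerable(result: Dict[str, Any]) -> Dict[str, Any]:
    """Guard as described in the PR's 'Problem' section (hypothetical name).
    `"" ` and `0` are falsy, so the masking block is skipped for them."""
    masked = dict(result)
    for key in SENSITIVE_FIELDS:
        if key in masked and masked[key]:          # falsy values slip through
            masked[key] = mask_value(masked[key])
    return masked


def mask_fixed(result: Dict[str, Any]) -> Dict[str, Any]:
    """Guard as described in the PR's 'Solution' section (hypothetical name).
    Only an absent/None field is passed through unchanged."""
    masked = dict(result)
    for key in SENSITIVE_FIELDS:
        if key in masked and masked[key] is not None:
            masked[key] = mask_value(masked[key])
    return masked


def leaked_fields(original: Dict[str, Any], response: Dict[str, Any]) -> List[str]:
    """Regression check (assumption): a sensitive field leaks when the value
    returned to the caller is still equal to the raw value it started with."""
    return [
        key for key in SENSITIVE_FIELDS
        if key in original
        and original[key] is not None
        and response.get(key) == original[key]
    ]


# Constructed sample records; the second one carries the falsy edge cases.
SAMPLE_RESULTS = [
    {"vendor_id": "V-1", "tin": "12-3456789",
     "bank_account_number": "000123456789", "bank_routing_number": "021000021"},
    {"vendor_id": "V-2", "tin": "",
     "bank_account_number": 0, "bank_routing_number": None},
]


if __name__ == "__main__":
    for record in SAMPLE_RESULTS:
        print(record["vendor_id"],
              "vulnerable leaks:", leaked_fields(record, mask_vulnerable(record)),
              "fixed leaks:", leaked_fields(record, mask_fixed(record)))
```

Running the block shows `V-2 vulnerable leaks: ['tin', 'bank_account_number'] fixed leaks: []`; the `None` routing number passes through untouched in both versions, which matches the PR's stated intent that absent or null fields are not masked.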

Development

Successfully merging this pull request may close these issues.

Bug_187_EVALUATE: CHAT-QA-002 — Empty-string TIN bypasses masking and is returned unmasked
