fix(detectors): skip non-integer file_id in InflatedPaymentDetector#264
Open
stealthwhizz wants to merge 2 commits intoGenAI-Security-Project:mainfrom
Open
Conversation
Fixes GenAI-Security-Project#260: Prevents ValueError when invoice attachment has non-integer file_id. Problem In _get_attachment_file_ids, the list comprehension calls int(a["file_id"]) without validation. If file_id is a non-numeric string like "abc" or "1.5", float(actual) raises ValueError, crashing the detector coroutine. This allows an attacker to cause denial-of-detection by injecting a single malformed attachment. Root Cause The code lacks exception handling for the int() conversion. The isinstance and key-existence checks filter out non-dict entries and missing keys, but do not protect against non-numeric file_id values. The uncaught ValueError propagates through check_event, stopping all subsequent event evaluations. Solution Replace the list comprehension with an explicit loop that wraps int() in a try/except block catching ValueError and TypeError. On exception, the malformed entry is skipped. Valid entries are collected as before. This preserves existing behaviour for valid integer and string-integer file_ids.
There was a problem hiding this comment.
Pull request overview
This PR addresses #260 by hardening InflatedPaymentDetector._get_attachment_file_ids so malformed/non-integer file_id values in invoice attachments don’t raise ValueError and crash detection. It also includes unrelated changes to vendor data tools’ DB session handling.
Changes:
- Update
_get_attachment_file_idsto skip invalidfile_idvalues viatry/exceptaroundint(). - Add unit tests covering valid/invalid/mixed attachment
file_idinputs. - Refactor vendor data tools to use
get_db()instead ofdb_session()(introduces session lifecycle/rollback issues).
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
finbot/ctf/detectors/implementations/inflated_payment.py |
Avoids crashing on non-integer attachment file_id values by skipping invalid entries. |
tests/unit/ctf/test_inflated_payment_detector.py |
Adds targeted unit tests for _get_attachment_file_ids edge cases. |
finbot/tools/data/vendor.py |
Switches DB session acquisition to get_db(); currently risks connection leaks and bypasses rollback semantics. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #260: Prevents ValueError when invoice attachment has non-integer file_id.
Problem
In
_get_attachment_file_ids, the list comprehension callsint(a["file_id"])without validation. Iffile_idis a non-numeric string like"abc"or"1.5",int()raisesValueError, crashing the detector coroutine. This allows an attacker to cause denial-of-detection by injecting a single malformed attachment.Root Cause
The code lacks exception handling for the
int()conversion. Theisinstanceand key-existence checks filter out non-dict entries and missing keys, but do not protect against non-numericfile_idvalues. The uncaughtValueErrorpropagates throughcheck_event, stopping all subsequent event evaluations.Solution
Replace the list comprehension with an explicit loop that wraps
int()in atry/exceptblock catchingValueErrorandTypeError. On exception, the malformed entry is skipped. Valid entries are collected as before. This preserves existing behaviour for valid integer and string-integer file_ids.Test plan
pytest tests/unit/ctf/test_inflated_payment_detector.pypasses (10 tests)"abc","1.5",None) returns empty list or skips entry42,"42") still work