fix(invoice): prevent None agent_notes writing literal string to DB #266

Open

sshekhar-04 wants to merge 2 commits into GenAI-Security-Project:main from sshekhar-04:fix/bug-037-agent-notes-none-invoice

Conversation

@sshekhar-04

Problem

Fixes #139

When update_invoice_status and update_invoice_agent_notes are
called with agent_notes=None, f-string interpolation writes the
literal string "\n\nNone" into the invoice audit trail.

This pollutes forensic records and causes CTF detectors to produce
false positives.

Fix

Added or '' guard with .strip() on agent_notes before
f-string interpolation in both affected functions.

Before:

new_notes = f"{existing_notes}\n\n{agent_notes}"

After:

new_notes = f"{existing_notes}\n\n{agent_notes or ''}".strip()

Files Changed

  • finbot/tools/data/invoice.py — fixed 2 occurrences
  • tests/unit/tools/test_invoice.py — added 6 tests

Tests ✅

All 6 passing.

Closes #139
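As an added illustration (not code from this PR or the finbot project), the two forms of the join side by side, plus a hypothetical scan that finds audit entries already polluted by the literal marker so a DB cleanup can target them; the record shape and sample rows are constructed for this example.

```python
# Added example, not from the PR or the finbot project.
import re
from typing import Optional

def append_notes_before(existing_notes: str, agent_notes: Optional[str]) -> str:
    """Buggy form: None is interpolated as the literal text 'None'."""
    return f"{existing_notes}\n\n{agent_notes}"

def append_notes_after(existing_notes: str, agent_notes: Optional[str]) -> str:
    """Guarded form from the PR: None (and '') add nothing, then the whole
    string is stripped. Note the strip also trims leading/trailing whitespace
    that existing_notes itself may have carried."""
    return f"{existing_notes}\n\n{agent_notes or ''}".strip()

# A paragraph consisting solely of "None": the artifact the bug leaves behind.
# Plain "None" inside a sentence ("None of the items...") is not matched.
_POLLUTION_RE = re.compile(r"(?:^|\n\n)None(?=\n\n|$)")

def find_polluted_entries(audit_trail: list[dict]) -> list[str]:
    """Return invoice_ids whose notes still contain the literal marker.
    Hypothetical entry shape: {"invoice_id": str, "notes": str}."""
    return [e["invoice_id"] for e in audit_trail
            if _POLLUTION_RE.search(e["notes"] or "")]

# Constructed sample records, not real data.
SAMPLE_AUDIT_TRAIL = [
    {"invoice_id": "INV-0001", "notes": "approved by agent"},
    {"invoice_id": "INV-0002", "notes": "approved by agent\n\nNone"},
    {"invoice_id": "INV-0003", "notes": "\n\nNone\n\nNone"},
    {"invoice_id": "INV-0004", "notes": "None of the line items matched"},
]

if __name__ == "__main__":
    print(repr(append_notes_before("approved by agent", None)))
    print(repr(append_notes_after("approved by agent", None)))
    print(find_polluted_entries(SAMPLE_AUDIT_TRAIL))
```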


Development


Bug_037_MUST_FIX: Test Case INV-UPD-006 — update_invoice_status with agent_notes=None writes literal "None" into notes
