From b5b067461b13d2eec7ad25d66fb9a406043a165c Mon Sep 17 00:00:00 2001
From: Sydney Lister
Date: Thu, 12 Feb 2026 15:55:51 -0500
Subject: [PATCH] fix: redact sensitive data from log messages to resolve CredScan alert
Remove user-provided content (queries, responses, tool definitions, exception messages) from log strings that flow into Geneva telemetry. This prevents database connection strings and other credentials embedded in user payloads from being flagged by CredScan.
Changes:
- Remove f-string interpolation of query/response/tool_definitions in warning and debug log messages
- Downgrade noisy agent-response warnings to debug level
- Sanitize upload error messages to emit only exception type name
- Chain original exception with 'from e'
Resolves ICM 738457593
---
 .../azure/ai/evaluation/_common/utils.py | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/sdk/evaluation/azure-ai-evaluation/azure/ai/evaluation/_common/utils.py b/sdk/evaluation/azure-ai-evaluation/azure/ai/evaluation/_common/utils.py
index d02b82741daf..f8374dd9d9a7 100644
--- a/sdk/evaluation/azure-ai-evaluation/azure/ai/evaluation/_common/utils.py
+++ b/sdk/evaluation/azure-ai-evaluation/azure/ai/evaluation/_common/utils.py
@@ -706,7 +706,7 @@ def reformat_conversation_history(query, logger=None, include_system_messages=Fa
 # Lower percentage of mode in Likert scale (73.4% vs 75.4%)
 # Lower pairwise agreement between LLMs (85% vs 90% at the pass/fail level with threshold of 3)
 if logger:
- logger.warning(f"Conversation history could not be parsed, falling back to original query: {query}")
+ logger.warning("Conversation history could not be parsed, falling back to original query")
 return query
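Review bot: Nothing at the `logger.warning` call in reformat_conversation_history records why the query is left out of the message, so a later edit could put `{query}` back without noticing the telemetry concern. I would add a comment above the call, `# Do not log query: user content may carry credentials into telemetry.` The same comment fits the debug calls in reformat_agent_response and reformat_tool_definitions. The function body starts outside this hunk, so whether the enclosing except clause binds the exception is not visible here.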
@@ -761,15 +761,15 @@ def reformat_agent_response(response, logger=None, include_tool_messages=False):
 # If no message could be extracted, likely the format changed, fallback to the original response in that case
 if logger:
 logger.debug(
- f"Empty agent response extracted, likely due to input schema change. Falling back to using the original response: {response}"
+ "Empty agent response extracted, likely due to input schema change. Falling back to original response"
 )
 return response
 return "\n".join(agent_response)
- except:
+ except Exception:
 # If the agent response cannot be parsed for whatever reason (e.g. the converter format changed), the original response is returned
 # This is a fallback to ensure that the evaluation can still proceed. See comments on reformat_conversation_history for more details.
 if logger:
- logger.debug(f"Agent response could not be parsed, falling back to original response: {response}")
+ logger.debug("Agent response could not be parsed, falling back to original response")
 return response
@@ -787,9 +787,7 @@ def reformat_tool_definitions(tool_definitions, logger=None):
 # If the tool definitions cannot be parsed for whatever reason, the original tool definitions are returned
 # This is a fallback to ensure that the evaluation can still proceed. See comments on reformat_conversation_history for more details.
 if logger:
- logger.warning(
- f"Tool definitions could not be parsed, falling back to original definitions: {tool_definitions}"
- )
+ logger.debug("Tool definitions could not be parsed, falling back to original definitions")
 return tool_definitions
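Review bot: In reformat_agent_response the `except Exception:` branch discards the exception, and with the payload removed the debug line no longer says anything about why parsing failed. Binding the exception and logging only its class keeps the message free of user content while leaving something to triage with: `except Exception as e:` and `logger.debug("Agent response could not be parsed (%s), falling back to original response", type(e).__name__)`. That mirrors what this commit does for the upload error. The try block begins outside the hunk.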
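Review bot: The fallback in reformat_tool_definitions drops from `logger.warning` to `logger.debug`, while the equivalent fallback in reformat_conversation_history stays at warning, and the commit description only mentions downgrading agent-response messages, which were already at debug in the old code. Once the payload is gone the warning is no longer a CredScan concern, so the level change is a separate behaviour change: at default log levels a silent fallback to unparsed tool definitions will not be visible. Either keep `logger.warning("Tool definitions could not be parsed, falling back to original definitions")` or state the downgrade in the description.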
@@ -915,9 +913,9 @@ def upload(path: str, container_client: ContainerClient, logger=None):
 except Exception as e:
 raise EvaluationException(
- message=f"Error uploading file: {e}",
- internal_message=f"Error uploading file: {e}",
+ message=f"Error uploading file: {type(e).__name__}",
+ internal_message=f"Error uploading file: {type(e).__name__}",
 target=ErrorTarget.RAI_CLIENT,
 category=ErrorCategory.UPLOAD_ERROR,
 blame=ErrorBlame.SYSTEM_ERROR,
- )
+ ) from e
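Review bot: `) from e` keeps the original exception, with its full message, attached as `__cause__`, so the text removed from `message` and `internal_message` still appears wherever the chained traceback is rendered or logged (for example `logger.exception` or `exc_info=True` in a caller). Whether the telemetry path serialises only `message`/`internal_message` or the whole chain is not visible in this hunk and should be confirmed before relying on this for the CredScan fix. If the chain is kept for local debugging, a comment on the raise such as `# __cause__ still holds the raw error text; telemetry must record only message/internal_message` would make the constraint explicit. The try block starts outside the hunk.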