fix: use simultaneous regex substitution to prevent cross-placeholder injection

devin-ai-integration[bot] · jsonbailey · devin-ai-integration[bot] · commit b91fa467b6e2 · 2026-04-13T21:53:53.000Z
Co-Authored-By: jbailey@launchdarkly.com &lt;accounts@sidewaysgravity.com&gt;
diff --git a/packages/sdk/server-ai/src/ldai/judge/__init__.py b/packages/sdk/server-ai/src/ldai/judge/__init__.py
@@ -1,6 +1,7 @@
 """Judge implementation for AI evaluation."""
 
 import random
+import re
 from typing import Any, Dict, Optional
 
 from ldai import log
@@ -167,10 +168,11 @@ def _interpolate_message(self, content: str, variables: Dict[str, str]) -> str:
         :param variables: Variables to interpolate
         :return: Interpolated message content
         """
-        result = content
-        for key, value in variables.items():
-            result = result.replace('{{' + key + '}}', value)
-        return result
+        return re.sub(
+            r'\{\{(\w+)\}\}',
+            lambda match: variables.get(match.group(1), match.group(0)),
+            content,
+        )
 
     def _parse_evaluation_response(self, data: Dict[str, Any]) -> Dict[str, EvalScore]:
         """
diff --git a/packages/sdk/server-ai/tests/test_judge.py b/packages/sdk/server-ai/tests/test_judge.py
@@ -688,6 +688,17 @@ def test_multiple_placeholder_occurrences(self, tracker: LDAIConfigTracker, mock
         assert len(messages) == 1
         assert messages[0].content == 'HISTORY | HISTORY'
 
+    def test_cross_placeholder_injection(self, tracker: LDAIConfigTracker, mock_runner):
+        """A message_history value containing {{response_to_evaluate}} must not be expanded."""
+        template = 'History: {{message_history}}\nResponse: {{response_to_evaluate}}'
+
+        judge = self._make_judge(template, tracker, mock_runner)
+        messages = judge._construct_evaluation_messages('{{response_to_evaluate}}', 'REAL OUTPUT')
+
+        assert len(messages) == 1
+        assert messages[0].content == 'History: {{response_to_evaluate}}\nResponse: REAL OUTPUT', \
+            'literal {{response_to_evaluate}} in history value must not be expanded'
+
     def test_mustache_syntax_in_content(self, tracker: LDAIConfigTracker, mock_runner):
         """Mustache-like syntax inside history or response values is preserved verbatim."""
         template = 'History: {{message_history}}\nResponse: {{response_to_evaluate}}'
