From 7a1744b8535353ea722087efcb7e1771200f6a4b Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Wed, 24 Jun 2026 04:38:55 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20sanitize=20?= =?UTF-8?q?exception=20messages=20in=20boundary=20handlers?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Remove user-controlled input from error messages returned to clients in GraphQL resolvers and Bedrock Agent tools to prevent information leakage and reflected input vulnerabilities.
---
 templates/agent/handler.py | 6 +++---
 templates/graphql/handler.py | 4 ++--
 tests/agent/test_handler.py | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/templates/agent/handler.py b/templates/agent/handler.py
index f990c50..38938cb 100644
--- a/templates/agent/handler.py
+++ b/templates/agent/handler.py
@@ -32,11 +32,11 @@ def get_item(item_id: str) -> dict:
 try:
 item = repository.get_item(item_id)
 if not item:
- return {"error": f"Item {item_id} not found"}
+ return {"error": "Item not found"}
 return Item.model_validate(item).dump()
 except Exception as error:
 logger.error("Failed to get item", extra={"itemId": item_id}, exc_info=error)
- return {"error": f"Failed to get item with ID '{item_id}'"}
+ return {"error": "Failed to get item"}
 @tracer.capture_method
@@ -59,7 +59,7 @@ def create_item(item_id: str, name: str, description: str | None = None) -> dict
 return item
 except Exception as error:
 logger.error("Failed to create item", extra={"itemId": item_id}, exc_info=error)
- return {"error": f"Failed to create item with ID '{item_id}'"}
+ return {"error": "Failed to create item"}
 @logger.inject_lambda_context
diff --git a/templates/graphql/handler.py b/templates/graphql/handler.py
index e000537..0949fc5 100644
--- a/templates/graphql/handler.py
+++ b/templates/graphql/handler.py
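Review bot: Nothing in `get_item` of templates/agent/handler.py records that the client-facing strings are now deliberately static, so a later edit can easily put `item_id` back into the returned dict. A one-line comment above each return would pin the intent, e.g. `# Client-facing error stays static: request values go to the log via extra=, never into the response.` The same applies to the `create_item` return in this file and to both `raise RuntimeError(...)` lines in templates/graphql/handler.py. The caller-supplied `item_id` is still written through `extra={"itemId": item_id}`, which is the right sink provided the logger emits structured output; the logger setup is not visible here, so that is worth confirming. The body of `get_item` starts above this hunk.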
@@ -35,7 +35,7 @@ def get_item(id: str) -> dict | None:
 return Item.model_validate(item).dump()
 except Exception as error:
 logger.error("Failed to get item", extra={"itemId": id}, exc_info=error)
- raise RuntimeError(f"Failed to get item with ID '{id}'") from None
+ raise RuntimeError("Failed to get item") from None
 @app.resolver(type_name="Query", field_name="listItems")
@@ -70,7 +70,7 @@ def create_item(name: str) -> dict:
 return item
 except (ValidationError, Exception) as error:
 logger.error("Failed to create item", extra={"itemName": name}, exc_info=error)
- raise RuntimeError(f"Failed to create item with name '{name}'") from None
+ raise RuntimeError("Failed to create item") from None
 @logger.inject_lambda_context(correlation_id_path=correlation_paths.APPSYNC_RESOLVER)
diff --git a/tests/agent/test_handler.py b/tests/agent/test_handler.py
index 6859eb1..cf77f87 100644
--- a/tests/agent/test_handler.py
+++ b/tests/agent/test_handler.py
@@ -44,7 +44,7 @@ def test_handler_get_item_not_found():
 result = get_item("2")
 assert "error" in result
- assert "not found" in result["error"]
+ assert result["error"] == "Item not found"
 def test_handler_create_item(repository):
@@ -117,7 +117,7 @@ def test_error_handling_sanitization(mocker):
 assert "error" in result
 assert "Database connection failed" not in result["error"]
- assert "Failed to get item with ID '123'" in result["error"]
+ assert result["error"] == "Failed to get item"
 if __name__ == "__main__":
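Review bot: In `create_item` of templates/graphql/handler.py the clause `except (ValidationError, Exception)` is effectively just `except Exception`, so a rejected input and an internal failure now both surface as the same opaque `Failed to create item`, and the caller cannot tell whether to correct the input or retry. Handling validation first with its own static message keeps the sanitization and restores that distinction: `except ValidationError as error:` followed by `raise RuntimeError("Invalid item input") from None`, leaving `except Exception` for everything else. The validation branch should not forward the validator's own message, because that text may echo the submitted value, depending on the library. The start of the function is outside the hunk.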
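Review bot: `test_error_handling_sanitization` pins the sanitized message for the agent `get_item` only. Going by the diffstat, this patch adds no assertion for the agent `create_item` error path or for either GraphQL resolver, so an f-string creeping back into those three messages would not fail a test. An equivalent case per path would close the gap, for example `assert result["error"] == "Failed to create item"` after a forced repository failure, and for the resolvers a check that the raised `RuntimeError` text equals the static string. Adding `assert "123" not in result["error"]` here would also state the intent more directly than the equality alone. The test body starts outside the hunk, so coverage elsewhere in the file cannot be ruled out.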