Fix adversarial chat target for Tense, Crescendo, and MultiTurn attack strategies#45776
Merged
slister1001 merged 12 commits intoAzure:mainfrom Mar 19, 2026
Merged
Fix adversarial chat target for Tense, Crescendo, and MultiTurn attack strategies#45776slister1001 merged 12 commits intoAzure:mainfrom
slister1001 merged 12 commits intoAzure:mainfrom
Conversation
Add explicit encoding='utf-8' to all file open() calls in the PyRIT result processing path. Without this, Windows defaults to the system locale encoding (charmap/cp1252), causing UnicodeDecodeError when reading JSONL files containing non-ASCII characters from UnicodeConfusable strategy or CJK languages. Fixes: Tests 1.7 (UnicodeConfusable), 1.16 (Japanese/Chinese) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Test CJK characters, Unicode confusables, and mixed scripts to prevent future regressions of the charmap encoding bug on Windows. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…GELOG Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…/azure-sdk-for-python into fix/redteam-encoding
The Foundry execution path was incorrectly passing the user's callback target as adversarial_chat_target to PyRIT's FoundryScenario. This caused PyRIT's TenseConverter to use the callback as its LLM for prompt rephrasing, resulting in the callback's fixed response leaking into converted_value and appearing as the user message in results. Changes: - Create AzureRAIServiceTarget with strategy-appropriate template key instead of reusing the user's callback target - Add _get_adversarial_template_key() to select the correct RAI service template per attack strategy (crescendo, multi-turn, or tense converter) - Show original_value for user messages in _build_messages_from_pieces() as defense-in-depth against converter output leaking into display - Add 9 regression tests covering template key selection, wiring verification, original_value display, and the exact reported bug - Fix existing test mocks to set original_value on user-role pieces Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
github-actions
bot
added
the
Evaluation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes Foundry-based red team execution so PyRIT’s adversarial_chat_target uses an AzureRAIServiceTarget (instead of the user’s callback target), preventing callback responses from leaking into converted prompts and ultimately into scan result “user message” content.
Changes:
- Updated
_execute_attacks_with_foundryto construct and pass anAzureRAIServiceTargetasadversarial_chat_target, selecting a template key based on attack strategies. - Updated Foundry result message construction to show
original_valuefor user messages (falling back toconverted_valuewhen needed). - Added regression unit tests and a changelog entry covering the callback-response leakage scenario.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
sdk/evaluation/azure-ai-evaluation/azure/ai/evaluation/red_team/_red_team.py |
Ensures Foundry adversarial chat uses AzureRAIServiceTarget and adds strategy→template selection helper. |
sdk/evaluation/azure-ai-evaluation/azure/ai/evaluation/red_team/_foundry/_foundry_result_processor.py |
Displays the original adversarial prompt for user messages to avoid showing converter/callback output. |
sdk/evaluation/azure-ai-evaluation/tests/unittests/test_redteam/test_foundry.py |
Updates existing mocks for original_value and adds new regression tests around adversarial chat wiring and message building. |
sdk/evaluation/azure-ai-evaluation/CHANGELOG.md |
Documents the bug fix in the unreleased section. |
You can also share your feedback on Copilot code review. Take the survey.
sdk/evaluation/azure-ai-evaluation/tests/unittests/test_redteam/test_foundry.py
Outdated
Show resolved
Hide resolved
sdk/evaluation/azure-ai-evaluation/tests/unittests/test_redteam/test_foundry.py
Outdated
Show resolved
Hide resolved
sdk/evaluation/azure-ai-evaluation/azure/ai/evaluation/red_team/_red_team.py
Show resolved
Hide resolved
sdk/evaluation/azure-ai-evaluation/azure/ai/evaluation/red_team/_red_team.py
Outdated
Show resolved
Hide resolved
- Convert _get_adversarial_template_key to @staticmethod - Pass crescendo_format=True when crescendo template is selected - Remove anti-pattern test and CentralMemory singleton leak - Update staticmethod test calls to not pass None as self Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
nagkumar91
approved these changes
Mar 18, 2026
Member
nagkumar91
left a comment
nagkumar91
left a comment
There was a problem hiding this comment.
Good bug fix. The root cause — user's callback being passed as adversarial_chat_target and leaking into converter output — is clearly identified and correctly fixed by creating a proper AzureRAIServiceTarget instead.
_get_adversarial_template_keylogic is sound —_validate_strategiesalready prevents Crescendo+MultiTurn coexistence, so the precedence concern is moot ✅original_valuepreference for user messages is a sensible defense-in-depth ✅crescendo_formatflag properly gated on template selection ✅- Tests are thorough: 9 regression tests covering template selection, wiring, original_value display, and the exact reported bug ✅
LGTM.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Please add an informative description that covers that changes made by the pull request and link all relevant issues.
If an SDK is being regenerated based on a new API spec, a link to the pull request containing these API spec changes should be included above.
All SDK Contribution checklist:
General Guidelines and Best Practices
Testing Guidelines