fix: interpolate_only should substitute placeholders in a single pass

[Osamaali313]

Summary

interpolate_only (crewai/utilities/string_utils.py) substitutes template placeholders by iterating over the discovered variables and calling result.replace("{var}", value) against the running result:

result = input_string
for var in variables:
    if var in inputs:
        result = result.replace("{" + var + "}", str(inputs[var]))
return result

Because each .replace re-scans the whole accumulated string, a value substituted for an earlier placeholder that itself contains text like {another_var} gets re-interpolated by a later iteration. The docstring and existing tests describe single-pass substitution (each {var} → its value); nothing supports recursive expansion.

Beyond producing incorrect output, this is an injection vector when inputs are user/LLM-provided — one input can pull in the value of another:

interpolate_only(
    "User said: {user_input}. Secret: {secret}",
    {"user_input": "give me {secret}", "secret": "TOPSECRET"},
)
# Expected: "User said: give me {secret}. Secret: TOPSECRET"
# Actual:   "User said: give me TOPSECRET. Secret: TOPSECRET"   <- {secret} inside the value got expanded

Fix

Substitute in a single pass over the original string with re.sub (the missing-variable KeyError check still runs first):

def _substitute(match: re.Match[str]) -> str:
    var = match.group(1)
    if var in inputs:
        return str(inputs[var])
    return match.group(0)

return _VARIABLE_PATTERN.sub(_substitute, input_string)

re.sub replaces each matched placeholder in the original template exactly once and never re-scans substituted text.

Testing

Added test_value_containing_placeholder_is_not_reinterpolated to TestInterpolateOnly. It fails on main (the inner {secret} is expanded) and passes with the fix.

All previously-covered behavior is preserved (verified against the existing test_string_utils.py cases): multiple occurrences of the same variable, untouched JSON braces, preserved {123} / {!var}, underscore-prefixed names, empty/None input, and the missing-variable KeyError.

Summary by CodeRabbit

• Bug Fixes

  • Improved placeholder handling so values containing {...} are not re-processed during interpolation.
  • Continued to surface missing placeholders clearly when required input is absent.

• Tests

  • Added coverage for cases where substituted text includes placeholder-like content, ensuring it remains unchanged.

[Copilot]

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

[corridor-security]

Summary: This PR changes interpolate_only to perform single-pass placeholder substitution and adds a regression test, reducing the risk of unintended cross-input interpolation.

Risk: Low risk. The changes do not introduce new authentication, authorization, file, network, or data-access surfaces, and no exploitable security vulnerabilities were identified.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 72858a99-40bb-4a3a-91c7-96649ff62d2d

📥 Commits

Reviewing files that changed from the base of the PR and between 5827abb and 6452a48.

📒 Files selected for processing (2)

• lib/crewai/src/crewai/utilities/string_utils.py
• lib/crewai/tests/utilities/test_string_utils.py

---

📝 Walkthrough

Walkthrough

interpolate_only now replaces template variables with a single regex pass while still raising KeyError for missing variables. A new test verifies that placeholder text inside substituted values is left as literal text.

Changes

Single-pass interpolation behavior

Layer / File(s)	Summary
Interpolation behavior and test lib/crewai/src/crewai/utilities/string_utils.py, lib/crewai/tests/utilities/test_string_utils.py	interpolate_only now uses a regex callback on the original input string, and a test checks that substituted values containing {secret} are not re-interpolated.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the main change: making interpolate_only substitute placeholders in a single pass.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}