Browse Source
fix code injection (#1868)
### What problem does this PR solve? fix code injection in https://github.com/infiniflow/ragflow/issues/1860, developers can have a check to see if the fix works as expected. ### Type of change Vulnerability Fixtags/v0.10.0
Tong Liu
1 year ago
1 changed files with 2 additions and 1 deletions
+ 2
- 1
api/apps/llm_app.py
View File
| from api.utils.api_utils import get_json_result | from api.utils.api_utils import get_json_result | ||||
| from rag.llm import EmbeddingModel, ChatModel, RerankModel,CvModel | from rag.llm import EmbeddingModel, ChatModel, RerankModel,CvModel | ||||
| import requests | import requests | ||||
| import ast | |||||
| @manager.route('/factories', methods=['GET']) | @manager.route('/factories', methods=['GET']) | ||||
| @login_required | @login_required | ||||
| if factory == "VolcEngine": | if factory == "VolcEngine": | ||||
| # For VolcEngine, due to its special authentication method | # For VolcEngine, due to its special authentication method | ||||
| # Assemble volc_ak, volc_sk, endpoint_id into api_key | # Assemble volc_ak, volc_sk, endpoint_id into api_key | ||||
| temp = list(eval(req["llm_name"]).items())[0] | |||||
| temp = list(ast.literal_eval(req["llm_name"]).items())[0] | |||||
| llm_name = temp[0] | llm_name = temp[0] | ||||
| endpoint_id = temp[1] | endpoint_id = temp[1] | ||||
| api_key = '{' + f'"volc_ak": "{req.get("volc_ak", "")}", ' \ | api_key = '{' + f'"volc_ak": "{req.get("volc_ak", "")}", ' \ |
Loading…