community[patch]: Patch tdidf retriever (CVE-2024-2057) (#18695)

This is a patch for `CVE-2024-2057`: https://www.cve.org/CVERecord?id=CVE-2024-2057 This affects users that: * Use the `TFIDFRetriever` * Attempt to de-serialize it from an untrusted source that contains a malicious payload
2025-09-25 04:49:17 +00:00 · 2024-03-06 15:49:04 -05:00
parent 81cbf0f2fd
commit 0e52961562
2 changed files with 35 additions and 0 deletions
--- a/libs/community/tests/unit_tests/retrievers/test_tfidf.py
+++ b/libs/community/tests/unit_tests/retrievers/test_tfidf.py
@@ -56,6 +56,11 @@ def test_save_local_load_local() -> None:
        loaded_tfidf_retriever = TFIDFRetriever.load_local(
            folder_path=temp_folder,
            file_name=file_name,
+            # Not a realistic security risk in this case.
+            # OK to allow for testing purposes.
+            # If the file has been compromised during this test, there's
+            # a much bigger problem.
+            allow_dangerous_deserialization=True,
        )
    assert len(loaded_tfidf_retriever.docs) == 3
    assert loaded_tfidf_retriever.tfidf_array.toarray().shape == (3, 5)