github/langchain
1
0
Fork 0
mirror of https://github.com/hwchase17/langchain.git synced 2025-06-19 21:33:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

experimental[patch]: Enhance protection against arbitrary code execution in PALChain (#17091)

Browse Source 
- **Description:** Block some ways to trigger arbitrary code execution
bug in PALChain.

---------

Co-authored-by: Eugene Yurtsev <eyurtsev@gmail.com>
This commit is contained in:
DanisJiang 2024-02-15 03:44:07 +08:00 committed by GitHub
parent 8562a1e7d4
commit de9a6cdf16
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 19 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
libs/experimental/langchain_experimental/pal_chain/base.py
View File

@ -21,6 +21,16 @@ from langchain_experimental.pal_chain.math_prompt import MATH_PROMPT
from langchain_experimental.pydantic_v1 import Extra, Field from langchain_experimental.pydantic_v1 import Extra, Field
COMMAND_EXECUTION_FUNCTIONS = ["system", "exec", "execfile", "eval", "__import__"] COMMAND_EXECUTION_FUNCTIONS = ["system", "exec", "execfile", "eval", "__import__"]
COMMAND_EXECUTION_ATTRIBUTES = [
"__import__",
"__subclasses__",
"__builtins__",
"__globals__",
"__getattribute__",
"__bases__",
"__mro__",
"__base__",
]
class PALValidation: class PALValidation:
@ -232,6 +242,15 @@ class PALChain(Chain):
or not code_validations.allow_imports or not code_validations.allow_imports
): ):
for node in ast.walk(code_tree): for node in ast.walk(code_tree):
if (
not code_validations.allow_command_exec
and isinstance(node, ast.Attribute)
and node.attr in COMMAND_EXECUTION_ATTRIBUTES
):
raise ValueError(
f"Found illegal command execution function "
f"{node.attr} in code {code}"
)
if (not code_validations.allow_command_exec) and isinstance( if (not code_validations.allow_command_exec) and isinstance(
node, ast.Call node, ast.Call
): ):