From 16a3a5b039ed7c0d3cf1abe6d23a36c129965c09 Mon Sep 17 00:00:00 2001
From: Mikel Bober-Irizar
Date: Sun, 16 Apr 2023 05:36:50 +0100
Subject: [PATCH] Merge pull request from GHSA-hv5m-3rp9-xcpf
* Remove eval of API input
* Remove unnecessary eval/exec for security
* Use ast.literal_eval
* Use ast.literal_eval
---------
Co-authored-by: oobabooga <112222186+oobabooga@users.noreply.github.com>
---
 modules/chat.py | 5 +++--
 modules/extensions.py | 4 ++--
 modules/shared.py | 4 ++--
 modules/text_generation.py | 3 ++-
 server.py | 12 ++++++------
 5 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/modules/chat.py b/modules/chat.py
index 43a75e4..34f7b2f 100644
--- a/modules/chat.py
+++ b/modules/chat.py
@@ -1,3 +1,4 @@
+import ast
 import base64
 import copy
 import io
@@ -81,7 +82,7 @@ def get_stopping_strings(state):
 stopping_strings = [f"\n{state['name1']}", f"\n{state['name2']}"]
 else:
 stopping_strings = [f"\n{state['name1']}:", f"\n{state['name2']}:"]
- stopping_strings += eval(f"[{state['custom_stopping_strings']}]")
+ stopping_strings += ast.literal_eval(f"[{state['custom_stopping_strings']}]")
 return stopping_strings
@@ -525,4 +526,4 @@ def upload_your_profile_picture(img, name1, name2, mode):
 img.save(Path('cache/pfp_me.png'))
 print('Profile picture saved to "cache/pfp_me.png"')
- return chat_html_wrapper(shared.history['visible'], name1, name2, mode, reset_cache=True)
\ No newline at end of file
+ return chat_html_wrapper(shared.history['visible'], name1, name2, mode, reset_cache=True)
diff --git a/modules/extensions.py b/modules/extensions.py
index eded405..a6903a9 100644
--- a/modules/extensions.py
+++ b/modules/extensions.py
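Review bot: `ast.literal_eval` on the replaced line of get_stopping_strings removes code execution, but it still raises `ValueError`, `SyntaxError` or `TypeError` on a malformed `custom_stopping_strings` value and, per the Python docs, can exhaust the interpreter stack on a sufficiently nested string, so this user-supplied setting still reaches an unguarded parser; the same applies to the generate_reply hunk in modules/text_generation.py. It also accepts any literal, not only strings, so a value such as `1` or `{}` lands in `stopping_strings` and would only fail further down the pipeline. I would parse into a temporary, drop non-string entries, and let a bad setting degrade to "no extra stopping strings" rather than an exception, as below. get_stopping_strings starts outside the hunk.
```python
    # … unchanged: name1/name2 defaults …
    try:
        parsed = ast.literal_eval(f"[{state['custom_stopping_strings']}]")
    except (ValueError, SyntaxError, TypeError, RecursionError, MemoryError):
        parsed = []
    # literal_eval accepts any literal; keep only entries that are actually strings
    stopping_strings += [s for s in parsed if isinstance(s, str)]
    return stopping_strings
```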
@@ -17,7 +17,7 @@ def load_extensions():
 print(f'Loading the extension "{name}"... ', end='')
 try:
 exec(f"import extensions.{name}.script")
- extension = eval(f"extensions.{name}.script")
+ extension = getattr(extensions, name).script
 if extension not in setup_called and hasattr(extension, "setup"):
 setup_called.add(extension)
 extension.setup()
@@ -32,7 +32,7 @@ def load_extensions():
 def iterator():
 for name in sorted(state, key=lambda x: state[x][1]):
 if state[name][0]:
- yield eval(f"extensions.{name}.script"), name
+ yield getattr(extensions, name).script, name
 # Extension functions that map string -> string
diff --git a/modules/shared.py b/modules/shared.py
index 0230614..374942e 100644
--- a/modules/shared.py
+++ b/modules/shared.py
@@ -152,9 +152,9 @@ args_defaults = parser.parse_args([])
 # Deprecation warnings for parameters that have been renamed
 deprecated_dict = {}
 for k in deprecated_dict:
- if eval(f"args.{k}") != deprecated_dict[k][1]:
+ if getattr(args, k) != deprecated_dict[k][1]:
 print(f"Warning: --{k} is deprecated and will be removed. Use --{deprecated_dict[k][0]} instead.")
- exec(f"args.{deprecated_dict[k][0]} = args.{k}")
+ setattr(args, deprecated_dict[k][0], getattr(args, k))
 # Deprecation warnings for parameters that have been removed
 if args.cai_chat:
diff --git a/modules/text_generation.py b/modules/text_generation.py
index 79696f4..65a1da9 100644
--- a/modules/text_generation.py
+++ b/modules/text_generation.py
@@ -1,3 +1,4 @@
+import ast
 import random
 import re
 import time
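Review bot: `getattr(extensions, name)` on the added line in load_extensions only resolves if `extensions` is already bound at module level in modules/extensions.py; the `exec(f"import extensions.{name}.script")` on the preceding context line runs inside a function body, so the name it imports lands in a throwaway locals snapshot and is not visible to the next statement — the file's imports are outside the hunk, so please confirm. That `exec` is also the same string-built dynamic code the commit sets out to remove: `name` comes from the configured extension list, and a value that is not a plain identifier is interpreted as Python source rather than as a module path. Replacing the two lines with `extension = importlib.import_module(f"extensions.{name}.script")` (plus `import importlib` at the top) addresses both points, and the iterator hunk below can use the same call (or `sys.modules`) instead of `getattr(extensions, name).script`. load_extensions continues outside the hunk.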
@@ -192,7 +193,7 @@ def generate_reply(question, state, eos_token=None, stopping_strings=[]):
 # Handling the stopping strings
 stopping_criteria_list = transformers.StoppingCriteriaList()
- for st in [stopping_strings, eval(f"[{state['custom_stopping_strings']}]")]:
+ for st in (stopping_strings, ast.literal_eval(f"[{state['custom_stopping_strings']}]")]):
 if type(st) is list and len(st) > 0:
 sentinel_token_ids = [encode(string, add_special_tokens=False) for string in st]
 stopping_criteria_list.append(_SentinelTokenStoppingCriteria(sentinel_token_ids=sentinel_token_ids, starting_idx=len(input_ids[0])))
diff --git a/server.py b/server.py
index ecc8932..4f3ea3e 100644
--- a/server.py
+++ b/server.py
@@ -214,7 +214,7 @@ def update_model_parameters(state, initial=False):
 elif element == 'cpu_memory' and value is not None:
 value = f"{value}MiB"
- exec(f"shared.args.{element} = value")
+ setattr(shared.args, element, value)
 found_positive = False
 for i in gpu_memories:
@@ -449,14 +449,14 @@ def set_interface_arguments(interface_mode, extensions, bool_active):
 shared.args.extensions = extensions
 for k in modes[1:]:
- exec(f"shared.args.{k} = False")
+ setattr(shared.args, k, False)
 if interface_mode != "default":
- exec(f"shared.args.{interface_mode} = True")
+ setattr(shared.args, interface_mode, True)
 for k in bool_list:
- exec(f"shared.args.{k} = False")
+ setattr(shared.args, k, False)
 for k in bool_active:
- exec(f"shared.args.{k} = True")
+ setattr(shared.args, k, True)
 shared.need_restart = True
@@ -673,7 +673,7 @@ def create_interface():
 modes = ["default", "notebook", "chat", "cai_chat"]
 current_mode = "default"
 for mode in modes[1:]:
- if eval(f"shared.args.{mode}"):
+ if getattr(shared.args, mode):
 current_mode = mode
 break
 cmd_list = vars(shared.args)
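Review bot: The added line in generate_reply has unbalanced brackets — `...}]")]):` closes `ast.literal_eval(` and then a `]` that was never opened before the tuple's `)` — so modules/text_generation.py will fail to import with a SyntaxError; the line should read `for st in (stopping_strings, ast.literal_eval(f"[{state['custom_stopping_strings']}]")):`. The `type(st) is list` check on the following context line still holds for both elements, since `literal_eval` of a `[...]` string returns a list and only the outer container changed from list to tuple. generate_reply continues outside the hunk.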
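Review bot: `setattr(shared.args, element, value)` in update_model_parameters silently creates a new attribute when `element` is not an existing argparse option, so a typo or an unexpected key in `state` (whose origin is outside the hunk) is accepted rather than rejected; guarding with `if hasattr(shared.args, element): setattr(shared.args, element, value)` keeps writes to the known option set. The same applies in the set_interface_arguments hunk, where `interface_mode` and each `bool_active` entry become attribute names; the create_interface hunk already enumerates the known options via `vars(shared.args)`, which could serve as the allow-list. The enclosing function bodies start and end outside these hunks.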