Merge pull request from GHSA-hv5m-3rp9-xcpf

* Remove eval of API input

* Remove unnecessary eval/exec for security

* Use ast.literal_eval

* Use ast.literal_eval

---------

Co-authored-by: oobabooga <112222186+oobabooga@users.noreply.github.com>
Mikel Bober-Irizar 2023-04-16 05:36:50 +01:00 committed by GitHub
parent d2ea925fa5
commit 16a3a5b039
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 15 additions and 13 deletions


@ -17,7 +17,7 @@ def load_extensions():
print(f'Loading the extension "{name}"... ', end='')
try:
exec(f"import extensions.{name}.script")
extension = eval(f"extensions.{name}.script")
extension = getattr(extensions, name).script
if extension not in setup_called and hasattr(extension, "setup"):
setup_called.add(extension)
extension.setup()
@ -32,7 +32,7 @@ def load_extensions():
def iterator():
for name in sorted(state, key=lambda x: state[x][1]):
if state[name][0]:
yield eval(f"extensions.{name}.script"), name
yield getattr(extensions, name).script, name
# Extension functions that map string -> string
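Review bot: The `exec(f"import extensions.{name}.script")` line directly above the replaced `eval` in the first hunk is left in place, so the same `name` that the commit stops passing to `eval` is still interpolated into a statement that is executed; if `name` can carry the API input the PR title refers to, a value such as `x.script\nimport os; os.system('id')#` would still run arbitrary code before `getattr` is ever reached. I would replace it with `extension = importlib.import_module(f"extensions.{name}.script")` (adding `import importlib` at the top of the file, which is outside this view) and reject any `name` for which `not name.isidentifier()` before the `try`, so that neither the import nor `getattr(extensions, name)` sees a dotted or otherwise malformed name. The `load_extensions` body starts before the first hunk and the `iterator` hunk appears to continue past the visible lines, so where the validation is best placed should be confirmed against the part of the function not shown here.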