Merge pull request from GHSA-hv5m-3rp9-xcpf

* Remove eval of API input * Remove unnecessary eval/exec for security * Use ast.literal_eval * Use ast.literal_eval --------- Co-authored-by: oobabooga <112222186+oobabooga@users.noreply.github.com>
2023-04-16 05:36:50 +01:00 · 2023-04-16 05:36:50 +01:00 · 16a3a5b039
commit 16a3a5b039
parent d2ea925fa5
5 changed files with 15 additions and 13 deletions
--- a/modules/text_generation.py
+++ b/modules/text_generation.py
@ -1,3 +1,4 @@
+import ast
 import random
 import re
 import time
@ -192,7 +193,7 @@ def generate_reply(question, state, eos_token=None, stopping_strings=[]):

    # Handling the stopping strings
    stopping_criteria_list = transformers.StoppingCriteriaList()
-    for st in [stopping_strings, eval(f"[{state['custom_stopping_strings']}]")]:
+    for st in (stopping_strings, ast.literal_eval(f"[{state['custom_stopping_strings']}]")]):
        if type(st) is list and len(st) > 0:
            sentinel_token_ids = [encode(string, add_special_tokens=False) for string in st]
            stopping_criteria_list.append(_SentinelTokenStoppingCriteria(sentinel_token_ids=sentinel_token_ids, starting_idx=len(input_ids[0])))