Tong Liu
commited on
Commit
·
7240dd7
1
Parent(s):
570986a
fix code injection (#1868)
Browse files### What problem does this PR solve?
fix code injection in https://github.com/infiniflow/ragflow/issues/1860,
developers can have a check to see if the fix works as expected.
### Type of change
Vulnerability Fix
- api/apps/llm_app.py +2 -1
api/apps/llm_app.py
CHANGED
|
@@ -22,6 +22,7 @@ from api.db.db_models import TenantLLM
|
|
| 22 |
from api.utils.api_utils import get_json_result
|
| 23 |
from rag.llm import EmbeddingModel, ChatModel, RerankModel,CvModel
|
| 24 |
import requests
|
|
|
|
| 25 |
|
| 26 |
@manager.route('/factories', methods=['GET'])
|
| 27 |
@login_required
|
|
@@ -113,7 +114,7 @@ def add_llm():
|
|
| 113 |
if factory == "VolcEngine":
|
| 114 |
# For VolcEngine, due to its special authentication method
|
| 115 |
# Assemble volc_ak, volc_sk, endpoint_id into api_key
|
| 116 |
-
temp = list(
|
| 117 |
llm_name = temp[0]
|
| 118 |
endpoint_id = temp[1]
|
| 119 |
api_key = '{' + f'"volc_ak": "{req.get("volc_ak", "")}", ' \
|
|
|
|
| 22 |
from api.utils.api_utils import get_json_result
|
| 23 |
from rag.llm import EmbeddingModel, ChatModel, RerankModel,CvModel
|
| 24 |
import requests
|
| 25 |
+
import ast
|
| 26 |
|
| 27 |
@manager.route('/factories', methods=['GET'])
|
| 28 |
@login_required
|
|
|
|
| 114 |
if factory == "VolcEngine":
|
| 115 |
# For VolcEngine, due to its special authentication method
|
| 116 |
# Assemble volc_ak, volc_sk, endpoint_id into api_key
|
| 117 |
+
temp = list(ast.literal_eval(req["llm_name"]).items())[0]
|
| 118 |
llm_name = temp[0]
|
| 119 |
endpoint_id = temp[1]
|
| 120 |
api_key = '{' + f'"volc_ak": "{req.get("volc_ak", "")}", ' \
|