From 1a367664f143c55b7396a9e7c3319b649a617b82 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mathias=20Panzenb=C3=B6ck?= <134175+panzi@users.noreply.github.com>
Date: Wed, 22 Jan 2025 12:37:24 +0100
Subject: [PATCH] Remove usage of eval() from postprocess.py (#4571)

Remove usage of `eval()` from postprocess.py

### What problem does this PR solve?

The use of `eval()` is a potential security risk. While the use of `eval()` is guarded and thus not a security risk normally, `assert`s aren't run if `-O` or `-OO` is passed to the interpreter, and as such then the guard would not apply. In any case there is no reason to use `eval()` here at all.

### Type of change

- [x] Bug Fix (non-breaking change which fixes an issue)
- [x] Other (please describe): Potential security fix if somehow the passed `modul_name` could be user controlled.
---
 deepdoc/vision/postprocess.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/deepdoc/vision/postprocess.py b/deepdoc/vision/postprocess.py
index 2da1477b3..27916cf45 100644
--- a/deepdoc/vision/postprocess.py
+++ b/deepdoc/vision/postprocess.py
@@ -23,7 +23,7 @@ import pyclipper
 def build_post_process(config, global_config=None):
- support_dict = ['DBPostProcess', 'CTCLabelDecode']
+ support_dict = {'DBPostProcess': DBPostProcess, 'CTCLabelDecode': CTCLabelDecode}
 config = copy.deepcopy(config)
 module_name = config.pop('name')
@@ -31,10 +31,11 @@ def build_post_process(config, global_config=None):
 return
 if global_config is not None:
 config.update(global_config)
- assert module_name in support_dict, Exception( 'post process only support {}'.format(support_dict))
- module_class = eval(module_name)(**config)
- return module_class
+ module_class = support_dict.get(module_name)
+ if module_class is None:
+ raise ValueError( 'post process only support {}'.format(list(support_dict)))
+ return module_class(**config)
 class DBPostProcess(object):
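Review bot: `support_dict.get(module_name)` in the second hunk raises `TypeError: unhashable type` instead of the intended `ValueError` when `config['name']` is not a string (a list or dict from a malformed config), whereas the old list membership test `module_name in support_dict` would have fallen through to the assertion; guard the type first with `if not isinstance(module_name, str) or module_name not in support_dict:` and raise the `ValueError` there, then index `support_dict[module_name]`. Replacing the `assert` with `ValueError` also changes the exception type callers observe, so anything upstream that catches `AssertionError` would need updating, though nothing in the hunk shows such a caller. Including the rejected value in the message, e.g. `'post process only support {}, got {!r}'.format(list(support_dict), module_name)`, would make config mistakes easier to diagnose. The allowlist itself is sound: the class objects are resolved when the function runs, so the forward references to `DBPostProcess` and `CTCLabelDecode` (defined later in the module) are fine. `build_post_process` starts before this hunk; lines 28-30 of the function are not shown.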