From 6b389e01b55586306d9c9fddca58d833450183d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mathias=20Panzenb=C3=B6ck?= <134175+panzi@users.noreply.github.com>
Date: Wed, 12 Feb 2025 05:53:42 +0100
Subject: [PATCH] Remove use of eval() from operators.py (#4888)

Use `np.float32()` instead.

### What problem does this PR solve?

Using `eval()` can lead to code injections. I think `eval()` is only used to parse a floating point number here. This change preserves the correct behavior if the string `"None"` is supplied. But if that behavior isn't intended then this part could be just deleted instead, since `np.float32()` is parsing strings anyway:

```Python
if isinstance(scale, str):
scale = eval(scale)
```

### Type of change

- [x] Bug Fix (non-breaking change which fixes an issue)
---
 deepdoc/vision/operators.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deepdoc/vision/operators.py b/deepdoc/vision/operators.py
index d7162522a..bfe6c726a 100644
--- a/deepdoc/vision/operators.py
+++ b/deepdoc/vision/operators.py
@@ -108,7 +108,7 @@ class NormalizeImage(object):
 def __init__(self, scale=None, mean=None, std=None, order='chw', **kwargs):
 if isinstance(scale, str):
- scale = eval(scale)
+ scale = np.float32(scale) if scale != 'None' else None
 self.scale = np.float32(scale if scale is not None else 1.0 / 255.0)
 mean = mean if mean is not None else [0.485, 0.456, 0.406]
 std = std if std is not None else [0.229, 0.224, 0.225]
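Review bot: The new `+` line narrows the accepted input more than the description suggests: `eval()` accepted arithmetic strings such as `'1./255.'`, and `np.float32('1./255.')` raises `ValueError: could not convert string to float`, so any caller or config that passes the scale as a quotient (a common way to spell this value, though no such caller is visible here) breaks, while the only string the change special-cases is the literal `'None'`. Removing `eval()` is the right call, since this string reaches `__init__` via `**kwargs`-style config and would otherwise run arbitrary code; the parse just needs to stay fail-closed without losing the `a/b` form, which a tiny hand-rolled split gives without any expression evaluator (`ast.literal_eval` also rejects `BinOp`, so it is not a drop-in either). A one-line comment on the parse, `# parse "a", "a/b" or "None" by hand; never eval() config strings`, would tell the next reader why the helper exists. Note that `__init__` continues past the end of this hunk, so anything later that still consumes `scale` as a raw string is not reviewed here.
```python
if isinstance(scale, str):
    # Parse "a", "a/b" or "None" by hand; never eval() config strings.
    text = scale.strip()
    if text == 'None':
        scale = None
    else:
        num, _, den = text.partition('/')
        scale = float(num) / float(den) if den else float(num)
# … unchanged: self.scale / mean / std assignments …
```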