AI/ragflow
1
0
Fork 0
mirror of https://git.mirrors.martin98.com/https://github.com/infiniflow/ragflow.git synced 2025-04-23 06:30:00 +08:00
Code Issues Packages Projects Releases Wiki Activity

Remove use of eval() from search.py (#4887)

Browse Source 
Use `json.loads()` instead.

### What problem does this PR solve?

Using `eval()` can lead to code injections. I think this loads a JSON
field, right? If yes, why is this done via `eval()` and not
`json.loads()`?

### Type of change

- [x] Bug Fix (non-breaking change which fixes an issue)
This commit is contained in:
Mathias Panzenböck 2025-02-12 06:15:38 +01:00 committed by GitHub
parent 1287558f24
commit 9bcccadebd
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
rag/nlp/search.py
View File

@ -15,6 +15,7 @@
# #
import logging import logging
import re import re
import json
from dataclasses import dataclass from dataclasses import dataclass
from rag.settings import TAG_FLD, PAGERANK_FLD from rag.settings import TAG_FLD, PAGERANK_FLD
@ -258,7 +259,7 @@ class Dealer:
q_denor = np.sqrt(np.sum([s*s for t,s in query_rfea.items() if t != PAGERANK_FLD])) q_denor = np.sqrt(np.sum([s*s for t,s in query_rfea.items() if t != PAGERANK_FLD]))
for i in search_res.ids: for i in search_res.ids:
nor, denor = 0, 0 nor, denor = 0, 0
for t, sc in eval(search_res.field[i].get(TAG_FLD, "{}")).items(): for t, sc in json.loads(search_res.field[i].get(TAG_FLD, "{}")).items():
if t in query_rfea: if t in query_rfea:
nor += query_rfea[t] * sc nor += query_rfea[t] * sc
denor += sc * sc denor += sc * sc