From 14955e6251fd72d12f9b3be729795a00a5e00241 Mon Sep 17 00:00:00 2001
From: zsimjee
Date: Mon, 16 Sep 2024 17:08:46 -0700
Subject: [PATCH] safe eval
---
 guardrails/utils/validator_utils.py | 3 ++-
 tests/unit_tests/test_datatypes.py | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/guardrails/utils/validator_utils.py b/guardrails/utils/validator_utils.py
index a1a78260f..b6d60ba02 100644
--- a/guardrails/utils/validator_utils.py
+++ b/guardrails/utils/validator_utils.py
@@ -1,6 +1,7 @@
 # ruff: noqa
 """This module contains the constants and utils used by the validator.py."""
+from ast import literal_eval
 from typing import Any, Dict, List, Optional, Tuple, Type, Union, cast
 from guardrails_api_client import ValidatorReference
@@ -33,7 +34,7 @@ def parse_rail_arguments(arg_tokens: List[str]) -> List[Any]:
 # and be responsible for parsing them to the correct types.
 # Option 2: We use something like the Validator Manifest that describes the arguments
 # to parse the values from the string WITHOUT an eval.
- t = eval(t)
+ t = literal_eval(t)
 except (ValueError, SyntaxError, NameError) as e:
 raise ValueError(
 f"Python expression `{t}` is not valid, "
diff --git a/tests/unit_tests/test_datatypes.py b/tests/unit_tests/test_datatypes.py
index c99ea9be6..07399ecfd 100644
--- a/tests/unit_tests/test_datatypes.py
+++ b/tests/unit_tests/test_datatypes.py
@@ -22,7 +22,7 @@ def __init__(self, *args, **kwargs):
 ("test-validator: a", ["a"]),
 ("test-validator: a b", ["a", "b"]),
 (
- "test-validator: {list(range(5))} a b",
+ "test-validator: {[0,1,2,3,4]} a b",
 [[0, 1, 2, 3, 4], "a", "b"],
 ),
 ("test-validator: {[1, 2, 3]} a b", [[1, 2, 3], "a", "b"]),
@@ -31,7 +31,7 @@ def __init__(self, *args, **kwargs):
 [{"a": 1, "b": 2}, "c", "d"],
 ),
 (
- "test-validator: {1 + 2} {{'a': 1, 'b': 2}} c d",
+ "test-validator: {3} {{'a': 1, 'b': 2}} c d",
 [3, {"a": 1, "b": 2}, "c", "d"],
 ),
 ],
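Review bot: The `except (ValueError, SyntaxError, NameError) as e:` clause left as context after the new `t = literal_eval(t)` line in `parse_rail_arguments` no longer matches what the call can raise. `ast.literal_eval` is documented to raise `TypeError`, `MemoryError` and `RecursionError` as well as `ValueError` and `SyntaxError` on malformed input (a dict literal with an unhashable key, or very deep nesting), and it does not raise `NameError`. Those three would escape as uncaught exceptions instead of the `ValueError` this function builds, so I would change the clause to `except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as e:`. Since the token appears to come from a RAIL string, a length cap on `t` before parsing is also worth considering, because `literal_eval` bounds what can execute but not how much work the parse costs. The function starts and ends outside the hunk, so caller-side handling is not visible here.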
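Review bot: The rewritten case in the `@@ -22,7 +22,7 @@` hunk, like the one in the `@@ -31,7 +31,7 @@` hunk, only swaps an expression for a literal, so nothing in the suite pins the property this commit exists for: that a non-literal argument is rejected. I would add a negative case asserting that an argument such as `{list(range(5))}` or `{1 + 2}` now raises `ValueError`, so that a later revert to `eval` fails the tests. This assumes these cases reach `parse_rail_arguments`, which the hunks do not show. The enclosing parametrize list starts outside both hunks.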