fix: Address Copilot review comments

abrookins · abrookins · commit 3d17dd9d96ae · 2025-10-01T14:03:27.000-07:00
- Replace unsafe eval() with safe AST-based evaluation in examples
- Use ast.literal_eval() in documentation example
- Fix misleading comment about coroutine parameter (all functions are async)

Security improvements:
- Example now uses AST parsing with whitelisted operators
- Documentation uses ast.literal_eval() for safe evaluation
- Both approaches prevent arbitrary code execution
diff --git a/Any b/Any
diff --git a/agent-memory-client/agent_memory_client/integrations/langchain.py b/agent-memory-client/agent_memory_client/integrations/langchain.py
@@ -204,7 +204,7 @@ def get_memory_tools(
             func=config["func"],
             name=config["name"],
             description=config["description"],
-            coroutine=config["func"],  # Same function works for both sync and async
+            coroutine=config["func"],  # All our functions are async
         )
         langchain_tools.append(langchain_tool)
 
diff --git a/docs/langchain-integration.md b/docs/langchain-integration.md
@@ -222,8 +222,14 @@ memory_tools = get_memory_tools(
 # Define custom tools
 @tool
 async def calculate(expression: str) -> str:
-    """Evaluate a mathematical expression."""
-    return str(eval(expression))
+    """Evaluate a simple mathematical expression safely."""
+    import ast
+    # Use ast.literal_eval for safe evaluation of simple expressions
+    try:
+        result = ast.literal_eval(expression)
+        return str(result)
+    except (ValueError, SyntaxError):
+        return "Error: Invalid expression"
 
 @tool
 async def get_weather(city: str) -> str:
diff --git a/examples/langchain_integration_example.py b/examples/langchain_integration_example.py
@@ -186,9 +186,35 @@ async def custom_agent_example():
 
     @tool
     async def calculate(expression: str) -> str:
-        """Evaluate a mathematical expression."""
+        """Evaluate a simple mathematical expression (numbers and basic operators only)."""
+        import ast
+        import operator
+
+        # Safe evaluation using AST - only allows basic math operations
+        allowed_operators = {
+            ast.Add: operator.add,
+            ast.Sub: operator.sub,
+            ast.Mult: operator.mul,
+            ast.Div: operator.truediv,
+            ast.Pow: operator.pow,
+        }
+
         try:
-            result = eval(expression)  # Note: Use safely in production!
+
+            def eval_node(node: ast.AST) -> float:
+                if isinstance(node, ast.Constant):
+                    return float(node.value)
+                if isinstance(node, ast.BinOp):
+                    op = allowed_operators.get(type(node.op))
+                    if op is None:
+                        raise ValueError(f"Unsupported operator: {type(node.op)}")
+                    return op(eval_node(node.left), eval_node(node.right))
+                if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
+                    return -eval_node(node.operand)
+                raise ValueError(f"Unsupported expression: {type(node)}")
+
+            tree = ast.parse(expression, mode="eval")
+            result = eval_node(tree.body)
             return f"Result: {result}"
         except Exception as e:
             return f"Error: {str(e)}"

Original file line number	Diff line number	Diff line change
`@@ -204,7 +204,7 @@ def get_memory_tools(`
`204`	`204`	`func=config["func"],`
`205`	`205`	`name=config["name"],`
`206`	`206`	`description=config["description"],`
`207`		`- coroutine=config["func"], # Same function works for both sync and async`
	`207`	`+ coroutine=config["func"], # All our functions are async`
`208`	`208`	`)`
`209`	`209`	`langchain_tools.append(langchain_tool)`
`210`	`210`