security: replace unsafe eval with ast.literal_eval in vision operators (#12236)

Addresses a potential RCE vulnerability in NormalizeImage by using ast.literal_eval for safer string parsing. --------- Co-authored-by: Kevin Hu <kevinhu.sh@gmail.com>
2025-12-30 00:32:30 +08:00 · 2025-12-29 12:28:09 +07:00
parent fddfce303c
commit 651d9fff9f
1 changed files with 9 additions and 1 deletions
--- a/deepdoc/vision/operators.py
+++ b/deepdoc/vision/operators.py
@ -16,6 +16,7 @@

 import logging
 import sys
+import ast
 import six
 import cv2
 import numpy as np
@ -108,7 +109,14 @@ class NormalizeImage:

    def __init__(self, scale=None, mean=None, std=None, order='chw', **kwargs):
        if isinstance(scale, str):
-            scale = eval(scale)
+            try:
+                scale = float(scale)
+            except ValueError:
+                if '/' in scale:
+                    parts = scale.split('/')
+                    scale = ast.literal_eval(parts[0]) / ast.literal_eval(parts[1])
+                else:
+                    scale = ast.literal_eval(scale)
        self.scale = np.float32(scale if scale is not None else 1.0 / 255.0)
        mean = mean if mean is not None else [0.485, 0.456, 0.406]
        std = std if std is not None else [0.229, 0.224, 0.225]