pengjunjie/ragflow
1
0
Fork 1
mirror of https://github.com/infiniflow/ragflow.git synced 2025-12-30 08:35:33 +08:00
Code Issues Packages Projects Releases Wiki Activity

security: replace unsafe eval with ast.literal_eval in vision operators (#12236)

Browse Source 
Addresses a potential RCE vulnerability in NormalizeImage by using
ast.literal_eval for safer string parsing.

---------

Co-authored-by: Kevin Hu <kevinhu.sh@gmail.com>
This commit is contained in:
Rin
2025-12-29 12:28:09 +07:00
committed by GitHub
parent fddfce303c
commit 651d9fff9f
1 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
deepdoc/vision/operators.py
View File

@ -16,6 +16,7 @@
import logging import logging
import sys import sys
import ast
import six import six
import cv2 import cv2
import numpy as np import numpy as np
@ -108,7 +109,14 @@ class NormalizeImage:
def __init__(self, scale=None, mean=None, std=None, order='chw', **kwargs): def __init__(self, scale=None, mean=None, std=None, order='chw', **kwargs):
if isinstance(scale, str): if isinstance(scale, str):
scale = eval(scale) try:
scale = float(scale)
except ValueError:
if '/' in scale:
parts = scale.split('/')
scale = ast.literal_eval(parts[0]) / ast.literal_eval(parts[1])
else:
scale = ast.literal_eval(scale)
self.scale = np.float32(scale if scale is not None else 1.0 / 255.0) self.scale = np.float32(scale if scale is not None else 1.0 / 255.0)
mean = mean if mean is not None else [0.485, 0.456, 0.406] mean = mean if mean is not None else [0.485, 0.456, 0.406]
std = std if std is not None else [0.229, 0.224, 0.225] std = std if std is not None else [0.229, 0.224, 0.225]