Fix: code exec component vulnerability and add support for nested list and dict object (#11504)

### What problem does this PR solve? Fix code exec component vulnerability and add support for nested list and dict object. <img width="1491" height="952" alt="image" src="https://github.com/user-attachments/assets/ec2de4e3-0919-413d-abe6-d19431292f14" /> Return a single value: <img width="1156" height="719" alt="image" src="https://github.com/user-attachments/assets/baa35caa-e27c-4064-a9f9-4c0af9a3d5b8" /> ### Type of change - [x] Bug Fix (non-breaking change which fixes an issue) - [x] New Feature (non-breaking change which adds functionality)
2025-12-08 20:42:30 +08:00 · 2025-11-25 14:35:41 +08:00
parent 8c1ee3845a
commit 7a344a32f9
2 changed files with 180 additions and 57 deletions
--- a/agent/canvas.py
+++ b/agent/canvas.py
@ -206,17 +206,28 @@ class Graph:
        for key in path.split('.'):
            if cur is None:
                return None
+
            if isinstance(cur, str):
                try:
                    cur = json.loads(cur)
                except Exception:
                    return None
+
            if isinstance(cur, dict):
                cur = cur.get(key)
-            else:
-                cur = getattr(cur, key, None)
+                continue
+
+            if isinstance(cur, (list, tuple)):
+                try:
+                    idx = int(key)
+                    cur = cur[idx]
+                except Exception:
+                    return None
+                continue
+
+            cur = getattr(cur, key, None)
        return cur
-    
+
    def set_variable_value(self, exp: str,value):
        exp = exp.strip("{").strip("}").strip(" ").strip("{").strip("}")
        if exp.find("@") < 0:
@ -440,7 +451,7 @@ class Canvas(Graph):

                    if isinstance(cpn_obj.output("attachment"), tuple):
                        yield decorate("message", {"attachment": cpn_obj.output("attachment")})
-                        
+
                    yield decorate("message_end", {"reference": self.get_reference() if cite else None})

                    while partials:
@ -647,4 +658,3 @@ class Canvas(Graph):

    def get_component_thoughts(self, cpn_id) -> str:
        return self.components.get(cpn_id)["obj"].thoughts()
-