From f43db8bc51614bc428b38019cd3cd3889c206517 Mon Sep 17 00:00:00 2001
From: Tong Liu <57178900+Lyutoon@users.noreply.github.com>
Date: Thu, 8 Aug 2024 13:44:55 +0800
Subject: [PATCH] fix code injection (#1868)
### What problem does this PR solve?
fix code injection in https://github.com/infiniflow/ragflow/issues/1860, developers can have a check to see if the fix works as expected.
### Type of change
Vulnerability Fix
---
 api/apps/llm_app.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/api/apps/llm_app.py b/api/apps/llm_app.py
index 3f5a0b7be44..c29a220cb96 100644
--- a/api/apps/llm_app.py
+++ b/api/apps/llm_app.py
@@ -22,6 +22,7 @@
 from api.utils.api_utils import get_json_result
 from rag.llm import EmbeddingModel, ChatModel, RerankModel,CvModel
 import requests
+import ast
 
 @manager.route('/factories', methods=['GET'])
 @login_required
@@ -113,7 +114,7 @@ def add_llm():
 if factory == "VolcEngine":
 # For VolcEngine, due to its special authentication method
 # Assemble volc_ak, volc_sk, endpoint_id into api_key
-temp = list(eval(req["llm_name"]).items())[0]
+temp = list(ast.literal_eval(req["llm_name"]).items())[0]
 llm_name = temp[0]
 endpoint_id = temp[1]
 api_key = '{' + f'"volc_ak": "{req.get("volc_ak", "")}", ' \
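Review bot: The new `ast.literal_eval` line in the `add_llm` hunk closes the code-execution hole but still trusts the shape of `req["llm_name"]`: a missing key raises KeyError, a non-literal string raises ValueError or SyntaxError, a literal that is not a dict fails on `.items()`, and an empty dict fails on `[0]`, so a malformed request surfaces as an unhandled exception instead of a validation error. `ast.literal_eval` can also raise MemoryError or RecursionError on very large or deeply nested input, which the docs flag as a way to crash the interpreter, so the input should be bounded and type-checked before use. I would split the line into `parsed = ast.literal_eval(req["llm_name"])`, `if not isinstance(parsed, dict) or not parsed: raise ValueError("llm_name must be a non-empty dict literal")`, `temp = list(parsed.items())[0]`, and catch `(KeyError, ValueError, SyntaxError)` around it to return a client error through the handler's usual error path. I cannot tell from the hunk whether `add_llm` has an outer exception handler that converts these into a 4xx, so the exact reporting form should be checked against the rest of the function; `add_llm` begins before this hunk and continues after it.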