Fix calculator ACE vulnerability

PaddlePaddle · Jan 18, 2024 · e9cbff3 · e9cbff3
1 parent 0109e37
commit e9cbff3
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/erniebot-agent/src/erniebot_agent/tools/calculator_tool.py b/erniebot-agent/src/erniebot_agent/tools/calculator_tool.py
@@ -24,7 +24,16 @@ class CalculatorTool(Tool):
     ouptut_type: Type[ToolParameterView] = CalculatorToolOutputView
 
     async def __call__(self, math_formula: str) -> Dict[str, float]:
-        return {"formula_result": eval(math_formula)}
+        try:
+            code = compile(math_formula, "<string>", "eval")
+        except (SyntaxError, ValueError) as e:
+            raise ValueError("Invalid input expression") from e
+        try:
+            result = eval(code, {"__builtins__": {}}, {})
+        except NameError as e:
+            names_not_allowed = code.co_names
+            raise ValueError(f"Names {names_not_allowed} are not allowed in the expression.") from e
+        return {"formula_result": result}
 
     @property
     def examples(self) -> List[Message]: