Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

experimental[major]: CVE-2024-46946 fix #26783

Merged
merged 21 commits into from
Sep 24, 2024
Merged

experimental[major]: CVE-2024-46946 fix #26783

merged 21 commits into from
Sep 24, 2024

Conversation

mercyspirit
Copy link
Contributor

Description: Resolve CVE-2024-46946 by switching out sympify with parse_expr with a very specific allowed set of operations.

https://nvd.nist.gov/vuln/detail/cve-2024-46946

Sympify uses eval which makes it vulnerable to code execution. parse_expr is limited to specific expressions.

Bandit results
image

@vercel Vercel
Copy link

vercel bot commented Sep 23, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
langchain ✅ Ready (Inspect) Visit Preview 💬 Add feedback Sep 24, 2024 9:37pm

@dosubot dosubot bot added size:S This PR changes 10-29 lines, ignoring generated files. 🤖:security Related to security issues, CVEs labels Sep 23, 2024
@dosubot dosubot bot added size:M This PR changes 30-99 lines, ignoring generated files. and removed size:S This PR changes 10-29 lines, ignoring generated files. labels Sep 23, 2024
eyurtsev
eyurtsev reviewed Sep 24, 2024
View reviewed changes
libs/experimental/langchain_experimental/llm_symbolic_math/base.py Outdated
"exp": sympy.exp,
"log": sympy.log,
"ln": sympy.log, # natural log (alias)
"log10": sympy.log, # log base 10 (use sympy.log)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

both log10 and ln are aliased to sympy.log

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

changed so that log would be a user defined base (default 10), ln will be regular sympy log which defaults to ln. And log 10 to base 10

eyurtsev
eyurtsev reviewed Sep 24, 2024
View reviewed changes
Copy link
Collaborator

@eyurtsev eyurtsev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great! Would you be able to check the issue with log10 vs. ln?

@eyurtsev eyurtsev self-assigned this Sep 24, 2024
@dosubot dosubot bot added the lgtm PR looks good. Use to confirm that a PR is ready for merging. label Sep 24, 2024
@eyurtsev eyurtsev changed the title experimental: CVE-2024-46946 fix experimental[major]: CVE-2024-46946 fix Sep 24, 2024
@eyurtsev
Copy link
Collaborator

@mercyspirit I'm going to make the fix backwards compatible for users that are using this code for prototyping since this fix will break a lot of functionality otherwise.

@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. and removed size:M This PR changes 30-99 lines, ignoring generated files. labels Sep 24, 2024
@eyurtsev eyurtsev enabled auto-merge (squash) September 24, 2024 21:30
@eyurtsev eyurtsev merged commit 0414be4 into langchain-ai:master Sep 24, 2024
19 checks passed
@dzubke
Copy link

dzubke commented Sep 30, 2024

This PR resolves this discussion: #26720.

Sheepsta300 pushed a commit to Sheepsta300/langchain that referenced this pull request Oct 1, 2024
@mercyspirit @eyurtsev @Sheepsta300
experimental[major]: CVE-2024-46946 fix (langchain-ai#26783)
25663d9 
Description: Resolve CVE-2024-46946 by switching out sympify with
parse_expr with a very specific allowed set of operations.

https://nvd.nist.gov/vuln/detail/cve-2024-46946

Sympify uses eval which makes it vulnerable to code execution.
parse_expr is limited to specific expressions.

Bandit results

![image](https://github.com/user-attachments/assets/170a6376-7028-4e70-a7ef-9acfb49c1d8a)

---------

Co-authored-by: aqiu7 <[email protected]>
Co-authored-by: Eugene Yurtsev <[email protected]>
Co-authored-by: Eugene Yurtsev <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eyurtsev eyurtsev eyurtsev approved these changes

Assignees

@eyurtsev eyurtsev

Labels
lgtm PR looks good. Use to confirm that a PR is ready for merging. 🤖:security Related to security issues, CVEs size:L This PR changes 100-499 lines, ignoring generated files.
Projects
PR Reviews
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mercyspirit @eyurtsev @dzubke