langchain-core 1.0.5__py3-none-any.whl → 1.0.7__py3-none-any.whl

langchain_core/prompts/string.py

@@ -19,9 +19,66 @@ if TYPE_CHECKING:
     from collections.abc import Callable, Sequence
 
 try:
-    from jinja2 import Environment, meta
+    from jinja2 import meta
+    from jinja2.exceptions import SecurityError
     from jinja2.sandbox import SandboxedEnvironment
 
+    class _RestrictedSandboxedEnvironment(SandboxedEnvironment):
+        """A more restrictive Jinja2 sandbox that blocks all attribute/method access.
+
+        This sandbox only allows simple variable lookups, no attribute or method access.
+        This prevents template injection attacks via methods like parse_raw().
+        """
+
+        def is_safe_attribute(self, _obj: Any, _attr: str, _value: Any) -> bool:
+            """Block ALL attribute access for security.
+
+            Only allow accessing variables directly from the context dict,
+            no attribute access on those objects.
+
+            Args:
+                _obj: The object being accessed (unused, always blocked).
+                _attr: The attribute name (unused, always blocked).
+                _value: The attribute value (unused, always blocked).
+
+            Returns:
+                False - all attribute access is blocked.
+            """
+            # Block all attribute access
+            return False
+
+        def is_safe_callable(self, _obj: Any) -> bool:
+            """Block all method calls for security.
+
+            Args:
+                _obj: The object being checked (unused, always blocked).
+
+            Returns:
+                False - all callables are blocked.
+            """
+            return False
+
+        def getattr(self, obj: Any, attribute: str) -> Any:
+            """Override getattr to block all attribute access.
+
+            Args:
+                obj: The object.
+                attribute: The attribute name.
+
+            Returns:
+                Never returns.
+
+            Raises:
+                SecurityError: Always, to block attribute access.
+            """
+            msg = (
+                f"Access to attributes is not allowed in templates. "
+                f"Attempted to access '{attribute}' on {type(obj).__name__}. "
+                f"Use only simple variable names like {{{{variable}}}} "
+                f"without dots or methods."
+            )
+            raise SecurityError(msg)
+
     _HAS_JINJA2 = True
 except ImportError:
     _HAS_JINJA2 = False
@@ -61,14 +118,10 @@ def jinja2_formatter(template: str, /, **kwargs: Any) -> str:
         )
         raise ImportError(msg)
 
-    # This uses a sandboxed environment to prevent arbitrary code execution.
-    # Jinja2 uses an opt-out rather than opt-in approach for sand-boxing.
-    # Please treat this sand-boxing as a best-effort approach rather than
-    # a guarantee of security.
-    # We recommend to never use jinja2 templates with untrusted inputs.
-    # https://jinja.palletsprojects.com/en/3.1.x/sandbox/
-    # approach not a guarantee of security.
-    return SandboxedEnvironment().from_string(template).render(**kwargs)
+    # Use a restricted sandbox that blocks ALL attribute/method access
+    # Only simple variable lookups like {{variable}} are allowed
+    # Attribute access like {{variable.attr}} or {{variable.method()}} is blocked
+    return _RestrictedSandboxedEnvironment().from_string(template).render(**kwargs)
 
 
 def validate_jinja2(template: str, input_variables: list[str]) -> None:
@@ -103,7 +156,7 @@ def _get_jinja2_variables_from_template(template: str) -> set[str]:
             "Please install it with `pip install jinja2`."
         )
         raise ImportError(msg)
-    env = Environment()  # noqa: S701
+    env = _RestrictedSandboxedEnvironment()
     ast = env.parse(template)
     return meta.find_undeclared_variables(ast)
 
@@ -273,6 +326,30 @@ def get_template_variables(template: str, template_format: str) -> list[str]:
         msg = f"Unsupported template format: {template_format}"
         raise ValueError(msg)
 
+    # For f-strings, block attribute access and indexing syntax
+    # This prevents template injection attacks via accessing dangerous attributes
+    if template_format == "f-string":
+        for var in input_variables:
+            # Formatter().parse() returns field names with dots/brackets if present
+            # e.g., "obj.attr" or "obj[0]" - we need to block these
+            if "." in var or "[" in var or "]" in var:
+                msg = (
+                    f"Invalid variable name {var!r} in f-string template. "
+                    f"Variable names cannot contain attribute "
+                    f"access (.) or indexing ([])."
+                )
+                raise ValueError(msg)
+
+            # Block variable names that are all digits (e.g., "0", "100")
+            # These are interpreted as positional arguments, not keyword arguments
+            if var.isdigit():
+                msg = (
+                    f"Invalid variable name {var!r} in f-string template. "
+                    f"Variable names cannot be all digits as they are interpreted "
+                    f"as positional arguments."
+                )
+                raise ValueError(msg)
+
     return sorted(input_variables)
 
 

langchain_core/runnables/graph.py

@@ -641,6 +641,7 @@ class Graph:
         retry_delay: float = 1.0,
         frontmatter_config: dict[str, Any] | None = None,
         base_url: str | None = None,
+        proxies: dict[str, str] | None = None,
     ) -> bytes:
         """Draw the graph as a PNG image using Mermaid.
 
@@ -673,11 +674,10 @@ class Graph:
                 }
                 ```
             base_url: The base URL of the Mermaid server for rendering via API.
-
+            proxies: HTTP/HTTPS proxies for requests (e.g. `{"http": "http://127.0.0.1:7890"}`).
 
         Returns:
             The PNG image as bytes.
-
         """
         # Import locally to prevent circular import
         from langchain_core.runnables.graph_mermaid import (  # noqa: PLC0415
@@ -698,6 +698,7 @@ class Graph:
             padding=padding,
             max_retries=max_retries,
             retry_delay=retry_delay,
+            proxies=proxies,
             base_url=base_url,
         )
 

langchain_core/runnables/graph_mermaid.py

@@ -281,6 +281,7 @@ def draw_mermaid_png(
     max_retries: int = 1,
     retry_delay: float = 1.0,
     base_url: str | None = None,
+    proxies: dict[str, str] | None = None,
 ) -> bytes:
     """Draws a Mermaid graph as PNG using provided syntax.
 
@@ -293,6 +294,7 @@ def draw_mermaid_png(
         max_retries: Maximum number of retries (MermaidDrawMethod.API).
         retry_delay: Delay between retries (MermaidDrawMethod.API).
         base_url: Base URL for the Mermaid.ink API.
+        proxies: HTTP/HTTPS proxies for requests (e.g. `{"http": "http://127.0.0.1:7890"}`).
 
     Returns:
         PNG image bytes.
@@ -314,6 +316,7 @@ def draw_mermaid_png(
             max_retries=max_retries,
             retry_delay=retry_delay,
             base_url=base_url,
+            proxies=proxies,
         )
     else:
         supported_methods = ", ".join([m.value for m in MermaidDrawMethod])
@@ -405,6 +408,7 @@ def _render_mermaid_using_api(
     file_type: Literal["jpeg", "png", "webp"] | None = "png",
     max_retries: int = 1,
     retry_delay: float = 1.0,
+    proxies: dict[str, str] | None = None,
     base_url: str | None = None,
 ) -> bytes:
     """Renders Mermaid graph using the Mermaid.INK API."""
@@ -445,7 +449,7 @@ def _render_mermaid_using_api(
 
     for attempt in range(max_retries + 1):
         try:
-            response = requests.get(image_url, timeout=10)
+            response = requests.get(image_url, timeout=10, proxies=proxies)
             if response.status_code == requests.codes.ok:
                 img_bytes = response.content
                 if output_file_path is not None:

langchain_core/tools/base.py

@@ -386,6 +386,8 @@ class ToolException(Exception):  # noqa: N818
 
 ArgsSchema = TypeBaseModel | dict[str, Any]
 
+_EMPTY_SET: frozenset[str] = frozenset()
+
 
 class BaseTool(RunnableSerializable[str | dict | ToolCall, Any]):
     """Base class for all LangChain tools.
@@ -569,6 +571,11 @@ class ChildTool(BaseTool):
             self.name, full_schema, fields, fn_description=self.description
         )
 
+    @functools.cached_property
+    def _injected_args_keys(self) -> frozenset[str]:
+        # base implementation doesn't manage injected args
+        return _EMPTY_SET
+
     # --- Runnable ---
 
     @override
@@ -649,6 +656,7 @@ class ChildTool(BaseTool):
             if isinstance(input_args, dict):
                 return tool_input
             if issubclass(input_args, BaseModel):
+                # Check args_schema for InjectedToolCallId
                 for k, v in get_all_basemodel_annotations(input_args).items():
                     if _is_injected_arg_type(v, injected_type=InjectedToolCallId):
                         if tool_call_id is None:
@@ -664,6 +672,7 @@ class ChildTool(BaseTool):
                 result = input_args.model_validate(tool_input)
                 result_dict = result.model_dump()
             elif issubclass(input_args, BaseModelV1):
+                # Check args_schema for InjectedToolCallId
                 for k, v in get_all_basemodel_annotations(input_args).items():
                     if _is_injected_arg_type(v, injected_type=InjectedToolCallId):
                         if tool_call_id is None:
@@ -683,9 +692,25 @@ class ChildTool(BaseTool):
                     f"args_schema must be a Pydantic BaseModel, got {self.args_schema}"
                 )
                 raise NotImplementedError(msg)
-            return {
-                k: getattr(result, k) for k, v in result_dict.items() if k in tool_input
+            validated_input = {
+                k: getattr(result, k) for k in result_dict if k in tool_input
             }
+            for k in self._injected_args_keys:
+                if k == "tool_call_id":
+                    if tool_call_id is None:
+                        msg = (
+                            "When tool includes an InjectedToolCallId "
+                            "argument, tool must always be invoked with a full "
+                            "model ToolCall of the form: {'args': {...}, "
+                            "'name': '...', 'type': 'tool_call', "
+                            "'tool_call_id': '...'}"
+                        )
+                        raise ValueError(msg)
+                    validated_input[k] = tool_call_id
+                if k in tool_input:
+                    injected_val = tool_input[k]
+                    validated_input[k] = injected_val
+            return validated_input
         return tool_input
 
     @abstractmethod

langchain_core/tools/structured.py

@@ -2,6 +2,7 @@
 
 from __future__ import annotations
 
+import functools
 import textwrap
 from collections.abc import Awaitable, Callable
 from inspect import signature
@@ -21,10 +22,12 @@ from langchain_core.callbacks import (
 )
 from langchain_core.runnables import RunnableConfig, run_in_executor
 from langchain_core.tools.base import (
+    _EMPTY_SET,
     FILTERED_ARGS,
     ArgsSchema,
     BaseTool,
     _get_runnable_config_param,
+    _is_injected_arg_type,
     create_schema_from_function,
 )
 from langchain_core.utils.pydantic import is_basemodel_subclass
@@ -241,6 +244,17 @@ class StructuredTool(BaseTool):
             **kwargs,
         )
 
+    @functools.cached_property
+    def _injected_args_keys(self) -> frozenset[str]:
+        fn = self.func or self.coroutine
+        if fn is None:
+            return _EMPTY_SET
+        return frozenset(
+            k
+            for k, v in signature(fn).parameters.items()
+            if _is_injected_arg_type(v.annotation)
+        )
+
 
 def _filter_schema_args(func: Callable) -> list[str]:
     filter_args = list(FILTERED_ARGS)

langchain_core/utils/mustache.py

@@ -374,15 +374,29 @@ def _get_key(
                 if resolved_scope in (0, False):
                     return resolved_scope
                 # Move into the scope
-                try:
-                    # Try subscripting (Normal dictionaries)
-                    resolved_scope = cast("dict[str, Any]", resolved_scope)[child]
-                except (TypeError, AttributeError):
+                if isinstance(resolved_scope, dict):
                     try:
-                        resolved_scope = getattr(resolved_scope, child)
-                    except (TypeError, AttributeError):
-                        # Try as a list
-                        resolved_scope = resolved_scope[int(child)]  # type: ignore[index]
+                        resolved_scope = resolved_scope[child]
+                    except (KeyError, TypeError):
+                        # Key not found - will be caught by outer try-except
+                        msg = f"Key {child!r} not found in dict"
+                        raise KeyError(msg) from None
+                elif isinstance(resolved_scope, (list, tuple)):
+                    try:
+                        resolved_scope = resolved_scope[int(child)]
+                    except (ValueError, IndexError, TypeError):
+                        # Invalid index - will be caught by outer try-except
+                        msg = f"Invalid index {child!r} for list/tuple"
+                        raise IndexError(msg) from None
+                else:
+                    # Reject everything else for security
+                    # This prevents traversing into arbitrary Python objects
+                    msg = (
+                        f"Cannot traverse into {type(resolved_scope).__name__}. "
+                        "Mustache templates only support dict, list, and tuple. "
+                        f"Got: {type(resolved_scope)}"
+                    )
+                    raise TypeError(msg)  # noqa: TRY301
 
             try:
                 # This allows for custom falsy data types
@@ -393,8 +407,9 @@ def _get_key(
                 if resolved_scope in (0, False):
                     return resolved_scope
                 return resolved_scope or ""
-        except (AttributeError, KeyError, IndexError, ValueError):
+        except (AttributeError, KeyError, IndexError, ValueError, TypeError):
             # We couldn't find the key in the current scope
+            # TypeError: Attempted to traverse into non-dict/list type
             # We'll try again on the next pass
             pass
 

langchain_core/version.py

@@ -1,3 +1,3 @@
 """langchain-core version information and utilities."""
 
-VERSION = "1.0.5"
+VERSION = "1.0.7"

{langchain_core-1.0.5.dist-info → langchain_core-1.0.7.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: langchain-core
-Version: 1.0.5
+Version: 1.0.7
 Summary: Building applications with LLMs through composability
 Project-URL: Homepage, https://docs.langchain.com/
 Project-URL: Documentation, https://reference.langchain.com/python/langchain_core/

{langchain_core-1.0.5.dist-info → langchain_core-1.0.7.dist-info}/RECORD

@@ -15,7 +15,7 @@ langchain_core/retrievers.py,sha256=SXnCc_85rNcLeMa-SjvkijXpFw-I7SVTWYgV1gJQimg,
 langchain_core/stores.py,sha256=g8aa_VvXf93-Q25QMXX_sBoKC99nu3FtyC4INOUJ3WY,9181
 langchain_core/structured_query.py,sha256=mat7BKovKjckzMn3-I1El49yeGjg3cqk4ptpJHAPA-4,5123
 langchain_core/sys_info.py,sha256=SEFI7XL2qpx1lis6cB45o6ZKtRCZWVXwEngU3UGMgrE,3806
-langchain_core/version.py,sha256=jWWKpYGZRCxjUlsDuTeoAT_Xmifcmm8HFZDQo6Pc1a4,75
+langchain_core/version.py,sha256=cFzsjswCa-CtIr7XINgrfnB5V6ZQT05GwZLHnpGKNV0,75
 langchain_core/_api/__init__.py,sha256=PYm_j7qRRKh5ca0TTra5UF-nko3ieZZZ5EeAFAinm3o,1973
 langchain_core/_api/beta_decorator.py,sha256=IJgG2_kRb2eBmvHfarDjanJY4k1jwoPJWSOHZ5SLB4U,8664
 langchain_core/_api/deprecation.py,sha256=nReAhxZ1dBwLhHdGAaqqRpf7aLQJ1dw4UtqmrRqeNLE,20296
@@ -106,7 +106,7 @@ langchain_core/prompts/image.py,sha256=L_5yGsI68Y0pwthA3AS0mQXFMXtvW_kBRItFS6Vpk
 langchain_core/prompts/loading.py,sha256=hvNsDvqLz5wJA1EywW2wCwKUhJgUzNcIKfp5VEVOEGc,6889
 langchain_core/prompts/message.py,sha256=3BdmchS6Y0DCo5edE-R3qcbSqfpbv_AGwE5UcYZ6gU8,2636
 langchain_core/prompts/prompt.py,sha256=TcQZNc-Y6c7CMJwY1HwMvRYU4NcbMdCw6YS37Tc3pWk,10948
-langchain_core/prompts/string.py,sha256=hTkXW-SoN4vo_PbOlK_RxXzXhoRQQRucCBJ7F0bFuTE,11012
+langchain_core/prompts/string.py,sha256=CAx6sPPXpbHVPe9hwDbmZPKIPxJf4nfvmtGw5xW1CYM,14047
 langchain_core/prompts/structured.py,sha256=Uzh1PBLXzGyZ-4m4W-cMHz8nqL1XmMri8OOkoSSJiq8,5790
 langchain_core/runnables/__init__.py,sha256=efTnFjwN_QSAv5ThLmKuWeu8P1BLARH-cWKZBuimfDM,3858
 langchain_core/runnables/base.py,sha256=vUR1HWB28OkWBWNm03qLCYaewCAWrNguqH9ob-7vJsY,216503
@@ -114,9 +114,9 @@ langchain_core/runnables/branch.py,sha256=Wviy59agVKhbwD_GlMZz-HP5pXZgw5oI5MJb1n
 langchain_core/runnables/config.py,sha256=w2f2BeYbiXIuXxYJCrmSDIh7LgwSyF-7p92W-sxrbKU,19103
 langchain_core/runnables/configurable.py,sha256=1FalcSplZ2EITuV-g-TxMoDiS3eZT32OF33ZLjxftd0,24053
 langchain_core/runnables/fallbacks.py,sha256=60WZ8RoIlE69HsYqAyLncbdh0OhcBxbwvV3NYZogdyk,24468
-langchain_core/runnables/graph.py,sha256=0Zhv5saaIQL1NvfESvkhRIYJGCfJBdrWQZg65jZrK9w,22923
+langchain_core/runnables/graph.py,sha256=7u6LPc6Ih3f6REbyGrRE1R3lacHBTdrt1RPXBAXIdog,23094
 langchain_core/runnables/graph_ascii.py,sha256=F6EzMEL7yWpZxox1fIMvt3v5-uCp6ISbAAkniin9jIc,10333
-langchain_core/runnables/graph_mermaid.py,sha256=k615r8Q641pb_rpjTlmVc5fTlMco-1IIxQI8t3kBceE,16725
+langchain_core/runnables/graph_mermaid.py,sha256=hUy4QLzrd3xPks5x9wAahd9TSbk-pHbrkV2zo8b0IfU,16950
 langchain_core/runnables/graph_png.py,sha256=pdt7_sRPJw38vkKixdb1yYB78kaxIA5ijnAdjJFt3l4,6473
 langchain_core/runnables/history.py,sha256=5vvSniD6rjPai3bnxp2WxyTMW2jSHxqN0cZflnjoJs4,24264
 langchain_core/runnables/passthrough.py,sha256=OwSGfJAz1uh54ORppmrQozMe5xDOpM2iB2HhjGkdnjo,26230
@@ -125,12 +125,12 @@ langchain_core/runnables/router.py,sha256=oY_PZb3Mh5Z7j4eBVMO_sXP_f6EapxV0NHknhd
 langchain_core/runnables/schema.py,sha256=elc_pen9QvLkM2MoH7QqjRMqDS0yylwjvbl_gdeOD5Y,5719
 langchain_core/runnables/utils.py,sha256=NLdqnRI8abuOrLZrSJZcJ1r0MQuVzn983q5EUQAlTmk,22188
 langchain_core/tools/__init__.py,sha256=qe2E9VwZ7hpdkToz96oSJ080a0de9oQwSO9FP1XnmM0,2518
-langchain_core/tools/base.py,sha256=ejOqr0b-gJC1keQ666HgJv0kl_Q-F2WLhFs5UXlk5ts,51395
+langchain_core/tools/base.py,sha256=wkVdCPMFb1o5Vt2a0NL30KLOu59KLpleLa7vdVqHs-o,52537
 langchain_core/tools/convert.py,sha256=xuvdirFB3a3A_qPN14-msXAvVt0dSUPMzD9iQUZzX8E,16258
 langchain_core/tools/render.py,sha256=gD3pXYWjCaDKsYq_MZ-yCRXl1wUJbOh6dJobda9VjYM,1817
 langchain_core/tools/retriever.py,sha256=hPdBhK8QBK2bRpyNMtq7VtA1qnTRQurRMRjPbVDNG-k,3791
 langchain_core/tools/simple.py,sha256=U9R5jIUcZMXKMV5Ezu8G2MX_0ot2nrtvhjgaGHkA53o,6623
-langchain_core/tools/structured.py,sha256=KV9u6S33rI0VBPwpA6ZmPtt08j8LZjMDnEgX5EhiDaw,9205
+langchain_core/tools/structured.py,sha256=jKvolVZCWcdjKCiCY92zyrRqST520T0VmmEnS-HqoEo,9602
 langchain_core/tracers/__init__.py,sha256=Yf0CQ-IcBa8f9lu0wMA_looT6Q8we3C0yd-xMP3c0Sc,1362
 langchain_core/tracers/_streaming.py,sha256=U9pWQDJNUDH4oOYF3zvUMUtgkCecJzXQvfo-wYARmhQ,982
 langchain_core/tracers/base.py,sha256=cywwNDlynmidmhOCQ8A1J0qhnvN_orWNB8z2UjvCEGs,25454
@@ -158,7 +158,7 @@ langchain_core/utils/interactive_env.py,sha256=LBgNICNAwgwDMOdlVD12TtZfSboPOKXaB
 langchain_core/utils/iter.py,sha256=jqtyfA2129a5ftfuRovpUBEslCGaeuiiGr8bkT-iozI,7300
 langchain_core/utils/json.py,sha256=twJgPBf86nwZzZDt3LoLbO5YOutWMt49GxpmG_pAoDQ,6571
 langchain_core/utils/json_schema.py,sha256=d0yHW6D_IoM7sLGOLxSGcSpAnaYROaqbwmjk7XhvZZ4,9071
-langchain_core/utils/mustache.py,sha256=2LgatBIOa1bGU4EaL5xrS076NWqfQkB4Mtencmc3mtQ,21262
+langchain_core/utils/mustache.py,sha256=aSA8olMczoiVgqx7RUZBRdekJxkGdrQyPnstJMdIDQM,22139
 langchain_core/utils/pydantic.py,sha256=-xFQM2DAFy9cPkUHCYP87buXdnIYofeYaqZEs-FbQg8,18474
 langchain_core/utils/strings.py,sha256=DGhj7CxgxcYIdvMu3Ug93BtayNFaRvyIecgIaxZOa1g,1721
 langchain_core/utils/usage.py,sha256=vB674Eu69xDGx6JBJlySp6cnePkxCD0Wz26mi502NAM,1211
@@ -167,6 +167,6 @@ langchain_core/vectorstores/__init__.py,sha256=5P0eoeoH5LHab64JjmEeWa6SxX4eMy-et
 langchain_core/vectorstores/base.py,sha256=ZEY2EBnm5hZciYUTic_f-QoMGLU120jbolIbzZqQmjs,40757
 langchain_core/vectorstores/in_memory.py,sha256=R71jJ5_RCyViyvndLJ6SSwRiiECl6KpVbcVVGPFyUVM,15692
 langchain_core/vectorstores/utils.py,sha256=XXpQ2mxado6vrLmZWVTstcxrurBtoHcBZEORITAHWw0,4931
-langchain_core-1.0.5.dist-info/METADATA,sha256=RPittwRuncOHvKwbUfW1xlDr1CN2ZmsVQ8AbMIg_5XU,3629
-langchain_core-1.0.5.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-langchain_core-1.0.5.dist-info/RECORD,,
+langchain_core-1.0.7.dist-info/METADATA,sha256=DLZXMp4BNz8rZKLE7EBBXoK36AccxNRcbbOqTgxTnwU,3629
+langchain_core-1.0.7.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+langchain_core-1.0.7.dist-info/RECORD,,