langroid 0.53.14__py3-none-any.whl → 0.53.15__py3-none-any.whl

langroid/agent/special/table_chat_agent.py

@@ -7,6 +7,13 @@ expression (involving a dataframe `df`) to answer the query.
 The expression is passed via the `pandas_eval` tool/function-call,
 which is handled by the Agent's `pandas_eval` method. This method evaluates
 the expression and returns the result as a string.
+
+WARNING: This Agent should be used only with trusted input, as it can execute system
+commands. 
+
+The `full_eval` flag is false by default, which means that the input is sanitized
+against most common code injection attack vectors. `full_eval` may be set to True to 
+disable sanitization at all. Both cases should be used with caution.
 """
 
 import io
@@ -26,6 +33,7 @@ from langroid.language_models.openai_gpt import OpenAIChatModel, OpenAIGPTConfig
 from langroid.parsing.table_loader import read_tabular_data
 from langroid.prompts.prompts_config import PromptsConfig
 from langroid.utils.constants import DONE, PASS
+from langroid.utils.pandas_utils import sanitize_command
 from langroid.vector_store.base import VectorStoreConfig
 
 logger = logging.getLogger(__name__)
@@ -113,6 +121,9 @@ class TableChatAgentConfig(ChatAgentConfig):
     cache: bool = True  # cache results
     debug: bool = False
     stream: bool = True  # allow streaming where needed
+    full_eval: bool = (
+        False  # runs eval without sanitization. Use only on trusted input!
+    )
     data: str | pd.DataFrame  # data file, URL, or DataFrame
     separator: None | str = None  # separator for data file
     vecdb: None | VectorStoreConfig = None
@@ -204,7 +215,7 @@ class TableChatAgent(ChatAgent):
         """
         self.sent_expression = True
         exprn = msg.expression
-        local_vars = {"df": self.df}
+        vars = {"df": self.df}
         # Create a string-based I/O stream
         code_out = io.StringIO()
 
@@ -212,10 +223,13 @@ class TableChatAgent(ChatAgent):
         sys.stdout = code_out
 
         # Evaluate the last line and get the result;
-        # SECURITY: eval only with empty globals and {"df": df} in locals to
-        # prevent arbitrary Python code execution.
+        # SECURITY MITIGATION: Eval input is sanitized by default to prevent most
+        # common code injection attack vectors.
         try:
-            eval_result = eval(exprn, {}, local_vars)
+            if not self.config.full_eval:
+                exprn = sanitize_command(exprn)
+            code = compile(exprn, "<calc>", "eval")
+            eval_result = eval(code, vars, {})
         except Exception as e:
             eval_result = f"ERROR: {type(e)}: {e}"
 
@@ -226,7 +240,7 @@ class TableChatAgent(ChatAgent):
         sys.stdout = sys.__stdout__
 
         # If df has been modified in-place, save the changes back to self.df
-        self.df = local_vars["df"]
+        self.df = vars["df"]
 
         # Get the resulting string from the I/O stream
         print_result = code_out.getvalue() or ""

langroid/utils/pandas_utils.py

@@ -1,7 +1,287 @@
+import ast
 from typing import Any
 
 import pandas as pd
 
+COMMON_USE_DF_METHODS = {
+    "T",
+    "abs",
+    "add",
+    "add_prefix",
+    "add_suffix",
+    "agg",
+    "aggregate",
+    "align",
+    "all",
+    "any",
+    "apply",
+    "applymap",
+    "at",
+    "at_time",
+    "between_time",
+    "bfill",
+    "clip",
+    "combine",
+    "combine_first",
+    "convert_dtypes",
+    "corr",
+    "corrwith",
+    "count",
+    "cov",
+    "cummax",
+    "cummin",
+    "cumprod",
+    "cumsum",
+    "describe",
+    "diff",
+    "dot",
+    "drop_duplicates",
+    "duplicated",
+    "eq",
+    "eval",
+    "ewm",
+    "expanding",
+    "explode",
+    "filter",
+    "first",
+    "groupby",
+    "head",
+    "idxmax",
+    "idxmin",
+    "infer_objects",
+    "interpolate",
+    "isin",
+    "kurt",
+    "kurtosis",
+    "last",
+    "le",
+    "loc",
+    "lt",
+    "gt",
+    "ge",
+    "iloc",
+    "mask",
+    "max",
+    "mean",
+    "median",
+    "melt",
+    "min",
+    "mode",
+    "mul",
+    "nlargest",
+    "nsmallest",
+    "notna",
+    "notnull",
+    "nunique",
+    "pct_change",
+    "pipe",
+    "pivot",
+    "pivot_table",
+    "prod",
+    "product",
+    "quantile",
+    "query",
+    "rank",
+    "replace",
+    "resample",
+    "rolling",
+    "round",
+    "sample",
+    "select_dtypes",
+    "sem",
+    "shift",
+    "skew",
+    "sort_index",
+    "sort_values",
+    "squeeze",
+    "stack",
+    "std",
+    "sum",
+    "tail",
+    "transform",
+    "transpose",
+    "unstack",
+    "value_counts",
+    "var",
+    "where",
+    "xs",
+}
+
+POTENTIALLY_DANGEROUS_DF_METHODS = {
+    "eval",
+    "query",
+    "apply",
+    "applymap",
+    "pipe",
+    "agg",
+    "aggregate",
+    "transform",
+    "rolling",
+    "expanding",
+    "resample",
+}
+
+WHITELISTED_DF_METHODS = COMMON_USE_DF_METHODS - POTENTIALLY_DANGEROUS_DF_METHODS
+
+
+BLOCKED_KW = {
+    "engine",
+    "parser",
+    "inplace",
+    "regex",
+    "dtype",
+    "converters",
+    "eval",
+}
+MAX_CHAIN = 6
+MAX_DEPTH = 25
+NUMERIC_LIMIT = 1_000_000_000
+
+
+class UnsafeCommandError(ValueError):
+    """Raised when a command string violates security policy."""
+
+    pass
+
+
+def _literal_ok(node: ast.AST) -> bool:
+    """Return True if *node* is a safe literal (and within numeric limit)."""
+    if isinstance(node, ast.Constant):
+        if (
+            isinstance(node.value, (int, float, complex))
+            and abs(node.value) > NUMERIC_LIMIT
+        ):
+            raise UnsafeCommandError("numeric constant exceeds limit")
+        return True
+    if isinstance(node, (ast.Tuple, ast.List)):
+        return all(_literal_ok(elt) for elt in node.elts)
+    if isinstance(node, ast.Slice):
+        return all(
+            sub is None or _literal_ok(sub)
+            for sub in (node.lower, node.upper, node.step)
+        )
+    return False
+
+
+class CommandValidator(ast.NodeVisitor):
+    """AST walker that enforces the security policy."""
+
+    # Comparison operators we allow
+    ALLOWED_CMPOP = (ast.Gt, ast.GtE, ast.Lt, ast.LtE, ast.Eq, ast.NotEq)
+
+    # Arithmetic operators we allow (power ** intentionally omitted)
+    ALLOWED_BINOP = (ast.Add, ast.Sub, ast.Mult, ast.Div, ast.FloorDiv, ast.Mod)
+    ALLOWED_UNARY = (ast.UAdd, ast.USub)
+
+    # Node whitelist
+    ALLOWED_NODES = (
+        ast.Expression,
+        ast.Attribute,
+        ast.Name,
+        ast.Load,
+        ast.Call,
+        ast.Subscript,
+        ast.Constant,
+        ast.Tuple,
+        ast.List,
+        ast.Slice,
+        ast.keyword,
+        ast.BinOp,
+        ast.UnaryOp,
+        ast.Compare,
+        *ALLOWED_BINOP,
+        *ALLOWED_UNARY,
+        *ALLOWED_CMPOP,
+    )
+
+    def __init__(self, df_name: str = "df"):
+        self.df_name = df_name
+        self.depth = 0
+        self.chain = 0
+
+    # Depth guard
+    def generic_visit(self, node: ast.AST) -> None:
+        self.depth += 1
+        if self.depth > MAX_DEPTH:
+            raise UnsafeCommandError("AST nesting too deep")
+        super().generic_visit(node)
+        self.depth -= 1
+
+    # Literal validation
+    def visit_Constant(self, node: ast.Constant) -> None:
+        _literal_ok(node)
+
+    # Arithmetic
+    def visit_BinOp(self, node: ast.BinOp) -> None:
+        if not isinstance(node.op, self.ALLOWED_BINOP):
+            raise UnsafeCommandError("operator not allowed")
+        self.generic_visit(node)
+
+    def visit_UnaryOp(self, node: ast.UnaryOp) -> None:
+        if not isinstance(node.op, self.ALLOWED_UNARY):
+            raise UnsafeCommandError("unary operator not allowed")
+        self.generic_visit(node)
+
+    # Comparisons
+    def visit_Compare(self, node: ast.Compare) -> None:
+        if not all(isinstance(op, self.ALLOWED_CMPOP) for op in node.ops):
+            raise UnsafeCommandError("comparison operator not allowed")
+        for comp in node.comparators:
+            _literal_ok(comp)
+        self.generic_visit(node)
+
+    # Subscripts
+    def visit_Subscript(self, node: ast.Subscript) -> None:
+        if not _literal_ok(node.slice):
+            raise UnsafeCommandError("subscript must be literal")
+        self.generic_visit(node)
+
+    # Method calls
+    def visit_Call(self, node: ast.Call) -> None:
+        if not isinstance(node.func, ast.Attribute):
+            raise UnsafeCommandError("only DataFrame method calls allowed")
+
+        method = node.func.attr
+        self.chain += 1
+        if self.chain > MAX_CHAIN:
+            raise UnsafeCommandError("method-chain too long")
+        if method not in WHITELISTED_DF_METHODS:
+            raise UnsafeCommandError(f"method '{method}' not permitted")
+
+        # kwarg / arg checks
+        for kw in node.keywords:
+            if kw.arg in BLOCKED_KW:
+                raise UnsafeCommandError(f"kwarg '{kw.arg}' is blocked")
+            _literal_ok(kw.value)
+        for arg in node.args:
+            _literal_ok(arg)
+
+        try:
+            self.generic_visit(node)
+        finally:
+            self.chain -= 1
+
+    # Names
+    def visit_Name(self, node: ast.Name) -> None:
+        if node.id != self.df_name:
+            raise UnsafeCommandError(f"unexpected variable '{node.id}'")
+
+    # Top-level gate
+    def visit(self, node: ast.AST) -> None:
+        if not isinstance(node, self.ALLOWED_NODES):
+            raise UnsafeCommandError(f"disallowed node {type(node).__name__}")
+        super().visit(node)
+
+
+def sanitize_command(expr: str, df_name: str = "df") -> str:
+    """
+    Validate *expr*; return it unchanged if it passes all rules,
+    else raise UnsafeCommandError with the first violation encountered.
+    """
+    tree = ast.parse(expr, mode="eval")
+    CommandValidator(df_name).visit(tree)
+    return expr
+
 
 def stringify(x: Any) -> str:
     # Convert x to DataFrame if it is not one already

langroid/vector_store/base.py

@@ -14,7 +14,7 @@ from langroid.utils.algorithms.graph import components, topological_sort
 from langroid.utils.configuration import settings
 from langroid.utils.object_registry import ObjectRegistry
 from langroid.utils.output.printing import print_long_text
-from langroid.utils.pandas_utils import stringify
+from langroid.utils.pandas_utils import sanitize_command, stringify
 from langroid.utils.pydantic_utils import flatten_dict
 
 logger = logging.getLogger(__name__)
@@ -159,11 +159,12 @@ class VectorStore(ABC):
         df = pd.DataFrame(dicts)
 
         try:
-            # SECURITY: Use Python's eval() with NO globals and only {"df": df}
-            # in locals. This allows pandas operations on `df` while preventing
-            # access to builtins or other potentially harmful global functions,
-            # mitigating risks associated with executing untrusted `calc` strings.
-            result = eval(calc, {}, {"df": df})  # type: ignore
+            # SECURITY MITIGATION: Eval input is sanitized to prevent most common
+            # code injection attack vectors.
+            vars = {"df": df}
+            calc = sanitize_command(calc)
+            code = compile(calc, "<calc>", "eval")
+            result = eval(code, vars, {})
         except Exception as e:
             # return error message so LLM can fix the calc string if needed
             err = f"""

{langroid-0.53.14.dist-info → langroid-0.53.15.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: langroid
-Version: 0.53.14
+Version: 0.53.15
 Summary: Harness LLMs with Multi-Agent Programming
 Author-email: Prasad Chalasani <pchalasani@gmail.com>
 License: MIT

{langroid-0.53.14.dist-info → langroid-0.53.15.dist-info}/RECORD

@@ -20,7 +20,7 @@ langroid/agent/special/lance_doc_chat_agent.py,sha256=s8xoRs0gGaFtDYFUSIRchsgDVb
 langroid/agent/special/lance_tools.py,sha256=qS8x4wi8mrqfbYV2ztFzrcxyhHQ0ZWOc-zkYiH7awj0,2105
 langroid/agent/special/relevance_extractor_agent.py,sha256=zIx8GUdVo1aGW6ASla0NPQjYYIpmriK_TYMijqAx3F8,4796
 langroid/agent/special/retriever_agent.py,sha256=o2UfqiCGME0t85SZ6qjK041_WZYqXSuV1SeH_3KtVuc,1931
-langroid/agent/special/table_chat_agent.py,sha256=wC4DWRVMAGfVY33JqP8cNR4kO0dqD8ryjWzAkMFT5j0,9780
+langroid/agent/special/table_chat_agent.py,sha256=WS-E3QqI6Wm67-GNAcfIIl_TW7C-kYzlpd461hwLz6Y,10403
 langroid/agent/special/arangodb/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 langroid/agent/special/arangodb/arangodb_agent.py,sha256=12Y54c84c9qXV-YXRBcI5HaqyiY75JR4TmqlURYKJAM,25851
 langroid/agent/special/arangodb/system_messages.py,sha256=udwfLleTdyz_DuxHuoiv2wHEZoAPBPbwdF_ivjIfP5c,6867
@@ -114,7 +114,7 @@ langroid/utils/git_utils.py,sha256=WnflJ3R3owhlD0LNdSJakcKhExcEehE1UW5jYVQl8JY,7
 langroid/utils/globals.py,sha256=Az9dOFqR6n9CoTYSqa2kLikQWS0oCQ9DFQIQAnG-2q8,1355
 langroid/utils/logging.py,sha256=kmdpj1ozH1apf3o00Zgz-ZT-S4BHqUfF81GkY0Gf578,7262
 langroid/utils/object_registry.py,sha256=iPz9GHzvmCeVoidB3JdAMEKcxJEqTdUr0otQEexDZ5s,2100
-langroid/utils/pandas_utils.py,sha256=UctS986Jtl_MvU5rA7-GfrjEHXP7MNu8ePhepv0bTn0,755
+langroid/utils/pandas_utils.py,sha256=Zz_-dKogZR2Ijw5QNTHC2EcEmzgODPU-2_MVgS3274c,7266
 langroid/utils/pydantic_utils.py,sha256=R7Ps8VP56-eSo-LYHWllFo-SJ2zDmdItuuYpUq2gGJ8,20854
 langroid/utils/system.py,sha256=q3QJtTSapIwNe8MMhGEM03wgxPLmZiD47_sF1pKx53I,8472
 langroid/utils/types.py,sha256=-BvyIf_LmAJ5jR9NC7S4CSVNEr3XayAaxJ5o0TiIej0,2992
@@ -125,7 +125,7 @@ langroid/utils/output/citations.py,sha256=9W0slQQgzRGLS7hU51mm5UWao5cS_xr8AVosVe
 langroid/utils/output/printing.py,sha256=yzPJZN-8_jyOJmI9N_oLwEDfjMwVgk3IDiwnZ4eK_AE,2962
 langroid/utils/output/status.py,sha256=rzbE7mDJcgNNvdtylCseQcPGCGghtJvVq3lB-OPJ49E,1049
 langroid/vector_store/__init__.py,sha256=8ktJUVsVUoc7FMmkUFpFBZu7VMWUqQY9zpm4kEJ8yTs,1537
-langroid/vector_store/base.py,sha256=HDgY2uMwOnoyuySDCXdRK_USPWaFRLhti94B2OP1B_w,14752
+langroid/vector_store/base.py,sha256=uIRz3ZVmqxzuq2V71Kpys_6-j460gGjHXQIAJWJLI78,14675
 langroid/vector_store/chromadb.py,sha256=p9mEqJwO2BrL2jSSXfa23kCPlPOwWpF3xJYd5zoWw_c,8661
 langroid/vector_store/lancedb.py,sha256=Qd20gKjWozPWfW5-D66J6U8dSrJo1yl-maj6s1lbf1c,14688
 langroid/vector_store/meilisearch.py,sha256=6frB7GFWeWmeKzRfLZIvzRjllniZ1cYj3HmhHQICXLs,11663
@@ -133,7 +133,7 @@ langroid/vector_store/pineconedb.py,sha256=otxXZNaBKb9f_H75HTaU3lMHiaR2NUp5MqwLZ
 langroid/vector_store/postgres.py,sha256=wHPtIi2qM4fhO4pMQr95pz1ZCe7dTb2hxl4VYspGZoA,16104
 langroid/vector_store/qdrantdb.py,sha256=O6dSBoDZ0jzfeVBd7LLvsXu083xs2fxXtPa9gGX3JX4,18443
 langroid/vector_store/weaviatedb.py,sha256=Yn8pg139gOy3zkaPfoTbMXEEBCiLiYa1MU5d_3UA1K4,11847
-langroid-0.53.14.dist-info/METADATA,sha256=yo2Whf1Lk_qxKbRRe0uTxO-QiLTlkd7MYQBusvZilbw,64946
-langroid-0.53.14.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-langroid-0.53.14.dist-info/licenses/LICENSE,sha256=EgVbvA6VSYgUlvC3RvPKehSg7MFaxWDsFuzLOsPPfJg,1065
-langroid-0.53.14.dist-info/RECORD,,
+langroid-0.53.15.dist-info/METADATA,sha256=893X5dUY-L85Q0rKwS2Ex6fIH3L_W3TZ0NFqCeMbz4Q,64946
+langroid-0.53.15.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+langroid-0.53.15.dist-info/licenses/LICENSE,sha256=EgVbvA6VSYgUlvC3RvPKehSg7MFaxWDsFuzLOsPPfJg,1065
+langroid-0.53.15.dist-info/RECORD,,