langroid 0.53.14__tar.gz → 0.53.15__tar.gz

{langroid-0.53.14 → langroid-0.53.15}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: langroid
-Version: 0.53.14
+Version: 0.53.15
 Summary: Harness LLMs with Multi-Agent Programming
 Author-email: Prasad Chalasani <pchalasani@gmail.com>
 License: MIT

{langroid-0.53.14 → langroid-0.53.15}/langroid/agent/special/table_chat_agent.py

@@ -7,6 +7,13 @@ expression (involving a dataframe `df`) to answer the query.
 The expression is passed via the `pandas_eval` tool/function-call,
 which is handled by the Agent's `pandas_eval` method. This method evaluates
 the expression and returns the result as a string.
+
+WARNING: This Agent should be used only with trusted input, as it can execute system
+commands. 
+
+The `full_eval` flag is false by default, which means that the input is sanitized
+against most common code injection attack vectors. `full_eval` may be set to True to 
+disable sanitization at all. Both cases should be used with caution.
 """
 
 import io
@@ -26,6 +33,7 @@ from langroid.language_models.openai_gpt import OpenAIChatModel, OpenAIGPTConfig
 from langroid.parsing.table_loader import read_tabular_data
 from langroid.prompts.prompts_config import PromptsConfig
 from langroid.utils.constants import DONE, PASS
+from langroid.utils.pandas_utils import sanitize_command
 from langroid.vector_store.base import VectorStoreConfig
 
 logger = logging.getLogger(__name__)
@@ -113,6 +121,9 @@ class TableChatAgentConfig(ChatAgentConfig):
     cache: bool = True  # cache results
     debug: bool = False
     stream: bool = True  # allow streaming where needed
+    full_eval: bool = (
+        False  # runs eval without sanitization. Use only on trusted input!
+    )
     data: str | pd.DataFrame  # data file, URL, or DataFrame
     separator: None | str = None  # separator for data file
     vecdb: None | VectorStoreConfig = None
@@ -204,7 +215,7 @@ class TableChatAgent(ChatAgent):
         """
         self.sent_expression = True
         exprn = msg.expression
-        local_vars = {"df": self.df}
+        vars = {"df": self.df}
         # Create a string-based I/O stream
         code_out = io.StringIO()
 
@@ -212,10 +223,13 @@ class TableChatAgent(ChatAgent):
         sys.stdout = code_out
 
         # Evaluate the last line and get the result;
-        # SECURITY: eval only with empty globals and {"df": df} in locals to
-        # prevent arbitrary Python code execution.
+        # SECURITY MITIGATION: Eval input is sanitized by default to prevent most
+        # common code injection attack vectors.
         try:
-            eval_result = eval(exprn, {}, local_vars)
+            if not self.config.full_eval:
+                exprn = sanitize_command(exprn)
+            code = compile(exprn, "<calc>", "eval")
+            eval_result = eval(code, vars, {})
         except Exception as e:
             eval_result = f"ERROR: {type(e)}: {e}"
 
@@ -226,7 +240,7 @@ class TableChatAgent(ChatAgent):
         sys.stdout = sys.__stdout__
 
         # If df has been modified in-place, save the changes back to self.df
-        self.df = local_vars["df"]
+        self.df = vars["df"]
 
         # Get the resulting string from the I/O stream
         print_result = code_out.getvalue() or ""

langroid-0.53.15/langroid/utils/pandas_utils.py

@@ -0,0 +1,310 @@
+import ast
+from typing import Any
+
+import pandas as pd
+
+COMMON_USE_DF_METHODS = {
+    "T",
+    "abs",
+    "add",
+    "add_prefix",
+    "add_suffix",
+    "agg",
+    "aggregate",
+    "align",
+    "all",
+    "any",
+    "apply",
+    "applymap",
+    "at",
+    "at_time",
+    "between_time",
+    "bfill",
+    "clip",
+    "combine",
+    "combine_first",
+    "convert_dtypes",
+    "corr",
+    "corrwith",
+    "count",
+    "cov",
+    "cummax",
+    "cummin",
+    "cumprod",
+    "cumsum",
+    "describe",
+    "diff",
+    "dot",
+    "drop_duplicates",
+    "duplicated",
+    "eq",
+    "eval",
+    "ewm",
+    "expanding",
+    "explode",
+    "filter",
+    "first",
+    "groupby",
+    "head",
+    "idxmax",
+    "idxmin",
+    "infer_objects",
+    "interpolate",
+    "isin",
+    "kurt",
+    "kurtosis",
+    "last",
+    "le",
+    "loc",
+    "lt",
+    "gt",
+    "ge",
+    "iloc",
+    "mask",
+    "max",
+    "mean",
+    "median",
+    "melt",
+    "min",
+    "mode",
+    "mul",
+    "nlargest",
+    "nsmallest",
+    "notna",
+    "notnull",
+    "nunique",
+    "pct_change",
+    "pipe",
+    "pivot",
+    "pivot_table",
+    "prod",
+    "product",
+    "quantile",
+    "query",
+    "rank",
+    "replace",
+    "resample",
+    "rolling",
+    "round",
+    "sample",
+    "select_dtypes",
+    "sem",
+    "shift",
+    "skew",
+    "sort_index",
+    "sort_values",
+    "squeeze",
+    "stack",
+    "std",
+    "sum",
+    "tail",
+    "transform",
+    "transpose",
+    "unstack",
+    "value_counts",
+    "var",
+    "where",
+    "xs",
+}
+
+POTENTIALLY_DANGEROUS_DF_METHODS = {
+    "eval",
+    "query",
+    "apply",
+    "applymap",
+    "pipe",
+    "agg",
+    "aggregate",
+    "transform",
+    "rolling",
+    "expanding",
+    "resample",
+}
+
+WHITELISTED_DF_METHODS = COMMON_USE_DF_METHODS - POTENTIALLY_DANGEROUS_DF_METHODS
+
+
+BLOCKED_KW = {
+    "engine",
+    "parser",
+    "inplace",
+    "regex",
+    "dtype",
+    "converters",
+    "eval",
+}
+MAX_CHAIN = 6
+MAX_DEPTH = 25
+NUMERIC_LIMIT = 1_000_000_000
+
+
+class UnsafeCommandError(ValueError):
+    """Raised when a command string violates security policy."""
+
+    pass
+
+
+def _literal_ok(node: ast.AST) -> bool:
+    """Return True if *node* is a safe literal (and within numeric limit)."""
+    if isinstance(node, ast.Constant):
+        if (
+            isinstance(node.value, (int, float, complex))
+            and abs(node.value) > NUMERIC_LIMIT
+        ):
+            raise UnsafeCommandError("numeric constant exceeds limit")
+        return True
+    if isinstance(node, (ast.Tuple, ast.List)):
+        return all(_literal_ok(elt) for elt in node.elts)
+    if isinstance(node, ast.Slice):
+        return all(
+            sub is None or _literal_ok(sub)
+            for sub in (node.lower, node.upper, node.step)
+        )
+    return False
+
+
+class CommandValidator(ast.NodeVisitor):
+    """AST walker that enforces the security policy."""
+
+    # Comparison operators we allow
+    ALLOWED_CMPOP = (ast.Gt, ast.GtE, ast.Lt, ast.LtE, ast.Eq, ast.NotEq)
+
+    # Arithmetic operators we allow (power ** intentionally omitted)
+    ALLOWED_BINOP = (ast.Add, ast.Sub, ast.Mult, ast.Div, ast.FloorDiv, ast.Mod)
+    ALLOWED_UNARY = (ast.UAdd, ast.USub)
+
+    # Node whitelist
+    ALLOWED_NODES = (
+        ast.Expression,
+        ast.Attribute,
+        ast.Name,
+        ast.Load,
+        ast.Call,
+        ast.Subscript,
+        ast.Constant,
+        ast.Tuple,
+        ast.List,
+        ast.Slice,
+        ast.keyword,
+        ast.BinOp,
+        ast.UnaryOp,
+        ast.Compare,
+        *ALLOWED_BINOP,
+        *ALLOWED_UNARY,
+        *ALLOWED_CMPOP,
+    )
+
+    def __init__(self, df_name: str = "df"):
+        self.df_name = df_name
+        self.depth = 0
+        self.chain = 0
+
+    # Depth guard
+    def generic_visit(self, node: ast.AST) -> None:
+        self.depth += 1
+        if self.depth > MAX_DEPTH:
+            raise UnsafeCommandError("AST nesting too deep")
+        super().generic_visit(node)
+        self.depth -= 1
+
+    # Literal validation
+    def visit_Constant(self, node: ast.Constant) -> None:
+        _literal_ok(node)
+
+    # Arithmetic
+    def visit_BinOp(self, node: ast.BinOp) -> None:
+        if not isinstance(node.op, self.ALLOWED_BINOP):
+            raise UnsafeCommandError("operator not allowed")
+        self.generic_visit(node)
+
+    def visit_UnaryOp(self, node: ast.UnaryOp) -> None:
+        if not isinstance(node.op, self.ALLOWED_UNARY):
+            raise UnsafeCommandError("unary operator not allowed")
+        self.generic_visit(node)
+
+    # Comparisons
+    def visit_Compare(self, node: ast.Compare) -> None:
+        if not all(isinstance(op, self.ALLOWED_CMPOP) for op in node.ops):
+            raise UnsafeCommandError("comparison operator not allowed")
+        for comp in node.comparators:
+            _literal_ok(comp)
+        self.generic_visit(node)
+
+    # Subscripts
+    def visit_Subscript(self, node: ast.Subscript) -> None:
+        if not _literal_ok(node.slice):
+            raise UnsafeCommandError("subscript must be literal")
+        self.generic_visit(node)
+
+    # Method calls
+    def visit_Call(self, node: ast.Call) -> None:
+        if not isinstance(node.func, ast.Attribute):
+            raise UnsafeCommandError("only DataFrame method calls allowed")
+
+        method = node.func.attr
+        self.chain += 1
+        if self.chain > MAX_CHAIN:
+            raise UnsafeCommandError("method-chain too long")
+        if method not in WHITELISTED_DF_METHODS:
+            raise UnsafeCommandError(f"method '{method}' not permitted")
+
+        # kwarg / arg checks
+        for kw in node.keywords:
+            if kw.arg in BLOCKED_KW:
+                raise UnsafeCommandError(f"kwarg '{kw.arg}' is blocked")
+            _literal_ok(kw.value)
+        for arg in node.args:
+            _literal_ok(arg)
+
+        try:
+            self.generic_visit(node)
+        finally:
+            self.chain -= 1
+
+    # Names
+    def visit_Name(self, node: ast.Name) -> None:
+        if node.id != self.df_name:
+            raise UnsafeCommandError(f"unexpected variable '{node.id}'")
+
+    # Top-level gate
+    def visit(self, node: ast.AST) -> None:
+        if not isinstance(node, self.ALLOWED_NODES):
+            raise UnsafeCommandError(f"disallowed node {type(node).__name__}")
+        super().visit(node)
+
+
+def sanitize_command(expr: str, df_name: str = "df") -> str:
+    """
+    Validate *expr*; return it unchanged if it passes all rules,
+    else raise UnsafeCommandError with the first violation encountered.
+    """
+    tree = ast.parse(expr, mode="eval")
+    CommandValidator(df_name).visit(tree)
+    return expr
+
+
+def stringify(x: Any) -> str:
+    # Convert x to DataFrame if it is not one already
+    if isinstance(x, pd.Series):
+        df = x.to_frame()
+    elif not isinstance(x, pd.DataFrame):
+        return str(x)
+    else:
+        df = x
+
+    # Truncate long text columns to 1000 characters
+    for col in df.columns:
+        if df[col].dtype == object:
+            df[col] = df[col].apply(
+                lambda item: (
+                    (item[:1000] + "...")
+                    if isinstance(item, str) and len(item) > 1000
+                    else item
+                )
+            )
+
+    # Limit to 10 rows
+    df = df.head(10)
+
+    # Convert to string
+    return df.to_string(index=False)  # type: ignore

{langroid-0.53.14 → langroid-0.53.15}/langroid/vector_store/base.py

@@ -14,7 +14,7 @@ from langroid.utils.algorithms.graph import components, topological_sort
 from langroid.utils.configuration import settings
 from langroid.utils.object_registry import ObjectRegistry
 from langroid.utils.output.printing import print_long_text
-from langroid.utils.pandas_utils import stringify
+from langroid.utils.pandas_utils import sanitize_command, stringify
 from langroid.utils.pydantic_utils import flatten_dict
 
 logger = logging.getLogger(__name__)
@@ -159,11 +159,12 @@ class VectorStore(ABC):
         df = pd.DataFrame(dicts)
 
         try:
-            # SECURITY: Use Python's eval() with NO globals and only {"df": df}
-            # in locals. This allows pandas operations on `df` while preventing
-            # access to builtins or other potentially harmful global functions,
-            # mitigating risks associated with executing untrusted `calc` strings.
-            result = eval(calc, {}, {"df": df})  # type: ignore
+            # SECURITY MITIGATION: Eval input is sanitized to prevent most common
+            # code injection attack vectors.
+            vars = {"df": df}
+            calc = sanitize_command(calc)
+            code = compile(calc, "<calc>", "eval")
+            result = eval(code, vars, {})
         except Exception as e:
             # return error message so LLM can fix the calc string if needed
             err = f"""

{langroid-0.53.14 → langroid-0.53.15}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "langroid"
-version = "0.53.14"
+version = "0.53.15"
 authors = [
     {name = "Prasad Chalasani", email = "pchalasani@gmail.com"},
 ]

langroid-0.53.14/langroid/utils/pandas_utils.py

@@ -1,30 +0,0 @@
-from typing import Any
-
-import pandas as pd
-
-
-def stringify(x: Any) -> str:
-    # Convert x to DataFrame if it is not one already
-    if isinstance(x, pd.Series):
-        df = x.to_frame()
-    elif not isinstance(x, pd.DataFrame):
-        return str(x)
-    else:
-        df = x
-
-    # Truncate long text columns to 1000 characters
-    for col in df.columns:
-        if df[col].dtype == object:
-            df[col] = df[col].apply(
-                lambda item: (
-                    (item[:1000] + "...")
-                    if isinstance(item, str) and len(item) > 1000
-                    else item
-                )
-            )
-
-    # Limit to 10 rows
-    df = df.head(10)
-
-    # Convert to string
-    return df.to_string(index=False)  # type: ignore