Review Bandit reported vulnerabilities #5398
CI MESSAGE: [13825705]: BUILD STARTED
CI MESSAGE: [13825705]: BUILD FAILED
CI MESSAGE: [13828118]: BUILD STARTED
f"it requires `magnitude_bin` parameter to select the magnitude from the " | ||
f"`mag_range`.\nError in augmentation: {self}." | ||
f"The augmentation `{self.name}` has `mag_range` specified, " # nosec B608 | ||
f" so when called, it requires `magnitude_bin` parameter to select " |
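Review bot: the `# nosec B608` on the new message line suppresses a false positive rather than a real finding. Bandit's B608 (hardcoded SQL expression) matches string building that looks like `SELECT ... FROM`, and the words `select the magnitude from the` in this f-string are what trigger it; no query is assembled here. A short comment next to the marker saying so would save the next reader a detour, or the message could be reworded (for example `choose the magnitude in`) so the suppression is not needed at all.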
nitpick: there's a double space between `specified,` and `so when` now.
f" so when called, it requires `magnitude_bin` parameter to select " | |
f"so when called, it requires `magnitude_bin` parameter to select " |
Fixed
@@ -141,11 +142,11 @@ def _get_carray_eval_lambda(self, dtype, ndim): | |||
eval_string += "shape[{}]".format(i) | |||
eval_string += ", " if i + 1 != ndim else "), " | |||
eval_string += "dtype=np.{})".format(_to_numpy[dtype]) | |||
return njit(eval(eval_string)) | |||
return njit(ast.literal_eval(eval_string)) |
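Review bot: `ast.literal_eval` cannot evaluate the string assembled in this function and will raise `ValueError` at runtime. The text contains name lookups (`shape[0]`, `np.<dtype>`) and a call, while `literal_eval` accepts only literal structures (strings, bytes, numbers, tuples, lists, dicts, sets, booleans, `None`). Since every piece interpolated here is program-controlled (`ndim` and `_to_numpy[dtype]`), the Bandit B307 finding is better handled by validating those two values before the string is built and keeping `eval` with a `# nosec B307` marker that states why, or by building the allocator as a closure so that no source text is evaluated at all.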
Does that work?
From https://docs.python.org/3/library/ast.html#ast.literal_eval:
The string or node provided may only consist of the following Python literal structures: strings, bytes, numbers, tuples, lists, dicts, sets, booleans, None and Ellipsis.
I'm quite sure it won't work. We're generating code here. The key part is that it's as trusted as the program itself.
Fixed
I am not sure if literal_eval can do what eval does here.
The strings that are built here are very structured, I think we could get away with eval - we don't pass any unsanitized data from the user to the eval here, do we?
Reverted
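The point argued in this thread, as an added example that is neither the PR's nor DALI's code: `ast.literal_eval` rejects the generated allocator source, `eval` works because the source is built only from validated, program-controlled values, and the same allocator can be built as a closure with no `eval` at all. The `lambda shape: np.empty((` prefix, the `_to_numpy` table and the `np` stand-in (so it runs without numpy) are assumptions.

```python
import ast
import types

# Constructed stand-in for numpy so the example runs offline (assumption):
# np.empty(shape, dtype) just records what would have been allocated.
np = types.SimpleNamespace(
    float32="float32",
    int64="int64",
    empty=lambda shape, dtype: (
        "empty",
        tuple(shape) if isinstance(shape, (tuple, list)) else (shape,),
        dtype,
    ),
)
_to_numpy = {"f32": "float32", "i64": "int64"}  # constructed dtype table


def build_eval_string(dtype, ndim):
    """Assemble the allocator source the way the hunk does (prefix assumed)."""
    eval_string = "lambda shape: np.empty(("
    for i in range(ndim):
        eval_string += "shape[{}]".format(i)
        eval_string += ", " if i + 1 != ndim else "), "
    eval_string += "dtype=np.{})".format(_to_numpy[dtype])
    return eval_string


def literal_eval_accepts(source):
    """literal_eval only takes literal structures; names, calls and lambdas raise."""
    try:
        ast.literal_eval(source)
        return True
    except ValueError:
        return False


def eval_allocator(dtype, ndim):
    """What the original code relies on: eval over trusted, generated source."""
    if not isinstance(ndim, int) or ndim < 1 or dtype not in _to_numpy:
        raise ValueError("ndim must be a positive int and dtype a known key")
    source = build_eval_string(dtype, ndim)
    # Only validated values were interpolated; builtins are withheld to shrink
    # the surface further.  A Bandit B307 suppression here would be justified.
    return eval(source, {"__builtins__": {}, "np": np})  # nosec B307


def closure_allocator(dtype, ndim):
    """Same behaviour with no eval: the generated names become plain lookups."""
    np_dtype = getattr(np, _to_numpy[dtype])
    return lambda shape: np.empty(tuple(shape[:ndim]), dtype=np_dtype)
```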
CI MESSAGE: [13828118]: BUILD FAILED
CI MESSAGE: [13834922]: BUILD STARTED
CI MESSAGE: [13834922]: BUILD PASSED
CI MESSAGE: [13848996]: BUILD STARTED
- silence warnings when applicable
- fix usage of python eval

Signed-off-by: Janusz Lisiecki <jlisiecki@nvidia.com>

CI MESSAGE: [13849041]: BUILD STARTED
CI MESSAGE: [13849041]: BUILD PASSED
Category:
Other (e.g. Documentation, Tests, Configuration)
Requirements
REQ IDs: N/A
JIRA TASK: N/A