Merge pull request #241 from griptape-ai:fix/security

Fix/security
griptape-ai · Jan 26, 2025 · d5764d0 · d5764d0
2 parents 68f5422 + 4e737df
commit d5764d0
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed 
 ### Security   -->
 
+## [2.1.16] - 2025-26-01
+### Changed
+- Modified RAG code to not use `eval` cmd due to security concerns.
+### Fixed
+- Fixed issue with Griptape Cloud Structure node not being created.
+
 ## [2.1.15] - 2025-26-01
 ### Added
 - **Griptape Serper Web Driver** based on the Griptape Extension https://github.com/mertdeveci5/griptape-serper-driver-extension.

diff --git a/js/gtUIUtils.js b/js/gtUIUtils.js
@@ -141,7 +141,8 @@ export function gtUIAddUrlButtonWidget(
   widgetName
 ) {
   chainCallback(nodeType.prototype, "onNodeCreated", function () {
-    const buttonCallback = createUrlCallback(baseurl);
+    let buttonCallback = createUrlCallback(baseurl);
+    console.log(widgetName);
     if (widgetName != "") {
       buttonCallback = createUrlCallbackWithWidget(baseurl, widgetName, this);
     }

diff --git a/nodes/rag/gtUIBaseRagModule.py b/nodes/rag/gtUIBaseRagModule.py
@@ -1,3 +1,4 @@
+import ast
 from typing import Any, Tuple
 
 from griptape.engines.rag.modules import BaseRagModule
@@ -31,7 +32,9 @@ def ensure_dict(self, params):
         elif isinstance(params, str):
             # Try to evaluate the string as a dictionary
             try:
-                return eval(f"dict({params})")
+                # Convert string to AST
+                tree = ast.literal_eval(f"dict({params})")
+                return tree
             except Exception:
                 # If evaluation fails, try to parse it as JSON
                 import json

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "comfyui-griptape"
-version = "2.1.15"
+version = "2.1.16"
 description = "Griptape LLM(Large Language Model) Nodes for ComfyUI."
 authors = ["Jason Schleifer <[email protected]>"]
 readme = "README.md"
@@ -9,7 +9,7 @@ readme = "README.md"
 [project]
 name = "comfyui-griptape"
 description = "Griptape LLM(Large Language Model) Nodes for ComfyUI."
-version = "2.1.15" 
+version = "2.1.16" 
 license = {file = "LICENSE"}
 dependencies = ["attrs>=24.3.0,<25.0.0", "openai>=1.58.1,<2.0.0", "griptape[all]>=1.1.3", "python-dotenv", "poetry==1.8.5", "griptape-black-forest @ git+https://github.com/griptape-ai/griptape-black-forest.git", "griptape_serper_driver_extension @ git+https://github.com/mertdeveci5/griptape-serper-driver-extension.git"]