Skip to content

Mint security eval fix #11273

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 11 commits into
base: main
Choose a base branch
from
Open

Mint security eval fix #11273

wants to merge 11 commits into from
+1 −1

Conversation

juanmichelini
Copy link
Contributor

Changed eval call for ast.literal_eval call to fix Vulnerability report.

  • This change is worth documenting at https://docs.all-hands.dev/
  • Include this change in the Release Notes. If checked, you must provide an end-user friendly description for your change below

End-user friendly description of the problem this fixes or functionality this introduces.

Summarize what the PR does, explaining any non-trivial design decisions.

Link of any specific issues this addresses:

xingyaoww
xingyaoww requested changes Oct 7, 2025
View reviewed changes
Copy link
Collaborator

@xingyaoww xingyaoww left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually i think this probably won't work since this is intentionally executing code

@juanmichelini
Copy link
Contributor Author

Actually i think this probably won't work since this is intentionally executing code

my bad, took the comment
# Converting the string answer to a number/list/bool/option
literlly.

I understand then that it is executing code like 1+2, and then converts it to 3?

xingyaoww
xingyaoww approved these changes Oct 7, 2025
View reviewed changes
Copy link
Collaborator

@xingyaoww xingyaoww left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh my bad, actually look through this again, @juanmichelini you are probably right 😭

@xingyaoww xingyaoww enabled auto-merge (squash) October 7, 2025 19:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rbren rbren rbren approved these changes

@xingyaoww xingyaoww xingyaoww approved these changes

@neubig neubig Awaiting requested review from neubig neubig is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@juanmichelini @rbren @xingyaoww @neubig