
Commit f920722

jsondaicopybara-github
authored andcommitted
fix: GenAI Client(evals) - patch for vulnerability in visualization
PiperOrigin-RevId: 840870138
1 parent 3eb38bf commit f920722


1 file changed

+7
-3
lines changed


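--- a/vertexai/_genai/_evals_visualization.py
+++ b/vertexai/_genai/_evals_visualization.py
@@ -14,6 +14,7 @@
 #
 """Visualization utilities for GenAI Evaluation SDK."""
 
+import base64
 import json
 import logging
 from typing import Any, Optional
@@ -80,6 +81,7 @@ def stringify_cell(cell: Any) -> Optional[str]:
 
 def _get_evaluation_html(eval_result_json: str) -> str:
 """Returns a self-contained HTML for single evaluation visualization."""
+payload_b64 = base64.b64encode(eval_result_json.encode("utf-8")).decode("utf-8")
 return f"""
 <!DOCTYPE html>
 <html>
@@ -254,7 +256,7 @@ def _get_evaluation_html(eval_result_json: str) -> str:
 <div id="details-section"></div>
 </div>
 <script>
-var vizData_vertex_eval_sdk = {eval_result_json};
+var vizData_vertex_eval_sdk = JSON.parse(atob("{payload_b64}"));
 function formatDictVals(obj) {{
 if (typeof obj === 'string') return obj;
 if (obj === undefined || obj === null) return '';
@@ -556,6 +558,7 @@ def _get_evaluation_html(eval_result_json: str) -> str:
 
 def _get_comparison_html(eval_result_json: str) -> str:
 """Returns a self-contained HTML for a side-by-side eval comparison."""
+payload_b64 = base64.b64encode(eval_result_json.encode("utf-8")).decode("utf-8")
 return f"""
 <!DOCTYPE html>
 <html>
@@ -616,7 +619,7 @@ def _get_comparison_html(eval_result_json: str) -> str:
 <div id="details-section"></div>
 </div>
 <script>
-var vizData_vertex_eval_sdk = {eval_result_json};
+var vizData_vertex_eval_sdk = JSON.parse(atob("{payload_b64}"));
 function renderSummary(summaryMetrics, metadata) {{
 const container = document.getElementById('summary-section');
 if (!summaryMetrics || summaryMetrics.length === 0) {{ container.innerHTML = '<h2>Summary Metrics</h2><p>No summary metrics.</p>'; return; }}
@@ -696,6 +699,7 @@ def _get_comparison_html(eval_result_json: str) -> str:
 
 def _get_inference_html(dataframe_json: str) -> str:
 """Returns a self-contained HTML for displaying inference results."""
+payload_b64 = base64.b64encode(dataframe_json.encode("utf-8")).decode("utf-8")
 return f"""
 <!DOCTYPE html>
 <html>
@@ -746,7 +750,7 @@ def _get_inference_html(dataframe_json: str) -> str:
 <div id="results-table"></div>
 </div>
 <script>
-var vizData_vertex_eval_sdk = {dataframe_json};
+var vizData_vertex_eval_sdk = JSON.parse(atob("{payload_b64}"));
 var container_vertex_eval_sdk = document.getElementById('results-table');
 
 function renderRubrics(cellValue) {{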
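Review bot: `JSON.parse(atob("{payload_b64}"))` in `_get_evaluation_html`, `_get_comparison_html` and `_get_inference_html` decodes the payload as one character per byte, while the Python side encodes it as UTF-8, so any non-ASCII character that reaches the JSON unescaped will come out garbled; decoding the bytes explicitly avoids that, e.g. `JSON.parse(new TextDecoder().decode(Uint8Array.from(atob("{payload_b64}"), c => c.charCodeAt(0))))`. Whether this bites depends on how the callers serialise the data (an ASCII-escaping `json.dumps` would mask it), which is not visible in these hunks. The encoding itself does close the script-context injection, because the base64 alphabet cannot terminate the string literal or the `<script>` element, and a one-line comment saying so above each `payload_b64 = ...` assignment would keep a later cleanup from reverting to direct interpolation. The decoded values remain untrusted at render time: the render functions continue outside the hunks, and any of them that write data fields through `innerHTML` (as `renderSummary` does for its static message) should escape those fields or use `textContent`.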
