From ef87a75f7709d0dc06d189a262c219ddf83d6123 Mon Sep 17 00:00:00 2001
From: CodeVigilante
Date: Sun, 16 Jun 2024 22:49:28 +0200
Subject: [PATCH] Update utils.py fix dangerous code for this vulnerability https://huntr.com/bounties/ae623c2f-b64b-4245-9ed4-f13a0a5824ce
---
 litellm/utils.py | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/litellm/utils.py b/litellm/utils.py
index 6bc33d73d..df18fc19b 100644
--- a/litellm/utils.py
+++ b/litellm/utils.py
@@ -7174,14 +7174,11 @@ def get_secret(
 b64_flag = _is_base64(encrypted_secret)
 if b64_flag == True: # if passed in as encoded b64 string
 encrypted_secret = base64.b64decode(encrypted_secret)
- if not isinstance(encrypted_secret, bytes):
- # If it's not, assume it's a string and encode it to bytes
- ciphertext = eval(
- encrypted_secret.encode()
- ) # assuming encrypted_secret is something like - b'\n$\x00D\xac\xb4/t)07\xe5\xf6..'
- else:
 ciphertext = encrypted_secret
-
+ else:
+ raise ValueError(
+ f"Google KMS requires the encrypted secret to be encoded in base64"
+ )#fix for this vulnerability https://huntr.com/bounties/ae623c2f-b64b-4245-9ed4-f13a0a5824ce
 response = client.decrypt(
 request={
 "name": litellm._google_kms_resource_name,
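Review bot: The new `else:` branch raises for every value that `_is_base64` rejects, which also turns away a raw `bytes` ciphertext that the removed `else` accepted without any `eval`; depending on what `_is_base64` does with `bytes` (not visible here), callers that hand in the decoded ciphertext directly — the shape the deleted comment describes — now fail, so consider keeping that path as `elif isinstance(encrypted_secret, bytes): ciphertext = encrypted_secret` ahead of the `raise`. Removing `eval` is the right call, since the secret value comes from the environment or config and is untrusted input, and `eval` on it is arbitrary code execution in the process holding the KMS credentials. Two style points on the added lines: the message is an f-string with no placeholders, so a plain string literal suffices, and the trailing comment is glued to the closing paren — `)  # removed eval() on the secret; see https://huntr.com/bounties/ae623c2f-b64b-4245-9ed4-f13a0a5824ce`. `get_secret` starts and ends outside this hunk, so the error message could also name the secret being fetched if that name is in scope.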