Merge pull request #4228 from CodeVigilanteOfficial/fix_rce_eval

Update utils.py (fix dangerous code)
Krish Dholakia 2024-06-17 12:43:29 -07:00 committed by GitHub
commit fcea4c22ad
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -7182,14 +7182,11 @@ def get_secret(
b64_flag = _is_base64(encrypted_secret) b64_flag = _is_base64(encrypted_secret)
if b64_flag == True: # if passed in as encoded b64 string if b64_flag == True: # if passed in as encoded b64 string
encrypted_secret = base64.b64decode(encrypted_secret) encrypted_secret = base64.b64decode(encrypted_secret)
if not isinstance(encrypted_secret, bytes):
# If it's not, assume it's a string and encode it to bytes
ciphertext = eval(
encrypted_secret.encode()
) # assuming encrypted_secret is something like - b'\n$\x00D\xac\xb4/t)07\xe5\xf6..'
else:
ciphertext = encrypted_secret ciphertext = encrypted_secret
else:
raise ValueError(
f"Google KMS requires the encrypted secret to be encoded in base64"
)#fix for this vulnerability https://huntr.com/bounties/ae623c2f-b64b-4245-9ed4-f13a0a5824ce
response = client.decrypt( response = client.decrypt(
request={ request={
"name": litellm._google_kms_resource_name, "name": litellm._google_kms_resource_name,
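Review bot: The f-string in the new `raise ValueError(` branch has no placeholders, so the `f` prefix is dead (ruff F541); use a plain literal, `"Google KMS requires the encrypted secret to be encoded in base64"`. The `#fix for this vulnerability …` comment is fused onto the closing paren of that call; move it to its own line above the `raise` so it reads as documentation, e.g. `# Reject non-base64 input instead of eval()-ing it; see https://huntr.com/bounties/ae623c2f-b64b-4245-9ed4-f13a0a5824ce`. With this change `ciphertext` is only assigned on the base64 branch and the `else` now raises, so the call to `client.decrypt(` can no longer be reached with `ciphertext` unbound — worth a one-line comment stating that invariant next to the assignment. The enclosing function `get_secret` starts before the hunk and continues after it, so whether callers catch the new ValueError is not visible here.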