Merge pull request #4228 from CodeVigilanteOfficial/fix_rce_eval

Update utils.py (fix dangerous code)
2024-06-17 12:43:29 -07:00 · 2024-06-17 12:43:29 -07:00 · fcea4c22ad
commit fcea4c22ad
parent 2b9e9533b8 ef87a75f77
1 changed files with 4 additions and 7 deletions
--- a/litellm/utils.py
+++ b/litellm/utils.py
@ -7182,14 +7182,11 @@ def get_secret(
                    b64_flag = _is_base64(encrypted_secret)
                    if b64_flag == True:  # if passed in as encoded b64 string
                        encrypted_secret = base64.b64decode(encrypted_secret)
-                    if not isinstance(encrypted_secret, bytes):
-                        # If it's not, assume it's a string and encode it to bytes
-                        ciphertext = eval(
-                            encrypted_secret.encode()
-                        )  # assuming encrypted_secret is something like - b'\n$\x00D\xac\xb4/t)07\xe5\xf6..'
-                    else:
                        ciphertext = encrypted_secret
-
+                    else:
+                        raise ValueError(
+                            f"Google KMS requires the encrypted secret to be encoded in base64"
+                        )#fix for this vulnerability https://huntr.com/bounties/ae623c2f-b64b-4245-9ed4-f13a0a5824ce
                    response = client.decrypt(
                        request={
                            "name": litellm._google_kms_resource_name,