From b57e76738c53ca82d88658b82f2d82d1c7839c7d Mon Sep 17 00:00:00 2001
From: Massimiliano Pippi <mpippi@gmail.com>
Date: Thu, 27 Feb 2025 22:12:47 +0100
Subject: [PATCH] fix: escape user input before shelling out command (#17953)
---
 llama-index-cli/llama_index/cli/rag/base.py | 10 ++++++----
 llama-index-cli/pyproject.toml | 4 ++--
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/llama-index-cli/llama_index/cli/rag/base.py b/llama-index-cli/llama_index/cli/rag/base.py
index 105362a9e2..204c61cfce 100644
--- a/llama-index-cli/llama_index/cli/rag/base.py
+++ b/llama-index-cli/llama_index/cli/rag/base.py
@@ -1,5 +1,6 @@
 import asyncio
 import os
+import shlex
 import shutil
 from argparse import ArgumentParser
 from glob import iglob
@@ -14,8 +15,8 @@ from llama_index.core import (
 from llama_index.core.base.embeddings.base import BaseEmbedding
 from llama_index.core.base.response.schema import (
 RESPONSE_TYPE,
- StreamingResponse,
 Response,
+ StreamingResponse,
 )
 from llama_index.core.bridge.pydantic import BaseModel, Field, field_validator
 from llama_index.core.chat_engine import CondenseQuestionChatEngine
@@ -159,7 +160,7 @@ class RagCLI(BaseModel):
 if chat_engine is not None:
 return chat_engine
- if values.get("query_pipeline", None) is None:
+ if values.get("query_pipeline") is None:
 values["query_pipeline"] = cls.query_pipeline_from_ingestion_pipeline(
 query_pipeline=None, values=values
 )
@@ -231,7 +232,8 @@ class RagCLI(BaseModel):
 # Append the `--files` argument to the history file
 with open(f"{self.persist_dir}/{RAG_HISTORY_FILE_NAME}", "a") as f:
- f.write(str(files) + "\n")
+ for file in files:
+ f.write(str(file) + "\n")
 if create_llama:
 if shutil.which("npx") is None:
@@ -289,7 +291,7 @@ class RagCLI(BaseModel):
 "none",
 "--engine",
 "context",
- f"--files {path}",
+ f"--files {shlex.quote(path)}",
 ]
 os.system(" ".join(command_args))
diff --git a/llama-index-cli/pyproject.toml b/llama-index-cli/pyproject.toml
index 812b8379f0..0723406f04 100644
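Review bot: The quoting at `f"--files {shlex.quote(path)}"` only closes the hole on POSIX shells: `shlex.quote` emits single-quote quoting for Unix shells (its documentation says so explicitly), and `os.system(" ".join(command_args))` on Windows hands the string to cmd.exe, where a path containing `&`, `|`, `^` or `"` is still interpreted as shell syntax. Because the command is already assembled as a list, the shell can be dropped instead of escaped: pass the path as its own argument, `"--files", path,`, and replace the `os.system` line with `subprocess.run(command_args, check=True)` (adding `import subprocess` next to the new `import shlex`), which needs no quoting on any platform and also raises on a non-zero exit from `npx` where the current code discards the `os.system` return value. The `command_args` list and the enclosing method begin outside this hunk, so the earlier elements, including the `npx` invocation itself, should be checked to be literal strings and the `shutil.which("npx")` guard visible in the previous hunk remains the right place to fail early when the executable is missing.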
--- a/llama-index-cli/pyproject.toml
+++ b/llama-index-cli/pyproject.toml
@@ -14,7 +14,7 @@ disallow_untyped_defs = true
 # Remove venv skip when integrated with pre-commit
 exclude = ["_static", "build", "examples", "notebooks", "venv"]
 ignore_missing_imports = true
-python_version = "3.8"
+python_version = "3.9"
 [tool.poetry]
 authors = ["llamaindex"]
@@ -32,7 +32,7 @@ maintainers = [
 name = "llama-index-cli"
 packages = [{include = "llama_index/"}]
 readme = "README.md"
-version = "0.4.0"
+version = "0.4.1"
 [tool.poetry.dependencies]
 python = ">=3.9,<4.0"
--
GitLab