
Security Risk: Lack of Filtering for LLM Function Execution

Open glmgbj233 opened this issue 7 months ago • 0 comments

Problem Description

In the file GeniA/genia/llm_function/python_function.py, the evaluate method directly executes user-configured Python classes and methods via reflection, without any filtering or security checks.

Risk Analysis

  1. Arbitrary Code Execution: An attacker could execute arbitrary Python code through a specially crafted function_config parameter.
  2. Privilege Escalation: It might be possible to bypass system privilege restrictions and perform dangerous operations.
  3. Data Leakage: Sensitive data could be accessed or modified.

Steps to Reproduce

  1. Configure a Python class containing a malicious method.
  2. Pass the configuration of this class through the LLM interface.
  3. Observe the method being executed unconditionally.

Suggested Fixes

  1. Implement a method allowlist mechanism.
  2. Add a privilege checking layer.
  3. Strictly validate input parameters.
  4. Consider a sandboxed execution environment.

Relevant Code

import importlib
from typing import Any

# Method excerpt from python_function.py (imports added for context); the class it belongs to is not shown.
def evaluate(self, function_config: dict, parameters: dict) -> Any:
    try:
        # Both the class path and the method name come straight from function_config.
        fq_class_name = function_config.get("class")
        module_name_str, _, class_name = fq_class_name.rpartition(".")
        module = importlib.import_module(module_name_str)
        # class_name = self.sanitize_input(class_name)
        class_obj = getattr(module, class_name)
        if class_obj:
            instance = class_obj()  # Instantiate the class
            method = getattr(instance, function_config.get("method"))  # Get the method object
            return str(method(**parameters))  # Invoke the method
        else:
            self.logger.error("Class %s not found.", class_name)
            raise Exception("function config error: {}".format(function_config))
    except Exception as e:
        error_str = "{}: {}".format(type(e).__name__, str(e))
        self.logger.exception(error_str)
        return error_str

glmgbj233 avatar Jul 04 '25 07:07 glmgbj233
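As an added illustration of suggested fixes 1 and 3 (not code from GeniA or the issue author), the following shows an allowlist-gated variant of evaluate(): the (module, class, method) triple is compared as plain strings against a fixed allowlist before anything is imported or looked up, and parameters are bound against the method signature before the call. The Greeter class, the ALLOWED_FUNCTIONS set and the evaluate_allowlisted name are constructed for this example.

```python
import importlib
import inspect
import logging
from typing import Any

logger = logging.getLogger("allowlist_demo")


class FunctionNotAllowed(Exception):
    """Raised when function_config names a target outside the allowlist."""


class Greeter:
    """Constructed stand-in for a legitimate tool class; not part of GeniA."""

    def greet(self, name: str) -> str:
        return f"hello {name}"


# Constructed allowlist of (module, class, method) triples. In a real
# deployment this is loaded from reviewed configuration at start-up and is
# never derived from model output or request data.
ALLOWED_FUNCTIONS = frozenset({(__name__, "Greeter", "greet")})


def evaluate_allowlisted(function_config: dict, parameters: dict,
                         allowlist: frozenset = ALLOWED_FUNCTIONS) -> Any:
    """Allowlist-gated variant of the evaluate() quoted in the issue.

    The target is checked as strings first, so a config naming an
    unexpected class or method is refused with no import side effects.
    """
    fq_class_name = function_config.get("class")
    method_name = function_config.get("method")
    if not isinstance(fq_class_name, str) or not isinstance(method_name, str):
        raise FunctionNotAllowed("class and method must be strings")
    module_name, _, class_name = fq_class_name.rpartition(".")
    target = (module_name, class_name, method_name)
    if target not in allowlist:
        # Log the refused target so unexpected configs are visible to monitoring.
        logger.warning("refused non-allowlisted function %r", target)
        raise FunctionNotAllowed(f"{fq_class_name}.{method_name} is not allowlisted")
    # Only an allowlisted target reaches the import system and getattr.
    module = importlib.import_module(module_name)
    method = getattr(getattr(module, class_name)(), method_name)
    try:
        inspect.signature(method).bind(**parameters)  # reject unknown/missing args
    except TypeError as exc:
        raise ValueError(f"bad parameters for {method_name}: {exc}") from exc
    return str(method(**parameters))
```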