Skip to content

fix(trip_planner): replace unsafe eval() in calculator tool with AST … #118

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
sanjaysaini383 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(trip_planner): replace unsafe eval() in calculator tool with AST … #118

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,10 @@ All notable changes to this repository are documented in this file.
- Missing `README.md` for `duffel-agent`, `deploy-agent-on-av`


### Fixed

- `Crewai-agents/trip_planner/tools/calculator_tools.py`: replace unsafe `eval()` in `CalculatorTools.calculate` with AST-based math evaluation so LLM-supplied input cannot execute arbitrary Python code

### Changed

- `README.md` rewritten with project overview, quickstart guide, categorized examples index table, folder structure, Docker instructions, and resource links
Expand Down
41 changes: 38 additions & 3 deletions Crewai-agents/trip_planner/tools/calculator_tools.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,15 +1,50 @@
import ast
import operator
import re
from langchain.tools import tool

_ALLOWED_CHARS = re.compile(r"^[0-9+\-*/().\s]+$")
_BIN_OPS = {
ast.Add: operator.add,
ast.Sub: operator.sub,
ast.Mult: operator.mul,
ast.Div: operator.truediv,
}


def _eval_math_node(node: ast.AST) -> float:
if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
return float(node.value)
if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
left = _eval_math_node(node.left)
right = _eval_math_node(node.right)
if isinstance(node.op, ast.Div) and right == 0:
raise ZeroDivisionError("division by zero")
return _BIN_OPS[type(node.op)](left, right)
if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
return -_eval_math_node(node.operand)
raise ValueError("unsupported expression")


def _safe_eval_math(expression: str) -> float:
expr = expression.strip()
if not expr or not _ALLOWED_CHARS.match(expr):
raise ValueError("invalid characters")
tree = ast.parse(expr, mode="eval")
return _eval_math_node(tree.body)


class CalculatorTools:
@tool("Make a calculation")
def calculate(operation):
def calculate(operation: str):
"""Useful to perform any mathematical calculations,
like sum, minus, multiplication, division, etc.
The input to this tool should be a mathematical
expression, a couple examples are `200*7` or `5000/2*10`
"""
try:
return eval(operation)
except SyntaxError:
return _safe_eval_math(operation)
except ZeroDivisionError:
return "Error: Division by zero"
except (SyntaxError, ValueError, TypeError, OverflowError):
return "Error: Invalid syntax in mathematical expression"