Fix security and typo bugs in physchem_filters.py #107
hmacdope merged 2 commits into OpenADMET:main from
Conversation
eval(f"dm.descriptors.{self.name}") is a code injection risk since
self.name comes from user configuration. Using getattr(dm.descriptors,
self.name) achieves the same dynamic attribute lookup safely.
Signed-off-by: Nikolenko.Sergei <Nikolenko.Sergei@icloud.com>
The DistanceFilter.calculate() method called self.set_mols() which does not exist on the class. The correct method is self.get_mols() inherited from the base class, causing an AttributeError at runtime.
Signed-off-by: Nikolenko.Sergei <Nikolenko.Sergei@icloud.com>
Hi @SergeiNikolenko thanks for the contribution. Can I ask what brought you here and what you are hoping to achieve with the toolkit?
Hi @hmacdope! Thank you for getting back to me. I really appreciate the work you’re doing — it’s genuinely exciting and very relevant to what we’re building.
At the moment, I’m going through the codebase to better understand the architecture and design decisions. I may submit some PRs if I find improvements or additions that seem useful.
No problem! Appreciate any and all bug fixes. May I suggest that the core of our work on the modelling side is done over at
Description

Fix two bugs in `openadmet/toolkit/filtering/physchem_filters.py`:

1. Unsafe dynamic code execution in DatamolFilter (line ~504): `eval(f"dm.descriptors.{self.name}")` allows arbitrary code execution through crafted descriptor names. Replaced with safe `getattr(dm.descriptors, self.name)`, which is functionally identical but eliminates the injection risk.
2. AttributeError in ProximityFilter.calculate (line ~215): `self.set_mols(smiles=smiles)` calls a non-existent method. The correct method is `self.get_mols()` (defined in `BaseFilter`). This causes `AttributeError` when `calculate()` is called with `mols=None`.

Status

Developers certificate of origin
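The eval-versus-getattr point from the description, shown as an added example that is not code from this PR or from the OpenADMET toolkit. It assumes a constructed stand-in for the `dm.descriptors` namespace so it runs without datamol, and adds identifier validation on top of the plain `getattr` the PR uses, so that a configured descriptor name can only ever select an existing public callable.

```python
import keyword
from types import SimpleNamespace

# Constructed stand-in for datamol's dm.descriptors namespace (assumption:
# a module whose public attributes are descriptor functions of a molecule).
descriptors = SimpleNamespace(
    mw=lambda mol: 180.16,
    n_hba=lambda mol: 2,
)


def resolve_descriptor_unsafe(ns, name):
    """Mirrors the pattern the PR removed: the configured name is spliced into
    source text and evaluated, so a name containing code is executed rather
    than looked up. Kept only for comparison; never call it with input you
    do not control."""
    return eval(f"ns.{name}")


def resolve_descriptor_safe(ns, name):
    """Hardened lookup: the name must be a plain, public Python identifier,
    and it must resolve to a callable on the namespace. Anything else is a
    configuration error, not something to try to interpret."""
    if not isinstance(name, str) or not name.isidentifier() or keyword.iskeyword(name):
        raise ValueError(f"invalid descriptor name: {name!r}")
    if name.startswith("_"):
        raise ValueError(f"private attribute not allowed: {name!r}")
    fn = getattr(ns, name, None)
    if fn is None or not callable(fn):
        raise ValueError(f"unknown descriptor: {name!r}")
    return fn


def calculate(ns, name, mols):
    """Apply the resolved descriptor to every molecule, the way the filter
    would; mols are SMILES strings here since the stand-in ignores them."""
    fn = resolve_descriptor_safe(ns, name)
    return [fn(m) for m in mols]
```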