langchain/tests/integration_tests/utilities
Jamal a2f191a322
Replace JIRA Arbitrary Code Execution vulnerability with finer grain API wrapper (#6992)
This fixes #4833 and the critical vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2023-34540

Previously, the JIRA API Wrapper had a mode that simply pipelined user
input into an `exec()` function.
[The intended use of the 'other' mode is to cover any of Atlassian's APIs
that don't have an existing
interface](cc33bde74f/langchain/tools/jira/prompt.py (L24))

Fortunately all of the [Atlassian JIRA API methods are subfunctions of
their `Jira`
class](https://atlassian-python-api.readthedocs.io/jira.html), so this
implementation calls these subfunctions directly.

As well as passing a string representation of the function to call, the
implementation flexibly allows for optionally passing args and/or
keyword-args. These are given as part of the dictionary input. Example:
```
    {
        "function": "update_issue_field",   #function to execute
        "args": [                           #list of ordered args similar to other examples in this JiraAPIWrapper
            "key",
            {"summary": "New summary"}
        ],
        "kwargs": {}                        #dict of key value keyword-args pairs
    }
```

The above is equivalent to `self.jira.update_issue_field("key",
{"summary": "New summary"})`.

Alternate query schema designs are welcome to make querying easier
without passing and evaluating arbitrary python code. I considered
parsing (without evaluating) input python code and extracting the
function, args, and kwargs from there and then pipelining them into the
callable function via `f(*args, **kwargs)` - but this seemed more
direct.

@vowelparrot @dev2049

---------

Co-authored-by: Jamal Rahman <jamal.rahman@builder.ai>
2023-07-05 15:56:01 -04:00
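
The dispatch the commit message describes, sketched as an added example that is not LangChain's own code. `FakeJira` is a hypothetical stand-in for `atlassian.Jira`, and `ALLOWED_FUNCTIONS`, `run_other` and `try_run` are assumed names; the allowlist is an added hardening assumption, since a bare `getattr` lookup on caller-supplied names would also resolve private and dunder attributes.

```python
import json

class FakeJira:
    """Hypothetical stand-in for atlassian.Jira so the example runs offline."""
    def __init__(self):
        self.issues = {"PROJ-1": {"summary": "Old summary"}}  # constructed data

    def update_issue_field(self, key, fields):
        self.issues[key].update(fields)
        return self.issues[key]

    def delete_issue(self, key):  # present on the client, not allowlisted below
        return self.issues.pop(key)

# Assumption: an explicit allowlist, not part of the commit described above.
ALLOWED_FUNCTIONS = frozenset({"update_issue_field"})

def run_other(jira, query: str):
    """Dispatch {"function", "args", "kwargs"} to a client method without exec()."""
    try:
        params = json.loads(query)  # data only: nothing in the input is evaluated
    except json.JSONDecodeError as exc:
        raise ValueError(f"query is not valid JSON: {exc}") from exc
    if not isinstance(params, dict):
        raise ValueError("query must be a JSON object")
    name = params.get("function")
    args = params.get("args", [])
    kwargs = params.get("kwargs", {})
    if not isinstance(name, str) or name not in ALLOWED_FUNCTIONS:
        raise ValueError(f"function {name!r} is not permitted")
    if not isinstance(args, list) or not isinstance(kwargs, dict):
        raise ValueError("args must be a list and kwargs an object")
    method = getattr(jira, name)
    if not callable(method):
        raise ValueError(f"{name!r} is not callable")
    return method(*args, **kwargs)

def try_run(jira, query: str):
    """Return (ok, result_or_error_message) so callers can log rejections."""
    try:
        return True, run_other(jira, query)
    except (ValueError, TypeError) as exc:
        return False, str(exc)
```

Input that is Python source rather than a JSON object is rejected at the parse step, so the old `exec()` path has no equivalent here.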
..
__init__.py
test_arxiv.py ArxivAPIWrapper - doc_content_chars_max (#6063) 2023-06-15 22:16:42 -07:00
test_duckduckdgo_search_api.py Align names of search tools (#3620) 2023-04-26 16:21:34 -07:00
test_googlesearch_api.py Support params on GoogleSearchApiWrapper (#6810) (#7014) 2023-07-02 01:18:38 -06:00
test_googleserper_api.py Harrison/serper api bug (#4902) 2023-05-17 21:40:39 -07:00
test_jira_api.py Replace JIRA Arbitrary Code Execution vulnerability with finer grain API wrapper (#6992) 2023-07-05 15:56:01 -04:00
test_openweathermap.py
test_powerbi_api.py power bi api wrapper integration tests & bug fix (#4983) 2023-05-19 11:25:52 -04:00
test_pupmed.py Harrison/pubmed integration (#5664) 2023-06-03 16:25:28 -07:00
test_serpapi.py
test_twilio.py Tedma4/twilio tool (#5136) 2023-05-25 19:19:22 -07:00
test_wikipedia_api.py added Wikipedia document loader (#4141) 2023-05-06 09:32:45 -07:00
test_wolfram_alpha_api.py