mljar · Oct 9, 2024 · Oct 9, 2024 · Oct 9, 2024 · Oct 9, 2024 · Feb 14, 2025
Showing with 21 additions and 7 deletions.

+6 −0 README.md

+6 −1 plotai/code/executor.py

+8 −5 plotai/plotai.py

+1 −1 setup.py
diff --git a/README.md b/README.md
@@ -23,6 +23,12 @@
 <a href="https://www.linkedin.com/in/aleksandra-p%C5%82o%C5%84ska-42047432/">👩‍💼 LinkedIn</a>
 </p>
 
+## Important securitiy risk
+
+The PlotAI executes code from LLM. It is using `exec()` function for this. 
+
+I commented out the `exec()` function in file `plotai/code/executor.py`. If you understand the security risks you need to remove comment to use the package.
+
 # PlotAI 🎨🤖 
 
 The easiest way to create plots in Python and Matplotlib. The `plotai` is using LLM to generate code and plots.

diff --git a/plotai/code/executor.py b/plotai/code/executor.py
@@ -12,7 +12,12 @@ def run(self, code, globals_env=None, locals_env=None):
                 if not line.startswith("```"):
                     tmp_code += line + "\n"
 
-            exec(tmp_code, globals_env, locals_env)
+            # please be aware of security issue with exec functions
+            # LLM can execute arbitrary code
+            # if you are aware of security issues, please uncomment below line
+
+            # exec(tmp_code, globals_env, locals_env)
+
         except Exception as e:
             return str(e)
         return None
diff --git a/plotai/plotai.py b/plotai/plotai.py
@@ -12,8 +12,9 @@ def __init__(self, *args, **kwargs):
         self.model_version = "gpt-3.5-turbo"
         # DataFrame to plot
         self.df, self.x, self.y, self.z = None, None, None, None
+        self.verbose = True
 
-        for expected_k in ["x", "y", "z", "df", "model_version"]:
+        for expected_k in ["x", "y", "z", "df", "model_version", "verbose"]:
             if expected_k in kwargs:
                 setattr(self, expected_k, kwargs[expected_k])
 
@@ -25,12 +26,14 @@ def __init__(self, *args, **kwargs):
 
     def make(self, prompt):
         p = Prompt(prompt, self.df, self.x, self.y, self.z)
-
-        Logger().log({"title": "Prompt", "details": p.value})
+
+        if self.verbose:
+            Logger().log({"title": "Prompt", "details": p.value})
 
         response = ChatGPT(model=self.model_version).chat(p.value)
-
-        Logger().log({"title": "Response", "details": response})
+
+        if self.verbose:
+            Logger().log({"title": "Response", "details": response})
 
         executor = Executor()
         error = executor.run(response, globals(), {"df":self.df, "x": self.x, "y": self.y, "z": self.z})

diff --git a/setup.py b/setup.py
@@ -10,7 +10,7 @@
 
 setup(
     name="plotai",
-    version="0.0.5",
+    version="0.0.7",
     description="Create plots in Python with AI",
     long_description=long_description,
     long_description_content_type="text/markdown",