Ea001 38cefd88e2 Fix tag_feas code injection in retrieval ranking (#13923) ...

## Summary
- remove eval-based parsing from retrieval rank feature scoring
- validate `tag_feas` at write time in chunk APIs and SDK routes
- add regression tests for safe parsing and malicious payload rejection

## Details
`tag_feas` is intended to be structured rank-feature data, but the
retrieval ranking path was evaluating stored values as Python
expressions. This change treats `tag_feas` strictly as data.

### What changed
- replace `eval()` in `rag/nlp/search.py` with safe parsing via
`json.loads()` and optional `ast.literal_eval()` compatibility for
legacy Python-dict strings
- strictly filter parsed values down to `dict[str, finite number]`
- reject invalid `tag_feas` payloads at write time in web chunk routes
and SDK document chunk routes
- add focused regression tests to prove executable strings are ignored
and invalid payloads are rejected

## Validation
- `python -m pytest test/unit_test/common/test_tag_feature_utils.py
test/unit_test/rag/test_rank_feature_scores.py -q`

---------

Co-authored-by: unknown <zhenglinkai@CCN.Local>
Co-authored-by: Yingfeng Zhang <yingfeng.zhang@gmail.com>

2026-04-15 16:31:11 +08:00

..

apps

Fix tag_feas code injection in retrieval ranking (#13923)

2026-04-15 16:31:11 +08:00

common

Feat：admin api (#10642)

2025-10-18 16:09:48 +08:00

db

fix(dialog): restore decorated answer in async_ask final SSE event (#13917)

2026-04-15 14:10:36 +08:00

utils

Refactor: Merge document update API (#13962)

2026-04-09 11:17:38 +08:00

__init__.py

Fix: incorrect async chat streamly output (#11679)

2025-12-03 11:15:45 +08:00

constants.py

Feat/memory (#11812)

2025-12-10 13:34:08 +08:00

ragflow_server.py

Disable flask and quart debug (#14042)

2026-04-10 18:01:49 +08:00

settings.py

Move api.settings to common.settings (#11036)

2025-11-06 09:36:38 +08:00

validation.py

Fix errors detected by Ruff (#3918)

2024-12-08 14:21:12 +08:00