From 8b195a5adb362c35c65ca4ab093543a1168fb221 Mon Sep 17 00:00:00 2001 From: changhaowuwu Date: Wed, 25 Feb 2026 22:08:01 +0100 Subject: [PATCH] security: replace eval() with safe boolean parsing Replace all uses of eval() on environment variables and command-line arguments with safe string comparison. eval() allows arbitrary code execution when given untrusted input, making it a security risk. The fix uses .lower() in ("true", "1", "yes") which produces identical behavior for all valid boolean inputs while preventing code injection. This pattern is already used in config.py. Affected files (10 call sites): - GPT_SoVITS/inference_webui.py (is_share, is_half) - GPT_SoVITS/inference_webui_fast.py (is_share, is_half) - GPT_SoVITS/prepare_datasets/1-get-text.py (is_half) - GPT_SoVITS/prepare_datasets/2-get-hubert-wav32k.py (is_half) - GPT_SoVITS/prepare_datasets/2-get-sv.py (is_half) - GPT_SoVITS/prepare_datasets/3-get-semantic.py (is_half) - tools/uvr5/webui.py (is_half, is_share) - tools/subfix_webui.py (is_share) --- GPT_SoVITS/inference_webui.py | 5 ++--- GPT_SoVITS/inference_webui_fast.py | 5 ++--- GPT_SoVITS/prepare_datasets/1-get-text.py | 2 +- GPT_SoVITS/prepare_datasets/2-get-hubert-wav32k.py | 2 +- GPT_SoVITS/prepare_datasets/2-get-sv.py | 2 +- GPT_SoVITS/prepare_datasets/3-get-semantic.py | 2 +- tools/subfix_webui.py | 2 +- tools/uvr5/webui.py | 4 ++-- 8 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/GPT_SoVITS/inference_webui.py b/GPT_SoVITS/inference_webui.py
index a361ed58..6da6b8ca 100644
--- a/GPT_SoVITS/inference_webui.py
+++ b/GPT_SoVITS/inference_webui.py
@@ -83,11 +83,10 @@ cnhubert_base_path = os.environ.get("cnhubert_base_path", "GPT_SoVITS/pretrained
 bert_path = os.environ.get("bert_path", "GPT_SoVITS/pretrained_models/chinese-roberta-wwm-ext-large")
 infer_ttswebui = os.environ.get("infer_ttswebui", 9872)
 infer_ttswebui = int(infer_ttswebui)
-is_share = os.environ.get("is_share", "False")
-is_share = eval(is_share)
+is_share = os.environ.get("is_share", "False").lower() in ("true", "1", "yes")
 if "_CUDA_VISIBLE_DEVICES" in os.environ:
     os.environ["CUDA_VISIBLE_DEVICES"] = os.environ["_CUDA_VISIBLE_DEVICES"]
-is_half = eval(os.environ.get("is_half", "True")) and torch.cuda.is_available()
+is_half = os.environ.get("is_half", "True").lower() in ("true", "1", "yes") and torch.cuda.is_available()
 # is_half=False
 punctuation = set(["!", "?", "…", ",", ".", "-", " "])
 import gradio as gr
diff --git a/GPT_SoVITS/inference_webui_fast.py b/GPT_SoVITS/inference_webui_fast.py
index 92d145b3..fb09a8c6 100644
--- a/GPT_SoVITS/inference_webui_fast.py
+++ b/GPT_SoVITS/inference_webui_fast.py
@@ -44,12 +44,11 @@ logging.getLogger("torchaudio._extension").setLevel(logging.ERROR)
 infer_ttswebui = os.environ.get("infer_ttswebui", 9872)
 infer_ttswebui = int(infer_ttswebui)
-is_share = os.environ.get("is_share", "False")
-is_share = eval(is_share)
+is_share = os.environ.get("is_share", "False").lower() in ("true", "1", "yes")
 if "_CUDA_VISIBLE_DEVICES" in os.environ:
     os.environ["CUDA_VISIBLE_DEVICES"] = os.environ["_CUDA_VISIBLE_DEVICES"]
-is_half = eval(os.environ.get("is_half", "True")) and torch.cuda.is_available()
+is_half = os.environ.get("is_half", "True").lower() in ("true", "1", "yes") and torch.cuda.is_available()
 gpt_path = os.environ.get("gpt_path", None)
 sovits_path = os.environ.get("sovits_path", None)
 cnhubert_base_path = os.environ.get("cnhubert_base_path", None)
diff --git a/GPT_SoVITS/prepare_datasets/1-get-text.py b/GPT_SoVITS/prepare_datasets/1-get-text.py
index 8d83e79a..bebb5715 100644
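Review bot: The new `is_share` and `is_half` lines in this hunk map every value outside `("true", "1", "yes")` to False with no diagnostic, including values that differ only by surrounding whitespace (`is_share="true "` from an `.env` file), whereas the removed `eval` at least failed loudly on a typo such as `Ture`. For `is_share` that is the safe direction — the gradio tunnel stays off — but for `is_half` it silently switches inference to fp32. Call `.strip()` before `.lower()` and treat anything that is in neither an explicit true-set nor an explicit false-set as a configuration error, through one helper both lines call; the commit message says config.py already holds this pattern, so if that is a function, importing it avoids repeating the literal tuple here (I cannot see config.py from this patch). The sketch below keeps the same accepted true values and only adds the false-set and the rejection.
```python
_TRUE_VALUES = ("true", "1", "yes")
_FALSE_VALUES = ("false", "0", "no", "")


def _env_flag(name, default):
    """Parse a boolean environment variable; reject values that are neither clearly true nor clearly false."""
    raw = os.environ.get(name, default).strip().lower()
    if raw in _TRUE_VALUES:
        return True
    if raw in _FALSE_VALUES:
        return False
    raise ValueError(f"{name}={raw!r}: expected one of {_TRUE_VALUES + _FALSE_VALUES}")


is_share = _env_flag("is_share", "False")
# … unchanged: _CUDA_VISIBLE_DEVICES handling …
is_half = _env_flag("is_half", "True") and torch.cuda.is_available()
```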
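Review bot: The literal tuple `("true", "1", "yes")` is copied verbatim onto both changed lines of this hunk and, per the diffstat, into seven other files, so the accepted spellings of a boolean flag have no single home and will drift the first time someone adds `"on"` in one place and not the others. The commit message says config.py already implements this parse; if it is exposed as a function, import it and write `is_share = <that function>("is_share", "False")` and `is_half = <that function>("is_half", "True") and torch.cuda.is_available()`, and if it is only an inline expression there, promote the tuple to a module-level constant in config.py that every call site imports. I cannot see config.py in this patch, so the exact name is for the author to fill in.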
--- a/GPT_SoVITS/prepare_datasets/1-get-text.py
+++ b/GPT_SoVITS/prepare_datasets/1-get-text.py
@@ -13,7 +13,7 @@ opt_dir = os.environ.get("opt_dir")
 bert_pretrained_dir = os.environ.get("bert_pretrained_dir")
 import torch
-is_half = eval(os.environ.get("is_half", "True")) and torch.cuda.is_available()
+is_half = os.environ.get("is_half", "True").lower() in ("true", "1", "yes") and torch.cuda.is_available()
 version = os.environ.get("version", None)
 import traceback
 import os.path
diff --git a/GPT_SoVITS/prepare_datasets/2-get-hubert-wav32k.py b/GPT_SoVITS/prepare_datasets/2-get-hubert-wav32k.py
index 3a84c014..b8f55487 100644
--- a/GPT_SoVITS/prepare_datasets/2-get-hubert-wav32k.py
+++ b/GPT_SoVITS/prepare_datasets/2-get-hubert-wav32k.py
@@ -16,7 +16,7 @@ opt_dir = os.environ.get("opt_dir")
 cnhubert.cnhubert_base_path = os.environ.get("cnhubert_base_dir")
 import torch
-is_half = eval(os.environ.get("is_half", "True")) and torch.cuda.is_available()
+is_half = os.environ.get("is_half", "True").lower() in ("true", "1", "yes") and torch.cuda.is_available()
 import traceback
 import numpy as np
diff --git a/GPT_SoVITS/prepare_datasets/2-get-sv.py b/GPT_SoVITS/prepare_datasets/2-get-sv.py
index 80b0ad69..1e7a5de4 100644
--- a/GPT_SoVITS/prepare_datasets/2-get-sv.py
+++ b/GPT_SoVITS/prepare_datasets/2-get-sv.py
@@ -15,7 +15,7 @@ opt_dir = os.environ.get("opt_dir")
 sv_path = os.environ.get("sv_path")
 import torch
-is_half = eval(os.environ.get("is_half", "True")) and torch.cuda.is_available()
+is_half = os.environ.get("is_half", "True").lower() in ("true", "1", "yes") and torch.cuda.is_available()
 import traceback
 import torchaudio
diff --git a/GPT_SoVITS/prepare_datasets/3-get-semantic.py b/GPT_SoVITS/prepare_datasets/3-get-semantic.py
index ddb0607c..a0b592e3 100644
--- a/GPT_SoVITS/prepare_datasets/3-get-semantic.py
+++ b/GPT_SoVITS/prepare_datasets/3-get-semantic.py
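Review bot: The `is_half` line in this hunk now silently yields fp32 for any spelling it does not recognise — `is_half=1 ` with a trailing space, `on`, or a typo — where the removed `eval` would have stopped the script at startup; the environment appears to be prepared by a parent process that is not visible in this patch, so a mismatch between what it writes and what this line accepts would go unnoticed and this dataset step would run with different numerics from the rest of the pipeline. Split the parse so the raw value is kept and can be reported: `raw = os.environ.get("is_half", "True").strip().lower()` then `is_half = raw in ("true", "1", "yes") and torch.cuda.is_available()`, and print or log a warning when `raw` is in neither `("true", "1", "yes")` nor `("false", "0", "no", "")`. The rest of this script's top-level statements continue outside the hunk.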
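Review bot: The accepted values for `is_half` have become an undocumented contract at the changed line of the 2-get-hubert-wav32k.py hunk: nothing states that only `true`, `1` or `yes` (case-insensitive) enable fp16, and that every other string — or the absence of a CUDA device — means fp32. Add a one-line comment directly above the assignment: `# is_half: "true"/"1"/"yes" (case-insensitive) enable fp16; any other value, or no CUDA, falls back to fp32`. The same comment belongs at the matching line in the other prepare_datasets scripts touched by this patch.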
@@ -28,7 +28,7 @@ else:
     version = "v3"
 import torch
-is_half = eval(os.environ.get("is_half", "True")) and torch.cuda.is_available()
+is_half = os.environ.get("is_half", "True").lower() in ("true", "1", "yes") and torch.cuda.is_available()
 import traceback
 import sys
diff --git a/tools/subfix_webui.py b/tools/subfix_webui.py
index 51a7dfad..531ceab5 100644
--- a/tools/subfix_webui.py
+++ b/tools/subfix_webui.py
@@ -420,6 +420,6 @@ if __name__ == "__main__":
         server_name="0.0.0.0",
         inbrowser=True,
         # quiet=True,
-        share=eval(args.is_share),
+        share=args.is_share.lower() in ("true", "1", "yes"),
         server_port=int(args.webui_port_subfix),
     )
diff --git a/tools/uvr5/webui.py b/tools/uvr5/webui.py
index f5f8d3f6..305f6b5d 100644
--- a/tools/uvr5/webui.py
+++ b/tools/uvr5/webui.py
@@ -25,9 +25,9 @@ for name in os.listdir(weight_uvr5_root):
     uvr5_names.append(name.replace(".pth", "").replace(".ckpt", ""))
 device = sys.argv[1]
-is_half = eval(sys.argv[2])
+is_half = sys.argv[2].lower() in ("true", "1", "yes")
 webui_port_uvr5 = int(sys.argv[3])
-is_share = eval(sys.argv[4])
+is_share = sys.argv[4].lower() in ("true", "1", "yes")
 def html_left(text, label="p"):
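Review bot: `args.is_share.lower()` on the changed `share=` line of the tools/subfix_webui.py hunk only works while `--is_share` is declared with a string default; the argparse definition lies outside this hunk, but it evidently yields a string today (the removed `eval` would have raised on a bool), and the next person who switches it to `action="store_true"` gets an AttributeError at launch. Do the conversion where the argument is declared, with a `type=` callable that maps `true`/`1`/`yes` (after `.strip().lower()`) to True and everything else to False, and pass `share=args.is_share` here so the launch call stays type-agnostic. Keep the fail-closed direction of this parse: together with the visible `server_name="0.0.0.0"`, `share=True` publishes the editor on a gradio tunnel, so an unrecognised value must keep resolving to False. The launch call this keyword belongs to starts before the hunk.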
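Review bot: The two changed lines of the tools/uvr5/webui.py hunk repeat the same parse on raw positional argv that some caller composes outside this patch, and neither strips whitespace, so an argument quoted as `" True"` silently becomes `is_share=False` or an fp32 run. Give the accepted set one name in the module and normalise once: `_TRUTHY = ("true", "1", "yes")`, then `is_half = sys.argv[2].strip().lower() in _TRUTHY` and `is_share = sys.argv[4].strip().lower() in _TRUTHY`. Because the tunnel flag now parses fail-closed this is a usability rather than a security regression, but the unchanged `IndexError` when fewer than five arguments are supplied is worth a guard with a usage message if this script is ever started by hand.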