Updated examples/benchmarks/TRA/src/model.py to fix security vulnerability [python.lang.security.audit.eval-detected.eval-detected]

[anupamme]

Context and Purpose:

This PR automatically remediates a security vulnerability:

• Description: Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.
• Rule ID: python.lang.security.audit.eval-detected.eval-detected
• Severity: HIGH
• File: examples/benchmarks/TRA/src/model.py
• Lines Affected: 54 - 54

This change is necessary to protect the application from potential security risks associated with this vulnerability.

Solution Implemented:

The automated remediation process has applied the necessary changes to the affected code in examples/benchmarks/TRA/src/model.py to resolve the identified issue.

Please review the changes to ensure they are correct and integrate as expected.

[SunsetWolf]

Hi, @anupamme
Thank you for your contribution to qlib. Running the code based on your changes results in: It doesn't work because.

ast.literal_eval can only handle literals: numbers, strings, lists, dictionaries, tuples.

But model_type is “LSTM” (or similar model class name), which is a name node (ast.Name) in AST, not a literal.

Can you fix this issue?

[Abhijais4896]

self.model = eval(model_type)(**model_config).to(device)

[Abhijais4896]

import ast

Copyright (c) Microsoft Corporation.

Licensed under the MIT License.

    self.logger = get_module_logger("TRA")
    self.logger.info("TRA Model...")

    self.model = eval(model_type)(**model_config).to(device)
    self.model = ast.literal_eval(model_type)(**model_config).to(device)
    if model_init_state:
        self.model.load_state_dict(torch.load(model_init_state, map_location="cpu")["model"])
    if freeze_model:

[anupamme]

@microsoft-github-policy-service agree

[anupamme]

@SunsetWolf I've made the changes - pls review.