diff --git a/src/power_grid_model_ds/_core/model/grids/base.py b/src/power_grid_model_ds/_core/model/grids/base.py
index 727eed17..924cde63 100644
--- a/src/power_grid_model_ds/_core/model/grids/base.py
+++ b/src/power_grid_model_ds/_core/model/grids/base.py
@@ -149,6 +149,10 @@ def empty(cls: Type[G], graph_model: type[BaseGraphModel] = RustworkxGraphModel)
     def from_cache(cls: Type[Self], cache_path: Path, load_graphs: bool = True) -> Self:
         """Read from cache and build .graphs from arrays
 
+        WARNING: This function uses pickle.load() which can execute arbitrary code.
+        Only load pickle files from trusted sources. Never load pickle files from
+        untrusted or unauthenticated sources as this could lead to arbitrary code execution.
+
         Args:
             cache_path (Path): The path to the cache
             load_graphs (bool, optional): Whether to load the graphs. Defaults to True.
diff --git a/src/power_grid_model_ds/_core/visualizer/callbacks/search_form.py b/src/power_grid_model_ds/_core/visualizer/callbacks/search_form.py
index 7a04268f..a34a610e 100644
--- a/src/power_grid_model_ds/_core/visualizer/callbacks/search_form.py
+++ b/src/power_grid_model_ds/_core/visualizer/callbacks/search_form.py
@@ -22,6 +22,8 @@ def search_element(group: str, column: str, operator: str, value: str, styleshee
     if not group or not column or not value:
         raise PreventUpdate
 
+    sanitized_value = str(value).strip().replace("\\", "\\\\").replace('"', '\\"')
+
     # Determine if we're working with a node or an edge type
     if group == "node":
         style = {
@@ -32,9 +34,9 @@ def search_element(group: str, column: str, operator: str, value: str, styleshee
         style = {"line-color": CYTO_COLORS["highlighted"], "target-arrow-color": CYTO_COLORS["highlighted"]}
 
     if column == "id":
-        selector = f'[{column} {operator} "{value}"]'
+        selector = f'[{column} {operator} "{sanitized_value}"]'
     else:
-        selector = f"[{column} {operator} {value}]"
+        selector = f"[{column} {operator} {sanitized_value}]"
 
     new_style = {
         "selector": selector,
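Review bot: The new WARNING paragraph is free text inside the docstring; the existing `Args:` section suggests Google-style docstrings, so a `Warning:` section heading with the three sentences indented under it would let the doc renderer show it as an admonition instead of plain prose. The body of `from_cache` lies outside this hunk, so the change documents the `pickle.load()` call rather than altering it; a sentence stating where `cache_path` is expected to come from (a cache directory this library itself wrote) would make "trusted sources" concrete for callers, e.g. `Only pass a cache_path that was produced by this library's own cache writer on a filesystem you control.`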
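Review bot: `sanitized_value` escapes only backslash and double quote, which is adequate inside the quoted selector of the `id` branch but not in the unquoted branch of the following hunk (`selector = f"[{column} {operator} {sanitized_value}]"`), where `]`, whitespace or an additional attribute term reach the Cytoscape selector unchanged. Since that branch exists for numeric comparisons, validating the value before interpolation is the simpler fix, e.g. `if column != "id" and not re.fullmatch(r"-?\d+(\.\d+)?", sanitized_value): raise PreventUpdate` directly after the sanitizing line (importing `re` if the module does not already). `column` and `operator` are interpolated without any check as well; if they are bound to fixed dropdown options this is fine, otherwise they should be compared against an allowlist of known column names and operators before building the selector. The remainder of `search_element` lies outside these hunks.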