An attacker could access a random URL from the executing server if the model is crafted. It happens
because pd.read_json checks if the parameter is a string that contains a URL and loads it in that case. The
fix enforces using the parameter as JSON.
Co-authored-by: Alex Barouski <barouski@fb.com>
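
One way to enforce "this field is JSON, not a location" before a reader that guesses its input type sees it. This is an added example, not the project's code: the helper names, the `history` field and the sample models are constructed for illustration.

```python
import io
import json


class UntrustedFieldError(ValueError):
    """Raised when a serialized field is not literal JSON table data."""


def as_json_buffer(field):
    """Return an in-memory buffer for a serialized field, or raise.

    json.loads never performs I/O, so a URL or file path fails here
    instead of being fetched by a reader that inspects the string.
    """
    if not isinstance(field, str):
        raise UntrustedFieldError("serialized field must be a str")
    try:
        parsed = json.loads(field)
    except json.JSONDecodeError as exc:
        raise UntrustedFieldError("field is not JSON") from exc
    if not isinstance(parsed, (dict, list)):
        # A quoted string like '"http://..."' is valid JSON but not a table.
        raise UntrustedFieldError("field must encode an object or array")
    return io.StringIO(field)


def check_model(model_json, frame_fields):
    """Validate the named fields of a serialized model; return {name: buffer}."""
    model = json.loads(model_json)
    return {
        name: as_json_buffer(model[name])
        for name in frame_fields
        if model.get(name) is not None
    }


# Constructed samples: a benign model and one whose field is a URL.
GOOD_MODEL = json.dumps({"history": '{"ds": {"0": "2024-01-01"}, "y": {"0": 1.0}}'})
CRAFTED_MODEL = json.dumps({"history": "http://internal.example/"})

if __name__ == "__main__":
    print(check_model(GOOD_MODEL, ["history"])["history"].getvalue())
    try:
        check_model(CRAFTED_MODEL, ["history"])
    except UntrustedFieldError as err:
        print("rejected:", err)
```

Handing the returned buffer, rather than the raw string, to `pd.read_json` makes the reader treat the input as file-like content, so it is parsed as JSON and never resolved as a URL or path.
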
This commit adds the model_to_dict and model_from_dict functions, using
all of the logic that previously lived in model_to_json and
model_from_json, and converting those functions to simply reuse the new
ones.
This is useful because sometimes the user may want to serialize the dict
in some other way (e.g. another JSON serialization library such as ujson
or orjson, or something entirely different).