fix: Resolve tool_call ACE + prompt injection from chat history#4015

Merged
kdestin merged 6 commits into main from users/kdestin/prompt-injection-rce
Jun 5, 2025

Conversation

@kdestin
Contributor

@kdestin kdestin commented Jun 3, 2025

Description

This pull request resolves 2 security issues:

  • Replaces all uses of eval with ast.literal_eval
    • Notably resolves an issue where parsing a tool call would execute arbitrary python
  • Resolves an issue where a maliciously crafted message could arbitrarily add extra entries of any role to the chat history

Related to ICM 31000000356466

All Promptflow Contribution checklist:

  • The pull request does not introduce [breaking changes].
  • CHANGELOG is updated for new features, bug fixes or other significant changes.
  • I have read the contribution guidelines.
  • I confirm that all new dependencies are compatible with the MIT license.
  • Create an issue and link to the pull request to get dedicated review from promptflow team. Learn more: suggested workflow.

General Guidelines and Best Practices

  • Title of the pull request is clear and informative.
  • There are a small number of commits, each of which has an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, see this page.

Testing Guidelines

  • Pull request includes test coverage for the included changes.
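The first fix in this PR swaps eval for ast.literal_eval when a serialized tool call is parsed. The following is an added illustration of why that matters and what literal_eval does and does not give you; it is not promptflow's own code, and the parser name, the assumed tool-call shape (a Python-literal dict with "name" and "arguments" keys) and the sample inputs are all constructed for the example.

```python
import ast
from typing import Any, Dict

# Hypothetical tool-call parser (added example, not promptflow's own code).
# A tool call is assumed to arrive as a Python-literal string such as
# "{'name': 'get_weather', 'arguments': {'city': 'Seattle'}}".

ALLOWED_KEYS = {"name", "arguments"}
MAX_RAW_LEN = 64 * 1024  # cap input size before handing it to the parser


def parse_tool_call(raw: str) -> Dict[str, Any]:
    """Parse a serialized tool call without evaluating code.

    ast.literal_eval accepts literal syntax only (strings, numbers, tuples,
    lists, dicts, sets, booleans, None). A call, attribute access or name
    lookup in the input raises ValueError instead of being executed, which
    is the property eval() lacks.
    """
    if len(raw) > MAX_RAW_LEN:
        raise ValueError("tool call payload too large")
    try:
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"tool call is not a literal: {exc}") from exc

    # Shape validation after parsing: literal_eval stops code execution,
    # but it does not check that the result is the structure we expect.
    if not isinstance(value, dict):
        raise ValueError("tool call must be a dict")
    extra = set(value) - ALLOWED_KEYS
    if extra:
        raise ValueError(f"unexpected keys in tool call: {sorted(extra)}")
    if not isinstance(value.get("name"), str) or not value["name"]:
        raise ValueError("tool call 'name' must be a non-empty string")
    if not isinstance(value.get("arguments"), dict):
        raise ValueError("tool call 'arguments' must be a dict")
    return value


def is_rejected(raw: str) -> bool:
    """True when parse_tool_call refuses the input."""
    try:
        parse_tool_call(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs.
    good = "{'name': 'get_weather', 'arguments': {'city': 'Seattle'}}"
    print(parse_tool_call(good))
    # A call expression is valid Python syntax but not a literal, so it is
    # rejected before anything runs; under eval() it would have executed.
    print(is_rejected("{'name': str(1), 'arguments': {}}"))
```

Two caveats a reviewer would raise: literal_eval is a parser, not a validator, so the structural checks after it are what guarantee the result has the expected keys and types; and literal_eval can still exhaust the stack or memory on deeply nested or very large input, which is why the example bounds the payload size before parsing.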

@kdestin kdestin requested review from a team as code owners June 3, 2025 23:09
@github-actions

github-actions bot commented Jun 3, 2025

promptflow-evals test result

  9 files  ±  0    9 suites  ±0   59m 24s ⏱️ + 44m 59s
 19 tests  - 106   12 ✅  -   113   7 💤 + 7  0 ❌ ±0 
171 runs   - 954  108 ✅  - 1 017  63 💤 +63  0 ❌ ±0 

Results for commit d8a3f7f. ± Comparison against base commit 6b38d80.

This pull request removes 125 and adds 19 tests. Note that renamed tests count towards both.
tests.evals.unittests.test_batch_run_context.TestBatchRunContext ‑ test_batch_timeout_custom
tests.evals.unittests.test_batch_run_context.TestBatchRunContext ‑ test_batch_timeout_default
tests.evals.unittests.test_batch_run_context.TestBatchRunContext ‑ test_with_codeclient
tests.evals.unittests.test_batch_run_context.TestBatchRunContext ‑ test_with_pfclient
tests.evals.unittests.test_built_in_evaluator.TestBuiltInEvaluators ‑ test_fluency_evaluator
tests.evals.unittests.test_built_in_evaluator.TestBuiltInEvaluators ‑ test_fluency_evaluator_empty_string
tests.evals.unittests.test_built_in_evaluator.TestBuiltInEvaluators ‑ test_fluency_evaluator_non_string_inputs
tests.evals.unittests.test_chat_evaluator.TestChatEvaluator ‑ test_conversation_validation_invalid_citations
tests.evals.unittests.test_chat_evaluator.TestChatEvaluator ‑ test_conversation_validation_missing_role
tests.evals.unittests.test_chat_evaluator.TestChatEvaluator ‑ test_conversation_validation_normal
…
tests.evals.e2etests.test_adv_simulator.TestAdvSimulator ‑ test_adv_conversation_sim_responds_with_responses
tests.evals.e2etests.test_adv_simulator.TestAdvSimulator ‑ test_adv_eci_sim_responds_with_responses
tests.evals.e2etests.test_adv_simulator.TestAdvSimulator ‑ test_adv_protected_matierial_sim_responds_with_responses
tests.evals.e2etests.test_adv_simulator.TestAdvSimulator ‑ test_adv_qa_sim_responds_with_one_response
tests.evals.e2etests.test_adv_simulator.TestAdvSimulator ‑ test_adv_rewrite_sim_responds_with_responses
tests.evals.e2etests.test_adv_simulator.TestAdvSimulator ‑ test_adv_sim_init_with_prod_url
tests.evals.e2etests.test_adv_simulator.TestAdvSimulator ‑ test_adv_sim_order_randomness
tests.evals.e2etests.test_adv_simulator.TestAdvSimulator ‑ test_adv_sim_order_randomness_with_jailbreak
tests.evals.e2etests.test_adv_simulator.TestAdvSimulator ‑ test_adv_summarization_jailbreak_sim_responds_with_responses
tests.evals.e2etests.test_adv_simulator.TestAdvSimulator ‑ test_adv_summarization_sim_responds_with_responses
…


@kdestin kdestin force-pushed the users/kdestin/prompt-injection-rce branch from 0884335 to d8a3f7f Compare June 4, 2025 16:26
@kdestin kdestin merged commit 1e5030c into main Jun 5, 2025
69 of 94 checks passed
@kdestin kdestin deleted the users/kdestin/prompt-injection-rce branch June 5, 2025 17:26

4 participants