Fix security issues of eval-s in testapi

results from security audit show risks and recommendations to fix them JIRA: RELENG-144 Change-Id: If128cc3ae230150a912b581dfb1ded543d851eb5 Signed-off-by: SerenaFeng <feng.xiaowei@zte.com.cn>
author: SerenaFeng <feng.xiaowei@zte.com.cn> 2016-09-09 16:50:48 +0800
committer: SerenaFeng <feng.xiaowei@zte.com.cn> 2016-09-14 10:53:33 +0800
commit: 6e52f48dbad2d39ebe124e6926e78fd0bca29adb (patch)
tree: bd39217f7d4eccef1eb5acdbdd8f2325665e7a86 /result_collection_api/opnfv_testapi/resources/handlers.py
parent: 4f3f6bd997e5bdc528da6c36da59e0d2d464ef83 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/result_collection_api/opnfv_testapi/resources/handlers.py b/result_collection_api/opnfv_testapi/resources/handlers.py
index f98c35e..5059f5d 100644
--- a/result_collection_api/opnfv_testapi/resources/handlers.py
+++ b/result_collection_api/opnfv_testapi/resources/handlers.py
@@ -23,8 +23,8 @@
 import json
 from datetime import datetime
 
-from tornado.web import RequestHandler, asynchronous, HTTPError
 from tornado import gen
+from tornado.web import RequestHandler, asynchronous, HTTPError
 
 from models import CreateResponse
 from opnfv_testapi.common.constants import DEFAULT_REPRESENTATION, \
@@ -217,7 +217,8 @@ class GenericApiHandler(RequestHandler):
         return equal, query
 
     def _eval_db(self, table, method, *args, **kwargs):
-        return eval('self.db.%s.%s(*args, **kwargs)' % (table, method))
+        exec_collection = self.db.__getattr__(table)
+        return exec_collection.__getattribute__(method)(*args, **kwargs)
 
     def _eval_db_find_one(self, query, table=None):
         if table is None:
author	SerenaFeng <feng.xiaowei@zte.com.cn>	2016-09-09 16:50:48 +0800
committer	SerenaFeng <feng.xiaowei@zte.com.cn>	2016-09-14 10:53:33 +0800
commit	6e52f48dbad2d39ebe124e6926e78fd0bca29adb (patch)
tree	bd39217f7d4eccef1eb5acdbdd8f2325665e7a86 /result_collection_api/opnfv_testapi/resources/handlers.py
parent	4f3f6bd997e5bdc528da6c36da59e0d2d464ef83 (diff)