diff options
| author |   SerenaFeng <feng.xiaowei@zte.com.cn> | 2016-09-09 16:50:48 +0800 |
|---|---|---|
| committer | SerenaFeng <feng.xiaowei@zte.com.cn> | 2016-09-14 10:53:33 +0800 |
| commit | 6e52f48dbad2d39ebe124e6926e78fd0bca29adb (patch) | |
| tree | bd39217f7d4eccef1eb5acdbdd8f2325665e7a86 /result_collection_api/opnfv_testapi/tests/unit | |
| parent | 4f3f6bd997e5bdc528da6c36da59e0d2d464ef83 (diff) | |
Fix security issues of eval-s in testapi
results from security audit show risks and recommendations to fix them
JIRA: RELENG-144
Change-Id: If128cc3ae230150a912b581dfb1ded543d851eb5
Signed-off-by: SerenaFeng <feng.xiaowei@zte.com.cn>
Diffstat (limited to 'result_collection_api/opnfv_testapi/tests/unit')
4 files changed, 10 insertions, 4 deletions
diff --git a/result_collection_api/opnfv_testapi/tests/unit/fake_pymongo.py b/result_collection_api/opnfv_testapi/tests/unit/fake_pymongo.py index 4509692..3dd87e6 100644 --- a/result_collection_api/opnfv_testapi/tests/unit/fake_pymongo.py +++ b/result_collection_api/opnfv_testapi/tests/unit/fake_pymongo.py @@ -181,6 +181,10 @@ class MemDb(object): self._check_keys(doc.get(key)) +def __getattr__(name): + return globals()[name] + + pods = MemDb() projects = MemDb() testcases = MemDb() diff --git a/result_collection_api/opnfv_testapi/tests/unit/test_dashboard.py b/result_collection_api/opnfv_testapi/tests/unit/test_dashboard.py index 8f729c0..27ec763 100644 --- a/result_collection_api/opnfv_testapi/tests/unit/test_dashboard.py +++ b/result_collection_api/opnfv_testapi/tests/unit/test_dashboard.py @@ -8,9 +8,10 @@ ############################################################################## import unittest -from test_result import TestResultBase from opnfv_testapi.common.constants import HTTP_NOT_FOUND, HTTP_OK +from test_result import TestResultBase + class TestDashboardBase(TestResultBase): def setUp(self): @@ -63,7 +64,7 @@ class TestDashboardQuery(TestDashboardBase): if k == 'self' or k == 'uri': continue if v is None: - v = eval('self.' + k) + v = self.__getattribute__(k) if v != 'missing': uri += '{}={}&'.format(k, v) uri += 'pod={}&'.format(self.pod) diff --git a/result_collection_api/opnfv_testapi/tests/unit/test_fake_pymongo.py b/result_collection_api/opnfv_testapi/tests/unit/test_fake_pymongo.py index 9a1253e..5f50ba8 100644 --- a/result_collection_api/opnfv_testapi/tests/unit/test_fake_pymongo.py +++ b/result_collection_api/opnfv_testapi/tests/unit/test_fake_pymongo.py @@ -115,7 +115,8 @@ class MyTest(AsyncHTTPTestCase): self.assertEqual(name_error, error) def _eval_pods_db(self, method, *args, **kwargs): - return eval('self.db.pods.%s(*args, **kwargs)' % method) + table_obj = vars(self.db)['pods'] + return table_obj.__getattribute__(method)(*args, **kwargs) if __name__ == '__main__': diff --git a/result_collection_api/opnfv_testapi/tests/unit/test_result.py b/result_collection_api/opnfv_testapi/tests/unit/test_result.py index eee06c6..8479b35 100644 --- a/result_collection_api/opnfv_testapi/tests/unit/test_result.py +++ b/result_collection_api/opnfv_testapi/tests/unit/test_result.py @@ -305,7 +305,7 @@ class TestResultGet(TestResultBase): def _set_query(self, *args): def get_value(arg): - return eval('self.' + arg) \ + return self.__getattribute__(arg) \ if arg != 'trust_indicator' else self.trust_indicator.current uri = '' for arg in args: |