author | SerenaFeng <feng.xiaowei@zte.com.cn> | 2016-09-09 16:50:48 +0800 |
---|---|---|
committer | SerenaFeng <feng.xiaowei@zte.com.cn> | 2016-09-14 10:53:33 +0800 |
commit | dd9e8643b72497eecdb4c80dc64f161b1562033b (patch) | |
tree | 29f8cd29a44ccac033bad571544df7aa3c487618 /utils/test/result_collection_api/opnfv_testapi/tests | |
parent | 21f8156390bfaba48f8427f5cda8515becf675b3 (diff) |
Fix security issues of eval-s in testapi
results from security audit show risks and recommendations to fix them
JIRA: RELENG-144
Change-Id: If128cc3ae230150a912b581dfb1ded543d851eb5
Signed-off-by: SerenaFeng <feng.xiaowei@zte.com.cn>
Diffstat (limited to 'utils/test/result_collection_api/opnfv_testapi/tests')
4 files changed, 10 insertions, 4 deletions
diff --git a/utils/test/result_collection_api/opnfv_testapi/tests/unit/fake_pymongo.py b/utils/test/result_collection_api/opnfv_testapi/tests/unit/fake_pymongo.py index 450969248..3dd87e603 100644 --- a/utils/test/result_collection_api/opnfv_testapi/tests/unit/fake_pymongo.py +++ b/utils/test/result_collection_api/opnfv_testapi/tests/unit/fake_pymongo.py @@ -181,6 +181,10 @@ class MemDb(object): self._check_keys(doc.get(key)) +def __getattr__(name): + return globals()[name] + + pods = MemDb() projects = MemDb() testcases = MemDb() diff --git a/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_dashboard.py b/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_dashboard.py index 8f729c0d0..27ec76385 100644 --- a/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_dashboard.py +++ b/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_dashboard.py @@ -8,9 +8,10 @@ ############################################################################## import unittest -from test_result import TestResultBase from opnfv_testapi.common.constants import HTTP_NOT_FOUND, HTTP_OK +from test_result import TestResultBase + class TestDashboardBase(TestResultBase): def setUp(self): @@ -63,7 +64,7 @@ class TestDashboardQuery(TestDashboardBase): if k == 'self' or k == 'uri': continue if v is None: - v = eval('self.' + k) + v = self.__getattribute__(k) if v != 'missing': uri += '{}={}&'.format(k, v) uri += 'pod={}&'.format(self.pod) diff --git a/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_fake_pymongo.py b/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_fake_pymongo.py index 9a1253e94..5f50ba867 100644 --- a/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_fake_pymongo.py +++ b/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_fake_pymongo.py 
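Review bot: The new module-level `__getattr__` in fake_pymongo.py returns `globals()[name]` for any name, so it hands out every module global (imports, the MemDb class, the helper itself) rather than only the table objects, and an unknown name raises KeyError instead of AttributeError. On interpreters that honour a module-level `__getattr__` (Python 3.7+), that KeyError would break `hasattr()` and three-argument `getattr()` on the module. Callers are not visible in this hunk, but if the intent is table lookup by name, narrow it: `obj = globals().get(name)`, then `if not isinstance(obj, MemDb): raise AttributeError(name)`, then `return obj`. A one-line docstring such as `"""Return the in-memory collection named *name*."""` would also record why the function exists.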
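Review bot: `v = self.__getattribute__(k)` in TestDashboardQuery (and the same call in `_eval_pods_db` in test_fake_pymongo.py and in `get_value` in test_result.py) removes the eval but calls the dunder method directly; the builtin is the conventional form, `v = getattr(self, k)`. A direct `__getattribute__` call skips any `__getattr__` fallback the class might define and reads as an implementation detail rather than an attribute lookup. The enclosing method starts outside the hunk, so where `k` comes from cannot be confirmed here; it appears to be the test's own argument names, in which case the lookup stays within attributes the test sets itself.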
@@ -115,7 +115,8 @@ class MyTest(AsyncHTTPTestCase): self.assertEqual(name_error, error) def _eval_pods_db(self, method, *args, **kwargs): - return eval('self.db.pods.%s(*args, **kwargs)' % method) + table_obj = vars(self.db)['pods'] + return table_obj.__getattribute__(method)(*args, **kwargs) if __name__ == '__main__': diff --git a/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_result.py b/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_result.py index eee06c6e5..8479b35cd 100644 --- a/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_result.py +++ b/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_result.py @@ -305,7 +305,7 @@ class TestResultGet(TestResultBase): def _set_query(self, *args): def get_value(arg): - return eval('self.' + arg) \ + return self.__getattribute__(arg) \ if arg != 'trust_indicator' else self.trust_indicator.current uri = '' for arg in args: |
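Review bot: `vars(self.db)['pods']` in `_eval_pods_db` replaces a plain attribute access with a `__dict__` lookup, although the table name was never dynamic in the removed eval string (`self.db.pods.%s`). `vars()` only sees the instance or module dict, so it would raise KeyError if `pods` were ever provided by a property or class attribute, and TypeError if `self.db` had no `__dict__`. Only the method name needs dynamic resolution: `return getattr(self.db.pods, method)(*args, **kwargs)`.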