From dd9e8643b72497eecdb4c80dc64f161b1562033b Mon Sep 17 00:00:00 2001
From: SerenaFeng
Date: Fri, 9 Sep 2016 16:50:48 +0800
Subject: Fix security issues of eval-s in testapi results from security audit show risks and recommendations to fix them
JIRA: RELENG-144
Change-Id: If128cc3ae230150a912b581dfb1ded543d851eb5
Signed-off-by: SerenaFeng
---
 utils/test/result_collection_api/opnfv_testapi/resources/handlers.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'utils/test/result_collection_api/opnfv_testapi/resources')
diff --git a/utils/test/result_collection_api/opnfv_testapi/resources/handlers.py b/utils/test/result_collection_api/opnfv_testapi/resources/handlers.py
index f98c35e8f..5059f5d77 100644
--- a/utils/test/result_collection_api/opnfv_testapi/resources/handlers.py
+++ b/utils/test/result_collection_api/opnfv_testapi/resources/handlers.py
@@ -23,8 +23,8 @@
 import json
 from datetime import datetime

-from tornado.web import RequestHandler, asynchronous, HTTPError
 from tornado import gen
+from tornado.web import RequestHandler, asynchronous, HTTPError

 from models import CreateResponse
 from opnfv_testapi.common.constants import DEFAULT_REPRESENTATION, \
@@ -217,7 +217,8 @@ class GenericApiHandler(RequestHandler):
 return equal, query

 def _eval_db(self, table, method, *args, **kwargs):
- return eval('self.db.%s.%s(*args, **kwargs)' % (table, method))
+ exec_collection = self.db.__getattr__(table)
+ return exec_collection.__getattribute__(method)(*args, **kwargs)

 def _eval_db_find_one(self, query, table=None):
 if table is None:
--
cgit 1.2.3-korg
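Review bot: In `_eval_db` (second hunk), `table` and `method` are still resolved as unrestricted attribute names, so the change removes string evaluation but leaves every attribute of `self.db` and of the collection reachable, including destructive operations. Whether either value can be influenced by a request is not visible here, because the callers lie outside the hunk. A guard such as `if method not in _DB_METHODS: raise ValueError(method)`, with `_DB_METHODS` a module-level set of the operations the handlers actually use (the name is constructed for this note), would make the dispatch closed by construction. The second new line is also more idiomatic as `return getattr(exec_collection, method)(*args, **kwargs)`. A one-line docstring stating that both names must be trusted constants would record the contract for future callers.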