From dd9e8643b72497eecdb4c80dc64f161b1562033b Mon Sep 17 00:00:00 2001
From: SerenaFeng
Date: Fri, 9 Sep 2016 16:50:48 +0800
Subject: Fix security issues of eval-s in testapi results from security audit show risks and recommendations to fix them
JIRA: RELENG-144
Change-Id: If128cc3ae230150a912b581dfb1ded543d851eb5
Signed-off-by: SerenaFeng
---
 .../result_collection_api/update/templates/changes_in_mongodb.py | 3 ++-
 .../result_collection_api/update/templates/update_mongodb.py | 9 ++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)
(limited to 'utils/test/result_collection_api/update/templates')
diff --git a/utils/test/result_collection_api/update/templates/changes_in_mongodb.py b/utils/test/result_collection_api/update/templates/changes_in_mongodb.py
index 9744dd9fe..1a4d5a16f 100644
--- a/utils/test/result_collection_api/update/templates/changes_in_mongodb.py
+++ b/utils/test/result_collection_api/update/templates/changes_in_mongodb.py
@@ -45,6 +45,7 @@ docs_old2New = {
 # ({'case_name': 'ovno'}, {'case_name': 'ocl'})
 # ]
 'results': [
- ({'trust_indicator': 0}, {'trust_indicator': {'current': 0, 'histories': []}})
+ ({'trust_indicator': 0},
+ {'trust_indicator': {'current': 0, 'histories': []}})
 ]
 }
diff --git a/utils/test/result_collection_api/update/templates/update_mongodb.py b/utils/test/result_collection_api/update/templates/update_mongodb.py
index b1e378dd7..ba4334aa3 100644
--- a/utils/test/result_collection_api/update/templates/update_mongodb.py
+++ b/utils/test/result_collection_api/update/templates/update_mongodb.py
@@ -10,7 +10,8 @@ import argparse
 from pymongo import MongoClient
-from changes_in_mongodb import collections_old2New, fields_old2New, docs_old2New
+from changes_in_mongodb import collections_old2New, \
+ fields_old2New, docs_old2New
 from utils import main, parse_mongodb_url
 parser = argparse.ArgumentParser(description='Update MongoDBs')
@@ -54,11 +55,13 @@ def change_docs(a_dict):
 def eval_db(method, *args, **kwargs):
- return eval('db.%s(*args, **kwargs)' % method)
+ exec_db = db.__getattribute__(method)
+ return exec_db(*args, **kwargs)
 def eval_collection(collection, method, *args, **kwargs):
- return eval('db.%s.%s(*args, **kwargs)' % (collection, method))
+ exec_collection = db.__getattr__(collection)
+ return exec_collection.__getattribute__(method)(*args, **kwargs)
 def collection_update(a_dict, operator):
-- 
cgit 1.2.3-korg
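Review bot: Both new bodies call dunder methods directly where the builtin accessors are the idiomatic and equivalent spelling: `return getattr(db, method)(*args, **kwargs)` in eval_db, and `return getattr(db[collection], method)(*args, **kwargs)` in eval_collection, where `db[collection]` also accepts collection names beginning with an underscore, which pymongo's `Database.__getattr__` refuses. Dropping eval() closes the code-injection path, but a caller-supplied `method` string still dispatches to any attribute of the Database or Collection object; if `method` or `collection` can ever originate outside this script, compare them against an explicit tuple of the few methods the updater actually needs before dispatching. `db` is not defined inside the hunk and is presumably a module-level global bound elsewhere in the file — worth confirming it is assigned before these helpers run. The body of `collection_update` continues past the end of the hunk.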