authorchenjiankun <chenjiankun1@huawei.com>2016-11-28 15:06:08 +0000
committerchenjiankun <chenjiankun1@huawei.com>2016-11-30 03:45:08 +0000
commit053759a87b1d479b8083e352944baff3d12ff097 (patch)
tree5a7fb24b39ebd122b1807b08f468662e2c3460ae /api/actions
parent893294646833bed300586ee36040d4fde3c20842 (diff)
Bugfix: the API to get result do not work due to can't parse $
JIRA: YARDSTICK-429 The API to get the result used $ placeholders to prevent SQL injection, but they were never parsed, so the query did not work. Change-Id: I130a847297f209fe26062317261f884c5665f5df Signed-off-by: chenjiankun <chenjiankun1@huawei.com>
Diffstat (limited to 'api/actions')
-rw-r--r--api/actions/result.py20
1 files changed, 13 insertions, 7 deletions
diff --git a/api/actions/result.py b/api/actions/result.py
index 9f606d2cb..10112ac68 100644
--- a/api/actions/result.py
+++ b/api/actions/result.py
@@ -7,6 +7,8 @@
# http://www.apache.org/licenses/LICENSE-2.0
##############################################################################
import logging
+import uuid
+import re
from api.utils import influx as influx_utils
from api.utils import common as common_utils
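Review bot: The two added stdlib imports are not in the conventional alphabetical order within the group (`logging`, `uuid`, `re`); reorder them to `import logging`, `import re`, `import uuid` so isort/ruff do not flag the file later. Since the only use of `re` visible in this diff is the allow-list check `re.search("[^a-zA-Z0-9_-]", measurement)` in the later hunk, consider hoisting that pattern to a compiled module-level constant beside these imports, `_MEASUREMENT_RE = re.compile(r"[^a-zA-Z0-9_-]")`, so the accepted character set is declared once, uses a raw string, and can be reused by other validators in this module.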
@@ -19,23 +21,27 @@ def getResult(args):
try:
measurement = args['measurement']
task_id = args['task_id']
+
+ if re.search("[^a-zA-Z0-9_-]", measurement):
+ raise ValueError('invalid measurement parameter')
+
+ uuid.UUID(task_id)
except KeyError:
- message = 'measurement and task_id must be needed'
+ message = 'measurement and task_id must be provided'
return common_utils.error_handler(message)
measurement = conf.TEST_CASE_PRE + measurement
- query_sql = "select * from $table where task_id='$task_id'"
- param = {'table': 'tasklist', 'task_id': task_id}
- data = common_utils.translate_to_str(influx_utils.query(query_sql, param))
+ query_template = "select * from %s where task_id='%s'"
+ query_sql = query_template % ('tasklist', task_id)
+ data = common_utils.translate_to_str(influx_utils.query(query_sql))
def _unfinished():
return common_utils.result_handler(0, [])
def _finished():
- param = {'table': measurement, 'task_id': task_id}
- data = common_utils.translate_to_str(influx_utils.query(query_sql,
- param))
+ query_sql = query_template % (measurement, task_id)
+ data = common_utils.translate_to_str(influx_utils.query(query_sql))
return common_utils.result_handler(1, data)