1 files changed, 13 insertions, 7 deletions

diff --git a/api/actions/result.py b/api/actions/result.py
index 9f606d2cb..10112ac68 100644
--- a/api/actions/result.py
+++ b/api/actions/result.py
@@ -7,6 +7,8 @@
 # http://www.apache.org/licenses/LICENSE-2.0
 ##############################################################################
 import logging
+import uuid
+import re
 
 from api.utils import influx as influx_utils
 from api.utils import common as common_utils
@@ -19,23 +21,27 @@ def getResult(args):
     try:
         measurement = args['measurement']
         task_id = args['task_id']
+
+        if re.search("[^a-zA-Z0-9_-]", measurement):
+            raise ValueError('invalid measurement parameter')
+
+        uuid.UUID(task_id)
     except KeyError:
-        message = 'measurement and task_id must be needed'
+        message = 'measurement and task_id must be provided'
         return common_utils.error_handler(message)
 
     measurement = conf.TEST_CASE_PRE + measurement
 
-    query_sql = "select * from $table where task_id='$task_id'"
-    param = {'table': 'tasklist', 'task_id': task_id}
-    data = common_utils.translate_to_str(influx_utils.query(query_sql, param))
+    query_template = "select * from %s where task_id='%s'"
+    query_sql = query_template % ('tasklist', task_id)
+    data = common_utils.translate_to_str(influx_utils.query(query_sql))
 
     def _unfinished():
         return common_utils.result_handler(0, [])
 
     def _finished():
-        param = {'table': measurement, 'task_id': task_id}
-        data = common_utils.translate_to_str(influx_utils.query(query_sql,
-                                                                param))
+        query_sql = query_template % (measurement, task_id)
+        data = common_utils.translate_to_str(influx_utils.query(query_sql))
 
         return common_utils.result_handler(1, data)