From 053759a87b1d479b8083e352944baff3d12ff097 Mon Sep 17 00:00:00 2001
From: chenjiankun
Date: Mon, 28 Nov 2016 15:06:08 +0000
Subject: Bugfix: the API to get result do not work due to can't parse $

JIRA: YARDSTICK-429

The API to get result use $ to prevent sql injection. But it doesn't work.

Change-Id: I130a847297f209fe26062317261f884c5665f5df
Signed-off-by: chenjiankun
---
 api/actions/result.py | 20 +++++++++++++-------
 api/yardstick.ini     |  2 +-
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/api/actions/result.py b/api/actions/result.py
index 9f606d2cb..10112ac68 100644
--- a/api/actions/result.py
+++ b/api/actions/result.py
@@ -7,6 +7,8 @@
 # http://www.apache.org/licenses/LICENSE-2.0
 ##############################################################################
 import logging
+import uuid
+import re
 
 from api.utils import influx as influx_utils
 from api.utils import common as common_utils
@@ -19,23 +21,27 @@ def getResult(args):
     try:
         measurement = args['measurement']
         task_id = args['task_id']
+
+        if re.search("[^a-zA-Z0-9_-]", measurement):
+            raise ValueError('invalid measurement parameter')
+
+        uuid.UUID(task_id)
     except KeyError:
-        message = 'measurement and task_id must be needed'
+        message = 'measurement and task_id must be provided'
         return common_utils.error_handler(message)
 
     measurement = conf.TEST_CASE_PRE + measurement
-    query_sql = "select * from $table where task_id='$task_id'"
-    param = {'table': 'tasklist', 'task_id': task_id}
-    data = common_utils.translate_to_str(influx_utils.query(query_sql, param))
+    query_template = "select * from %s where task_id='%s'"
+    query_sql = query_template % ('tasklist', task_id)
+    data = common_utils.translate_to_str(influx_utils.query(query_sql))
 
     def _unfinished():
         return common_utils.result_handler(0, [])
 
     def _finished():
-        param = {'table': measurement, 'task_id': task_id}
-        data = common_utils.translate_to_str(influx_utils.query(query_sql,
-                                                                param))
+        query_sql = query_template % (measurement, task_id)
+        data = common_utils.translate_to_str(influx_utils.query(query_sql))
 
         return common_utils.result_handler(1, data)
 
diff --git a/api/yardstick.ini b/api/yardstick.ini
index 535022960..01025c2ef 100644
--- a/api/yardstick.ini
+++ b/api/yardstick.ini
@@ -12,5 +12,5 @@ chmod-socket = 666
 callable = app
 enable-threads = true
 close-on-exec = 1
-daemonize=/home/kklt/kklt/api/uwsgi.log
+daemonize=/home/opnfv/repos/yardstick/api/uwsgi.log
 socket = /home/opnfv/repos/yardstick/api/yardstick.sock
-- 
cgit 1.2.3-korg
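Review bot: The two validations added inside the `try` both raise `ValueError`, but the handler a few lines below is still `except KeyError:`, so a malformed `measurement` or `task_id` now leaves `getResult` as an unhandled exception instead of the error response the surrounding code intends; widen it to `except (KeyError, ValueError) as e:` and hand `str(e)` (or a fixed message) to `common_utils.error_handler`. Separately, `uuid.UUID(task_id)` only checks the string, while the raw `task_id` is what the `query_template % ('tasklist', task_id)` line and the `_finished` closure interpolate; since `uuid.UUID` also accepts braced and `urn:uuid:`-prefixed forms, bind the normalized value with `task_id = str(uuid.UUID(task_id))` so the query text has one fixed shape. The character allowlist on `measurement` is the right approach for a value that is spliced in as an identifier rather than a bound parameter; a one-line comment on that check, e.g. `# measurement is interpolated as an identifier, so it must be allowlisted, not escaped`, would keep a future maintainer from replacing it with quoting. `getResult` continues past the end of the hunk.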
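Review bot: The `daemonize=` path change is unrelated to the YARDSTICK-429 fix described in the commit message and would be easier to review and revert in its own commit. The new value hard-codes a host-specific absolute path under a repository checkout; if this file is meant to be deployed unchanged, the log location should either be documented next to the `socket =` line or made relative to the uwsgi working directory.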