Use json.loads instead of eval for JSON parsing

Also fixed error messages.

Change-Id: I998d6929ad05d9b5bc4e07f27f3f9cbf2dd64c68
Closes-Bug: #1895688

blazar_dashboard/api/client.py

@@ -10,6 +10,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import json
 import logging
 
 from horizon import exceptions
@@ -46,7 +47,7 @@ class Host(base.APIDictWrapper):
         cpu_info_dict = getattr(self, 'cpu_info', '{}')
         if not cpu_info_dict:
             cpu_info_dict = '{}'
-        return eval(cpu_info_dict)
+        return json.loads(cpu_info_dict)
 
     def extra_capabilities(self):
         excaps = {}

blazar_dashboard/content/hosts/forms.py

@@ -10,6 +10,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import json
 import logging
 
 from django.utils.translation import ugettext_lazy as _
@@ -54,11 +55,11 @@ class UpdateForm(forms.SelfHandlingForm):
 
         values = cleaned_data.get('values')
         try:
-            values = eval(values)
+            values = json.loads(values)
             cleaned_data['values'] = values
-        except (SyntaxError, NameError):
+        except json.JSONDecodeError:
             raise forms.ValidationError(
-                _('Values must written in JSON')
+                _('Values must be written in JSON')
             )
 
         return cleaned_data

blazar_dashboard/content/hosts/workflows.py

@@ -10,6 +10,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import json
 import logging
 
 from django.utils.translation import ugettext_lazy as _
@@ -79,11 +80,11 @@ class AddExtraCapsAction(workflows.Action):
 
         if extra_caps:
             try:
-                extra_caps = eval(extra_caps)
+                extra_caps = json.loads(extra_caps)
                 cleaned_data['extra_caps'] = extra_caps
-            except (SyntaxError, NameError):
+            except json.JSONDecodeError:
                 raise forms.ValidationError(
-                    _('Extra capabilities must written in JSON')
+                    _('Extra capabilities must be written in JSON')
                 )
 
         return cleaned_data

blazar_dashboard/content/leases/forms.py

@@ -14,6 +14,7 @@
 #    under the License.
 
 import datetime
+import json
 import logging
 import re
 
@@ -339,11 +340,11 @@ class UpdateForm(forms.SelfHandlingForm):
 
         if reservations:
             try:
-                reservations = eval(reservations)
+                reservations = json.loads(reservations)
                 cleaned_data['reservations'] = reservations
-            except (SyntaxError, NameError):
+            except json.JSONDecodeError:
                 raise forms.ValidationError(
-                    _('Reservation values must written in JSON')
+                    _('Reservation values must be written in JSON')
                 )
 
         if not (lease_name or start_time or end_time or reservations):

blazar_dashboard/test/test_data/blazar_data.py

@@ -142,7 +142,7 @@ host_sample1 = {
     "updated_at": None,
     "hypervisor_hostname": "compute-1",
     "memory_mb": 4096,
-    "cpu_info": "{'dummy': 'true'}",
+    "cpu_info": "{\"dummy\": \"true\"}",
     "vcpus": 1,
     "service_name": "blazar",
     "hypervisor_version": 2005000,
@@ -160,7 +160,7 @@ host_sample2 = {
     "updated_at": None,
     "hypervisor_hostname": "compute-2",
     "memory_mb": 4096,
-    "cpu_info": "{'dummy': 'true'}",
+    "cpu_info": "{\"dummy\": \"true\"}",
     "vcpus": 1,
     "service_name": "blazar",
     "hypervisor_version": 2005000,

releasenotes/notes/remove-use-of-eval-ef359dec791c97cd.yaml

@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Uses ``json.loads` instead of ``eval()`` for JSON parsing, which could
+    allow users of the Blazar dashboard to trigger code execution on the
+    Horizon host as the user the Horizon service runs under.