Use json.loads instead of eval for JSON parsing
Also fixed error messages. Change-Id: I998d6929ad05d9b5bc4e07f27f3f9cbf2dd64c68 Closes-Bug: #1895688
This commit is contained in:
parent
3dac655641
commit
33c58438ab
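--- a/[PATH-NOT-SHOWN-file1]
+++ b/[PATH-NOT-SHOWN-file1]
@@ -10,6 +10,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+import json
 import logging
 
 from horizon import exceptions
@@ -46,7 +47,7 @@ class Host(base.APIDictWrapper):
 cpu_info_dict = getattr(self, 'cpu_info', '{}')
 if not cpu_info_dict:
 cpu_info_dict = '{}'
-return eval(cpu_info_dict)
+return json.loads(cpu_info_dict)
 
 def extra_capabilities(self):
 excaps = {}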
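Review bot: `json.loads(cpu_info_dict)` raises `json.JSONDecodeError` (a `ValueError`) for anything that is not strict JSON, and nothing in the `@ -46,7 +47,7 @@` hunk catches it, so a host record whose cpu_info is still in the single-quoted Python-literal form the old test fixtures used (`{'dummy': 'true'}`) would now make the whole property fail instead of degrading. The property already falls back to `'{}'` for an empty value, and the same fallback fits a parse failure: `try:` / `return json.loads(cpu_info_dict)` / `except ValueError: return {}`, ideally logging the rejected value. Whether real API data can still arrive in the old form I cannot tell from this page. The enclosing property starts before the hunk.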
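--- a/[PATH-NOT-SHOWN-file2]
+++ b/[PATH-NOT-SHOWN-file2]
@@ -10,6 +10,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+import json
 import logging
 
 from django.utils.translation import ugettext_lazy as _
@@ -54,11 +55,11 @@ class UpdateForm(forms.SelfHandlingForm):
 
 values = cleaned_data.get('values')
 try:
-values = eval(values)
+values = json.loads(values)
 cleaned_data['values'] = values
-except (SyntaxError, NameError):
+except json.JSONDecodeError:
 raise forms.ValidationError(
-_('Values must written in JSON')
+_('Values must be written in JSON')
 )
 
 return cleaned_data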
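Review bot: `json.loads(values)` accepts any JSON document, so input such as `"abc"`, `42` or `[]` passes validation and is stored in `cleaned_data['values']` even though the handler presumably expects a mapping; the same gap exists in the extra_caps hunk (`@ -79,11 +80,11 @@`) and the reservations hunk (`@ -339,11 +340,11 @@`, where the expected type is presumably a list). A shape check after the parse closes it, e.g. `if not isinstance(values, dict): raise forms.ValidationError(_('Values must be a JSON object'))`. Unlike those two hunks this one has no `if values:` guard, and `json.loads(None)` raises `TypeError`, which `except json.JSONDecodeError` does not catch; catching `(TypeError, ValueError)` covers both, since JSONDecodeError is a ValueError subclass. The clean method starts before the hunk.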
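--- a/[PATH-NOT-SHOWN-file3]
+++ b/[PATH-NOT-SHOWN-file3]
@@ -10,6 +10,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+import json
 import logging
 
 from django.utils.translation import ugettext_lazy as _
@@ -79,11 +80,11 @@ class AddExtraCapsAction(workflows.Action):
 
 if extra_caps:
 try:
-extra_caps = eval(extra_caps)
+extra_caps = json.loads(extra_caps)
 cleaned_data['extra_caps'] = extra_caps
-except (SyntaxError, NameError):
+except json.JSONDecodeError:
 raise forms.ValidationError(
-_('Extra capabilities must written in JSON')
+_('Extra capabilities must be written in JSON')
 )
 
 return cleaned_data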
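--- a/[PATH-NOT-SHOWN-file4]
+++ b/[PATH-NOT-SHOWN-file4]
@@ -14,6 +14,7 @@
 # under the License.
 
 import datetime
+import json
 import logging
 import re
 
@@ -339,11 +340,11 @@ class UpdateForm(forms.SelfHandlingForm):
 
 if reservations:
 try:
-reservations = eval(reservations)
+reservations = json.loads(reservations)
 cleaned_data['reservations'] = reservations
-except (SyntaxError, NameError):
+except json.JSONDecodeError:
 raise forms.ValidationError(
-_('Reservation values must written in JSON')
+_('Reservation values must be written in JSON')
 )
 
 if not (lease_name or start_time or end_time or reservations):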
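--- a/[PATH-NOT-SHOWN-file5]
+++ b/[PATH-NOT-SHOWN-file5]
@@ -142,7 +142,7 @@ host_sample1 = {
 "updated_at": None,
 "hypervisor_hostname": "compute-1",
 "memory_mb": 4096,
-"cpu_info": "{'dummy': 'true'}",
+"cpu_info": "{\"dummy\": \"true\"}",
 "vcpus": 1,
 "service_name": "blazar",
 "hypervisor_version": 2005000,
@@ -160,7 +160,7 @@ host_sample2 = {
 "updated_at": None,
 "hypervisor_hostname": "compute-2",
 "memory_mb": 4096,
-"cpu_info": "{'dummy': 'true'}",
+"cpu_info": "{\"dummy\": \"true\"}",
 "vcpus": 1,
 "service_name": "blazar",
 "hypervisor_version": 2005000,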
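Review bot: Both fixtures now hold only valid JSON, so the test data no longer exercises the single-quoted form the previous eval-based parser accepted (`{'dummy': 'true'}`), and nothing on this page pins what the new parser does with it. A small negative test that feeds such a string through the cpu_info property would document whether a decode failure is meant to raise or to fall back to an empty dict. The production code is outside this section, so I cannot tell whether such a test exists elsewhere.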
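--- /dev/null
+++ b/[PATH-NOT-SHOWN-file6-releasenote]
@@ -0,0 +1,6 @@
+---
+security:
+- |
+Uses ``json.loads` instead of ``eval()`` for JSON parsing, which could
+allow users of the Blazar dashboard to trigger code execution on the
+Horizon host as the user the Horizon service runs under.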