Use json.loads instead of eval for JSON parsing

Also fixed error messages.

Change-Id: I998d6929ad05d9b5bc4e07f27f3f9cbf2dd64c68
Closes-Bug: #1895688
Lukas Euler 2020-09-15 15:25:40 +02:00 committed by Pierre Riteau
parent 3dac655641
commit 33c58438ab
6 changed files with 22 additions and 12 deletions


@ -10,6 +10,7 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
import json
import logging import logging
from horizon import exceptions from horizon import exceptions
@ -46,7 +47,7 @@ class Host(base.APIDictWrapper):
cpu_info_dict = getattr(self, 'cpu_info', '{}') cpu_info_dict = getattr(self, 'cpu_info', '{}')
if not cpu_info_dict: if not cpu_info_dict:
cpu_info_dict = '{}' cpu_info_dict = '{}'
return eval(cpu_info_dict) return json.loads(cpu_info_dict)
def extra_capabilities(self): def extra_capabilities(self):
excaps = {} excaps = {}
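Review bot: `return json.loads(cpu_info_dict)` is the only parse site in this commit with no error handling — a `cpu_info` value that is not valid JSON now raises `json.JSONDecodeError` out of the API wrapper, and a non-string value raises `TypeError`, whereas the form hunks later in the commit catch the decode error. The fixture change in the test data hunk (`"{'dummy': 'true'}"` to `"{\"dummy\": \"true\"}"`) suggests the previously stored format was a Python repr, so hosts registered before this change may carry values that no longer parse; if so, wrapping the call as `try: return json.loads(cpu_info_dict)` / `except (TypeError, ValueError): return {}` and logging a warning through the module's logger keeps the host view rendering instead of failing it. The enclosing method starts above this hunk.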


@ -10,6 +10,7 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
import json
import logging import logging
from django.utils.translation import ugettext_lazy as _ from django.utils.translation import ugettext_lazy as _
@ -54,11 +55,11 @@ class UpdateForm(forms.SelfHandlingForm):
values = cleaned_data.get('values') values = cleaned_data.get('values')
try: try:
values = eval(values) values = json.loads(values)
cleaned_data['values'] = values cleaned_data['values'] = values
except (SyntaxError, NameError): except json.JSONDecodeError:
raise forms.ValidationError( raise forms.ValidationError(
_('Values must written in JSON') _('Values must be written in JSON')
) )
return cleaned_data return cleaned_data
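Review bot: `except json.JSONDecodeError` around `values = json.loads(values)` only covers malformed JSON; `json.loads` raises `TypeError` when `values` is not a string (the `cleaned_data.get('values')` two lines up can yield `None`, and no emptiness guard is visible in this hunk), and well-formed non-object input such as `[]` or `5` is accepted and stored. Catching `(TypeError, ValueError)` — `JSONDecodeError` is a `ValueError` subclass — and rejecting an unexpected type with the same `ValidationError` would close both gaps. The same non-object gap applies to the `extra_caps` and `reservations` hunks later in this commit (those at least guard on truthiness first), with a type check appropriate to each field. The enclosing method starts above this hunk.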


@ -10,6 +10,7 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
import json
import logging import logging
from django.utils.translation import ugettext_lazy as _ from django.utils.translation import ugettext_lazy as _
@ -79,11 +80,11 @@ class AddExtraCapsAction(workflows.Action):
if extra_caps: if extra_caps:
try: try:
extra_caps = eval(extra_caps) extra_caps = json.loads(extra_caps)
cleaned_data['extra_caps'] = extra_caps cleaned_data['extra_caps'] = extra_caps
except (SyntaxError, NameError): except json.JSONDecodeError:
raise forms.ValidationError( raise forms.ValidationError(
_('Extra capabilities must written in JSON') _('Extra capabilities must be written in JSON')
) )
return cleaned_data return cleaned_data


@ -14,6 +14,7 @@
# under the License. # under the License.
import datetime import datetime
import json
import logging import logging
import re import re
@ -339,11 +340,11 @@ class UpdateForm(forms.SelfHandlingForm):
if reservations: if reservations:
try: try:
reservations = eval(reservations) reservations = json.loads(reservations)
cleaned_data['reservations'] = reservations cleaned_data['reservations'] = reservations
except (SyntaxError, NameError): except json.JSONDecodeError:
raise forms.ValidationError( raise forms.ValidationError(
_('Reservation values must written in JSON') _('Reservation values must be written in JSON')
) )
if not (lease_name or start_time or end_time or reservations): if not (lease_name or start_time or end_time or reservations):


@ -142,7 +142,7 @@ host_sample1 = {
"updated_at": None, "updated_at": None,
"hypervisor_hostname": "compute-1", "hypervisor_hostname": "compute-1",
"memory_mb": 4096, "memory_mb": 4096,
"cpu_info": "{'dummy': 'true'}", "cpu_info": "{\"dummy\": \"true\"}",
"vcpus": 1, "vcpus": 1,
"service_name": "blazar", "service_name": "blazar",
"hypervisor_version": 2005000, "hypervisor_version": 2005000,
@ -160,7 +160,7 @@ host_sample2 = {
"updated_at": None, "updated_at": None,
"hypervisor_hostname": "compute-2", "hypervisor_hostname": "compute-2",
"memory_mb": 4096, "memory_mb": 4096,
"cpu_info": "{'dummy': 'true'}", "cpu_info": "{\"dummy\": \"true\"}",
"vcpus": 1, "vcpus": 1,
"service_name": "blazar", "service_name": "blazar",
"hypervisor_version": 2005000, "hypervisor_version": 2005000,


@ -0,0 +1,6 @@
---
security:
- |
Uses ``json.loads` instead of ``eval()`` for JSON parsing, which could
allow users of the Blazar dashboard to trigger code execution on the
Horizon host as the user the Horizon service runs under.