
Use json.loads instead of eval for JSON parsing

Also fixed error messages.

Change-Id: I998d6929ad05d9b5bc4e07f27f3f9cbf2dd64c68
Closes-Bug: #1895688
(cherry picked from commit 33c58438ab)
tags/1.3.1^0
Lukas Euler 2 months ago
committed by Pierre Riteau
parent
commit
ee10b2c5c1
6 changed files with 22 additions and 12 deletions
  1. +2
    -1
      blazar_dashboard/api/client.py
  2. +4
    -3
      blazar_dashboard/content/hosts/forms.py
  3. +4
    -3
      blazar_dashboard/content/hosts/workflows.py
  4. +4
    -3
      blazar_dashboard/content/leases/forms.py
  5. +2
    -2
      blazar_dashboard/test/test_data/blazar_data.py
  6. +6
    -0
      releasenotes/notes/remove-use-of-eval-ef359dec791c97cd.yaml

+ 2
- 1
blazar_dashboard/api/client.py

@@ -12,6 +12,7 @@

from __future__ import absolute_import

import json
import logging

from horizon import exceptions
@@ -48,7 +49,7 @@ class Host(base.APIDictWrapper):
cpu_info_dict = getattr(self, 'cpu_info', '{}')
if not cpu_info_dict:
cpu_info_dict = '{}'
return eval(cpu_info_dict)
return json.loads(cpu_info_dict)

def extra_capabilities(self):
excaps = {}


+ 4
- 3
blazar_dashboard/content/hosts/forms.py

@@ -10,6 +10,7 @@
# License for the specific language governing permissions and limitations
# under the License.

import json
import logging

from django.utils.translation import ugettext_lazy as _
@@ -54,11 +55,11 @@ class UpdateForm(forms.SelfHandlingForm):

values = cleaned_data.get('values')
try:
values = eval(values)
values = json.loads(values)
cleaned_data['values'] = values
except (SyntaxError, NameError):
except json.JSONDecodeError:
raise forms.ValidationError(
_('Values must written in JSON')
_('Values must be written in JSON')
)

return cleaned_data
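Review bot: `json.loads` accepts any JSON document, so after the new line `values = json.loads(values)` the field may hold a list, a string, a number or `None`, and `cleaned_data['values']` then carries that on as if it were the mapping of capability names to values this form presumably expects (judging by the sibling extra-capabilities form); `eval` had the same hole, but with a real parser the shape check is one `isinstance`. The `except json.JSONDecodeError` clause also misses the `TypeError` that `json.loads(None)` raises when the field is empty — this hunk has no guard like the `if extra_caps:` / `if reservations:` in the sibling files, and the field definition is outside the hunk, so I cannot tell whether Django already rejects an empty value; catching `(TypeError, ValueError)` covers both cases on every Python version. The enclosing `clean()` starts before the hunk.
```python
        try:
            values = json.loads(values)
        except (TypeError, ValueError):
            raise forms.ValidationError(
                _('Values must be written in JSON')
            )
        # json.loads happily returns lists, strings, numbers or None;
        # only an object makes sense as a set of key/value capabilities.
        if not isinstance(values, dict):
            raise forms.ValidationError(
                _('Values must be a JSON object')
            )
        cleaned_data['values'] = values
```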

+ 4
- 3
blazar_dashboard/content/hosts/workflows.py

@@ -10,6 +10,7 @@
# License for the specific language governing permissions and limitations
# under the License.

import json
import logging

from django.utils.translation import ugettext_lazy as _
@@ -79,11 +80,11 @@ class AddExtraCapsAction(workflows.Action):

if extra_caps:
try:
extra_caps = eval(extra_caps)
extra_caps = json.loads(extra_caps)
cleaned_data['extra_caps'] = extra_caps
except (SyntaxError, NameError):
except json.JSONDecodeError:
raise forms.ValidationError(
_('Extra capabilities must written in JSON')
_('Extra capabilities must be written in JSON')
)

return cleaned_data
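Review bot: `except json.JSONDecodeError:` on the new side only resolves on Python 3.5+; on a Python 2.7 interpreter the name does not exist, so the first malformed payload turns into an `AttributeError` from the `except` clause itself rather than the intended `ValidationError`. I cannot tell from the hunk whether the 1.3.x branch still supports Python 2 (the `from __future__ import absolute_import` kept in client.py suggests that compatibility is at least still being carried), but `JSONDecodeError` is a `ValueError` subclass, so `except ValueError:` is correct on every version and costs nothing. As with the hosts form, a one-line `if not isinstance(extra_caps, dict): raise forms.ValidationError(_('Extra capabilities must be a JSON object'))` after the parse would reject `[]`, `"x"` or `null`, which `json.loads` accepts just as readily as an object. The enclosing `clean()` of `AddExtraCapsAction` starts before the hunk.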


+ 4
- 3
blazar_dashboard/content/leases/forms.py

@@ -14,6 +14,7 @@
# under the License.

import datetime
import json
import logging
import re

@@ -339,11 +340,11 @@ class UpdateForm(forms.SelfHandlingForm):

if reservations:
try:
reservations = eval(reservations)
reservations = json.loads(reservations)
cleaned_data['reservations'] = reservations
except (SyntaxError, NameError):
except json.JSONDecodeError:
raise forms.ValidationError(
_('Reservation values must written in JSON')
_('Reservation values must be written in JSON')
)

if not (lease_name or start_time or end_time or reservations):
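Review bot: The parsed `reservations` value is stored into `cleaned_data` without any structural check, so a user-supplied `"42"`, `"\"x\""` or `"null"` passes this `clean()` and is only rejected (or silently dropped — `null` parses to `None`, which the `if not (... or reservations)` test on the last line then treats as "nothing to update") somewhere further down the stack. Blazar's lease update presumably takes a list of reservation objects, so validating that shape here keeps the error close to the input: `if not isinstance(reservations, list) or not all(isinstance(r, dict) for r in reservations):` followed by `raise forms.ValidationError(_('Reservation values must be a JSON list of objects'))`. `except ValueError:` rather than `except json.JSONDecodeError:` would also keep the clause valid on Python 2.7, should this branch still support it. The enclosing `clean()` of `UpdateForm` starts before the hunk.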


+ 2
- 2
blazar_dashboard/test/test_data/blazar_data.py

@@ -142,7 +142,7 @@ host_sample1 = {
"updated_at": None,
"hypervisor_hostname": "compute-1",
"memory_mb": 4096,
"cpu_info": "{'dummy': 'true'}",
"cpu_info": "{\"dummy\": \"true\"}",
"vcpus": 1,
"service_name": "blazar",
"hypervisor_version": 2005000,
@@ -160,7 +160,7 @@ host_sample2 = {
"updated_at": None,
"hypervisor_hostname": "compute-2",
"memory_mb": 4096,
"cpu_info": "{'dummy': 'true'}",
"cpu_info": "{\"dummy\": \"true\"}",
"vcpus": 1,
"service_name": "blazar",
"hypervisor_version": 2005000,


+ 6
- 0
releasenotes/notes/remove-use-of-eval-ef359dec791c97cd.yaml

@@ -0,0 +1,6 @@
---
security:
- |
Uses ``json.loads` instead of ``eval()`` for JSON parsing, which could
allow users of the Blazar dashboard to trigger code execution on the
Horizon host as the user the Horizon service runs under.
