diff --git a/blazar_dashboard/api/client.py b/blazar_dashboard/api/client.py
index df506f7..1d876b2 100644
--- a/blazar_dashboard/api/client.py
+++ b/blazar_dashboard/api/client.py
@@ -12,6 +12,7 @@
 
 from __future__ import absolute_import
 
+import json
 import logging
 
 from horizon import exceptions
@@ -48,7 +49,7 @@ class Host(base.APIDictWrapper):
         cpu_info_dict = getattr(self, 'cpu_info', '{}')
         if not cpu_info_dict:
             cpu_info_dict = '{}'
-        return eval(cpu_info_dict)
+        return json.loads(cpu_info_dict)
 
     def extra_capabilities(self):
         excaps = {}
diff --git a/blazar_dashboard/content/hosts/forms.py b/blazar_dashboard/content/hosts/forms.py
index 956dbea..800ba72 100644
--- a/blazar_dashboard/content/hosts/forms.py
+++ b/blazar_dashboard/content/hosts/forms.py
@@ -10,6 +10,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+import json
 import logging
 
 from django.utils.translation import ugettext_lazy as _
@@ -54,11 +55,11 @@ class UpdateForm(forms.SelfHandlingForm):
         values = cleaned_data.get('values')
 
         try:
-            values = eval(values)
+            values = json.loads(values)
             cleaned_data['values'] = values
-        except (SyntaxError, NameError):
+        except json.JSONDecodeError:
             raise forms.ValidationError(
-                _('Values must written in JSON')
+                _('Values must be written in JSON')
             )
 
         return cleaned_data
diff --git a/blazar_dashboard/content/hosts/workflows.py b/blazar_dashboard/content/hosts/workflows.py
index 1e5fd04..1b3a958 100644
--- a/blazar_dashboard/content/hosts/workflows.py
+++ b/blazar_dashboard/content/hosts/workflows.py
@@ -10,6 +10,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+import json
 import logging
 
 from django.utils.translation import ugettext_lazy as _
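Review bot: The new `return json.loads(cpu_info_dict)` in `Host.cpu_info` turns any non-JSON `cpu_info` value into an uncaught `ValueError`, whereas `eval()` at least accepted the Python-repr form (`{'dummy': 'true'}`) that the test fixtures in this same commit had to be rewritten away from; if any host record the API returns still carries that form, the hosts view now fails instead of rendering. The property already degrades an empty value to `'{}'`, so a malformed one should degrade the same way rather than take down the page: `try: return json.loads(cpu_info_dict)` / `except ValueError: LOG.warning('Ignoring unparseable cpu_info: %r', cpu_info_dict); return {}` (the module imports `logging`, but no `LOG` object is visible in the hunk, so reuse whatever name the file already defines). Catch `ValueError` rather than `json.JSONDecodeError` here and in the form hunks: the latter subclasses it on Python 3 and does not exist in the Python 2 `json` module at all. The enclosing method begins before the hunk.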
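Review bot: `except json.JSONDecodeError:` in the hosts `UpdateForm.clean` is narrower than the failures `json.loads(values)` can produce at that point: `values` comes from `cleaned_data.get('values')` with no emptiness guard (unlike the sibling hunks, which check `if extra_caps:` first), so a blank or missing field reaches `json.loads(None)` and escapes as an unhandled `TypeError` rather than a validation message. Catch `except (TypeError, ValueError):` instead; `ValueError` covers `JSONDecodeError` on Python 3 and is the only class the Python 2 `json` module raises, so it also keeps the form working if this code still runs under 2.7. Separately, `json.loads` happily returns a string, number or list, so `cleaned_data['values']` may not be a mapping at all; validate the shape before storing it, e.g. `if not isinstance(values, dict): raise forms.ValidationError(_('Values must be a JSON object'))`. `clean` begins before the hunk.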
@@ -79,11 +80,11 @@ class AddExtraCapsAction(workflows.Action):
 
         if extra_caps:
             try:
-                extra_caps = eval(extra_caps)
+                extra_caps = json.loads(extra_caps)
                 cleaned_data['extra_caps'] = extra_caps
-            except (SyntaxError, NameError):
+            except json.JSONDecodeError:
                 raise forms.ValidationError(
-                    _('Extra capabilities must written in JSON')
+                    _('Extra capabilities must be written in JSON')
                 )
 
         return cleaned_data
diff --git a/blazar_dashboard/content/leases/forms.py b/blazar_dashboard/content/leases/forms.py
index 6b88d5b..76bda24 100644
--- a/blazar_dashboard/content/leases/forms.py
+++ b/blazar_dashboard/content/leases/forms.py
@@ -14,6 +14,7 @@
 # under the License.
 
 import datetime
+import json
 import logging
 import re
 
@@ -339,11 +340,11 @@ class UpdateForm(forms.SelfHandlingForm):
 
         if reservations:
             try:
-                reservations = eval(reservations)
+                reservations = json.loads(reservations)
                 cleaned_data['reservations'] = reservations
-            except (SyntaxError, NameError):
+            except json.JSONDecodeError:
                 raise forms.ValidationError(
-                    _('Reservation values must written in JSON')
+                    _('Reservation values must be written in JSON')
                 )
 
         if not (lease_name or start_time or end_time or reservations):
diff --git a/blazar_dashboard/test/test_data/blazar_data.py b/blazar_dashboard/test/test_data/blazar_data.py
index 173e351..4d17547 100644
--- a/blazar_dashboard/test/test_data/blazar_data.py
+++ b/blazar_dashboard/test/test_data/blazar_data.py
@@ -142,7 +142,7 @@ host_sample1 = {
     "updated_at": None,
     "hypervisor_hostname": "compute-1",
     "memory_mb": 4096,
-    "cpu_info": "{'dummy': 'true'}",
+    "cpu_info": "{\"dummy\": \"true\"}",
     "vcpus": 1,
     "service_name": "blazar",
     "hypervisor_version": 2005000,
@@ -160,7 +160,7 @@ host_sample2 = {
     "updated_at": None,
     "hypervisor_hostname": "compute-2",
     "memory_mb": 4096,
-    "cpu_info": "{'dummy': 'true'}",
+    "cpu_info": "{\"dummy\": \"true\"}",
     "vcpus": 1,
     "service_name": "blazar",
     "hypervisor_version": 2005000,
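Review bot: `cleaned_data['extra_caps'] = extra_caps` in `AddExtraCapsAction.clean` stores whatever JSON value `json.loads` returned, yet everything downstream that consumes extra capabilities presumably expects a mapping of capability name to value; `"x"`, `42` or `[1]` all parse cleanly here and will only blow up later, outside this hunk, wherever the workflow iterates the mapping. Reject them at the form boundary with `if not isinstance(extra_caps, dict): raise forms.ValidationError(_('Extra capabilities must be a JSON object'))` placed before the assignment. On the except clause prefer `except ValueError:` to `except json.JSONDecodeError:`: the former catches the latter on Python 3 and is the class the Python 2 `json` module raises, so it is no less precise and avoids an `AttributeError` on the except line if this dashboard still runs under 2.7. The method begins before the hunk.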
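Review bot: `except json.JSONDecodeError:` in the leases `UpdateForm.clean` is not an attribute of the Python 2 `json` module, so if this dashboard still supports 2.7 a malformed reservations string would raise `AttributeError` while evaluating the except clause instead of the validation error the hunk intends; `except ValueError:` is equivalent on Python 3 (`JSONDecodeError` subclasses it) and correct on both. The parsed value is also stored unchecked: `json.loads` returns a bare string or number just as readily as the list of reservation dicts the update presumably sends to the API, so add a shape check such as `if not isinstance(reservations, list): raise forms.ValidationError(_('Reservation values must be a JSON list'))` before the assignment, adjusting the expected type to whatever `handle` actually passes through. `clean` continues past the end of the hunk.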
diff --git a/releasenotes/notes/remove-use-of-eval-ef359dec791c97cd.yaml b/releasenotes/notes/remove-use-of-eval-ef359dec791c97cd.yaml
new file mode 100644
index 0000000..fad73a1
--- /dev/null
+++ b/releasenotes/notes/remove-use-of-eval-ef359dec791c97cd.yaml
@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Uses ``json.loads` instead of ``eval()`` for JSON parsing, which could
+    allow users of the Blazar dashboard to trigger code execution on the
+    Horizon host as the user the Horizon service runs under.