xprofile: Stop using eval()

All we need is int(). Using eval() on user-provided data (or really at
all) is a Bad Idea.

Closes-Bug: #2091124
Change-Id: I39bb87f9d8e27f2f88410a087a120a0e9be1a243
(cherry picked from commit 199aa78fbe)

bandit.yaml

@@ -79,7 +79,7 @@
 # B703 : django_mark_safe
 
 # (optional) list included test IDs here, eg '[B101, B406]':
-tests: [B102, B103, B302, B303, B304, B305, B306, B308, B310, B401, B501, B502, B506, B601, B602, B609]
+tests: [B102, B103, B302, B303, B304, B305, B306, B307, B308, B310, B401, B501, B502, B506, B601, B602, B609]
 
 # (optional) list skipped test IDs here, eg '[B101, B406]':
 skips:

swift/common/middleware/x_profile/html_viewer.py

@@ -246,7 +246,7 @@ class HTMLViewer(object):
         if multiple:
             return value
         if isinstance(value, list):
-            return eval(value[0]) if isinstance(default, int) else value[0]
+            return int(value[0]) if isinstance(default, int) else value[0]
         else:
             return value
 

test/unit/common/middleware/test_xprofile.py

@@ -184,6 +184,25 @@ class TestProfileMiddleware(unittest.TestCase):
         new_profiler = self.app.profiler
         self.assertTrue(old_profiler != new_profiler)
 
+    def test_int_values(self):
+        for body in (
+            b"limit=os.system",
+            b"fulldirs=boom",
+        ):
+            environ = {'HTTP_HOST': 'localhost:8080',
+                       'PATH_INFO': '/__profile__',
+                       'REQUEST_METHOD': 'POST',
+                       'wsgi.input': BytesIO(body)}
+            resp = self.app(environ, self.start_response)
+            self.assertEqual(
+                self.got_statuses, ['500 Internal Server Error'], resp)
+            self.assertTrue(
+                resp.startswith(
+                    "Error on render profiling results: invalid literal "
+                    "for int() with base 10: "
+                ),
+                resp)
+
 
 class Test_profile_log(unittest.TestCase):