From f641cc291e3ae48719729ca21811146da2c4f14b Mon Sep 17 00:00:00 2001
From: Hua Wang
Date: Fri, 11 Sep 2015 10:00:44 +0800
Subject: [PATCH] Avoid to use eval in pythonk8sclient

The deserialize function that swagger uses includes the usage of eval. It is posible to completely destroy a system using eval, so eval usage is removed in this patch. This fixes the failure of bandit non-voting gate.

http://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html

Change-Id: Id13ea30d07a66d9a812677840c29c48662f43f6f
Closes-Bug: #1459717
---
 .../pythonk8sclient/swagger_client/api_client.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/magnum/common/pythonk8sclient/swagger_client/api_client.py b/magnum/common/pythonk8sclient/swagger_client/api_client.py
index 02099f0..6d24a3a 100644
--- a/magnum/common/pythonk8sclient/swagger_client/api_client.py
+++ b/magnum/common/pythonk8sclient/swagger_client/api_client.py
@@ -17,6 +17,7 @@ Copyright 2015 SmartBear Software
 """
 from __future__ import absolute_import
+import __builtin__
 from . import models
 from .rest import RESTClient
 from .rest import ApiException
@@ -257,12 +258,15 @@ class ApiClient(object):
         # convert str to class
         # for native types
-        if klass in ['int', 'float', 'str', 'bool',
-                     "date", 'datetime', "object"]:
-            klass = eval(klass)
+        if klass in ['int', 'float', 'str', 'bool', 'object']:
+            klass = getattr(__builtin__, klass)
+        elif klass == 'date':
+            klass = date
+        elif klass == 'datetime':
+            klass = datetime
         # for model types
         else:
-            klass = eval('models.' + klass)
+            klass = getattr(models, klass)
 
         if klass in [int, float, str, bool]:
             return self.__deserialize_primitive(data, klass)
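Review bot: In the second hunk, `klass = getattr(models, klass)` in the else branch resolves any attribute of the models module, not only model classes — dunder attributes and anything models imports are returned just the same and passed on as a "model type" — so the replacement for eval still lacks a check that the name denotes a class. A bounded lookup gives the same result for real models and a clear failure for anything else: `model_cls = getattr(models, klass, None)`, `if not isinstance(model_cls, type): raise ValueError('unknown type %s' % klass)`, `klass = model_cls` (generated swagger models are new-style classes, so the `type` check should hold on Python 2 — confirm). Separately, `__builtin__` exists only on Python 2 (the module is `builtins` on Python 3), and the `date` and `datetime` names used in the new `elif` branches must already be imported at module level, which this hunk does not show. The enclosing method's signature and the rest of its body lie outside the hunk.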