Remove unsafe usage of eval

eval will execute a function before it has been determined to be
a Python data type.  Instead, use ast.literal_eval, which validates
that the object is a data type before executing it.

See:
    http://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html

(copied from Ia3d74747e66d72e97a3fb9029bd51331c902f874)

Change-Id: Iae0d42f8d14f66d6ea6cf2201646d8a796cc0cc9
Davanum Srinivas 2016-04-22 14:12:34 -04:00
parent 5d1a429016
commit 7b1385dd3e

@ -21,6 +21,7 @@ from . import models
from .rest import RESTClient from .rest import RESTClient
from .rest import ApiException from .rest import ApiException
import ast
import os import os
import re import re
import urllib import urllib
@ -259,10 +260,10 @@ class ApiClient(object):
# for native types # for native types
if klass in ['int', 'float', 'str', 'bool', if klass in ['int', 'float', 'str', 'bool',
"date", 'datetime', "object"]: "date", 'datetime', "object"]:
klass = eval(klass) klass = ast.literal_eval(klass)
# for model types # for model types
else: else:
klass = eval('models.' + klass) klass = ast.literal_eval('models.' + klass)
if klass in [int, float, str, bool]: if klass in [int, float, str, bool]:
return self.__deserialize_primitive(data, klass) return self.__deserialize_primitive(data, klass)
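Review bot: `ast.literal_eval` accepts only literal syntax (strings, numbers, tuples, lists, dicts, sets, booleans, None), so on the new side both `ast.literal_eval(klass)` with a value such as `'int'` and `ast.literal_eval('models.' + klass)` raise `ValueError` instead of returning a type, and every call that reaches this branch would fail. The names can be resolved without evaluating anything: `klass = getattr(models, klass)` in the model branch, and a fixed lookup in the native branch such as `klass = {'int': int, 'float': float, 'str': str, 'bool': bool, 'date': date, 'datetime': datetime, 'object': object}[klass]`, assuming `date` and `datetime` are already imported in this module, which the hunk does not show. An unexpected name then fails with `KeyError` or `AttributeError` rather than being evaluated, which is what the commit message is aiming for. With that change the `import ast` added in the first hunk is no longer needed. The enclosing method starts and ends outside the hunk, so how `klass` reaches this point is not visible here.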