From c9b7bd6b2cf01118cad74723663a7e504372884f Mon Sep 17 00:00:00 2001
From: Steven Dake
Date: Sun, 12 Apr 2015 13:15:32 -0700
Subject: [PATCH] Remove unsafe usage of eval

eval will execute a function before it has been determined to be a python data type. Instead, use ast.literal_eval which validates the object is a data type before executing it.

See: http://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html

Change-Id: Ia3d74747e66d72e97a3fb9029bd51331c902f874
Partially-Implements: blueprint gate-bandit
---
 magnum/common/pythonk8sclient/client/swagger.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/magnum/common/pythonk8sclient/client/swagger.py b/magnum/common/pythonk8sclient/client/swagger.py
index d5e5466..1625763 100644
--- a/magnum/common/pythonk8sclient/client/swagger.py
+++ b/magnum/common/pythonk8sclient/client/swagger.py
@@ -4,6 +4,7 @@ server communication, and is invariant across implementations. Specifics of
 the methods and models for each application are generated from the Swagger templates."""
+import ast
 import sys
 import os
 import re
@@ -205,9 +206,9 @@ class ApiClient(object):
 return [self.deserialize(subObj, subClass) for subObj in obj]
 if (objClass in ['int', 'float', 'long', 'dict', 'list', 'str', 'bool', 'datetime']):
- objClass = eval(objClass)
+ objClass = ast.literal_eval(objClass)
 else:
 # not a native type, must be model class
- objClass = eval(objClass + '.' + objClass)
+ objClass = ast.literal_eval(objClass + '.' + objClass)
 if objClass in [int, long, float, dict, list, str, bool]:
 return objClass(obj)
@@ -220,7 +221,7 @@ class ApiClient(object):
 if obj is not None and instance.attributeMap[attr] in obj and type(obj) in [list, dict]:
 value = obj[instance.attributeMap[attr]]
 if attrType in ['str', 'int', 'long', 'float', 'bool']:
- attrType = eval(attrType)
+ attrType = ast.literal_eval(attrType)
 try:
 value = attrType(value)
 except UnicodeEncodeError:
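Review bot: `objClass = ast.literal_eval(objClass)` in the -205,9 hunk raises `ValueError: malformed node or string` on every call, because `ast.literal_eval` only evaluates literal nodes (strings, numbers, tuples, lists, dicts, sets, True/False/None) and a bare name such as `int` parses as a Name node; the model branch `ast.literal_eval(objClass + '.' + objClass)` fails the same way on an Attribute node, and so does `attrType = ast.literal_eval(attrType)` in the -220,7 hunk. As written the commit removes the `eval` finding by making deserialization fail for every type instead of resolving it safely, so it needs a different replacement rather than a swap of the call. Resolve type names through an explicit table of the names the `if` already allows (the same objects the old `eval` found in the module's globals), and resolve model classes with `getattr(globals()[objClass], objClass)`, which is limited to modules this file already imports and raises `KeyError` for anything else; `import ast` from the first hunk then becomes unused. The enclosing method (presumably `deserialize`, judging by the recursive call) starts and ends outside both hunks, and the `datetime` entry below assumes the file's existing `datetime` import, which the page does not show.
```python
# Module level, next to the imports: the only type names deserialize() resolves.
_NATIVE_TYPES = {
    'int': int, 'float': float, 'long': long, 'dict': dict,
    'list': list, 'str': str, 'bool': bool, 'datetime': datetime,
}

# … unchanged: deserialize() list handling …
        if objClass in _NATIVE_TYPES:
            objClass = _NATIVE_TYPES[objClass]
        else:
            # not a native type, must be model class; globals() restricts the
            # lookup to names already bound in this module, never arbitrary code
            objClass = getattr(globals()[objClass], objClass)
# … unchanged: native-type construction, model instantiation …
                if attrType in _NATIVE_TYPES:
                    attrType = _NATIVE_TYPES[attrType]
# … unchanged: value conversion and UnicodeEncodeError handling …
```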