Avoid to use eval in pythonk8sclient

The deserialize function that swagger uses includes the usage of eval. It is posible to completely destroy a system using eval, so eval usage is removed in this patch. This fixes the failure of bandit non-voting gate. http://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html Change-Id: Id13ea30d07a66d9a812677840c29c48662f43f6f Closes-Bug: #1459717
2015-09-11 10:00:44 +08:00 · 2015-09-11 10:00:44 +08:00 · f641cc291e
commit f641cc291e
parent b222d8af97
1 changed files with 8 additions and 4 deletions
--- a/magnum/common/pythonk8sclient/swagger_client/api_client.py
+++ b/magnum/common/pythonk8sclient/swagger_client/api_client.py
@ -17,6 +17,7 @@ Copyright 2015 SmartBear Software
 """

 from __future__ import absolute_import
+import __builtin__
 from . import models
 from .rest import RESTClient
 from .rest import ApiException
@ -257,12 +258,15 @@ class ApiClient(object):

            # convert str to class
            # for native types
-            if klass in ['int', 'float', 'str', 'bool',
-                         "date", 'datetime', "object"]:
-                klass = eval(klass)
+            if klass in ['int', 'float', 'str', 'bool', 'object']:
+                klass = getattr(__builtin__, klass)
+            elif klass == 'date':
+                klass = date
+            elif klass == 'datetime':
+                klass = datetime
            # for model types
            else:
-                klass = eval('models.' + klass)
+                klass = getattr(models, klass)

        if klass in [int, float, str, bool]:
            return self.__deserialize_primitive(data, klass)