Fix security issues of eval-s in testapi
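diff --git a/utils/test/result_collection_api/opnfv_testapi/resources/handlers.py b/utils/test/result_collection_api/opnfv_testapi/resources/handlers.py
index f98c35e..5059f5d 100644
--- a/utils/test/result_collection_api/opnfv_testapi/resources/handlers.py
+++ b/utils/test/result_collection_api/opnfv_testapi/resources/handlers.py
@@ -23,8 +23,8 @@
 import json
 from datetime import datetime
-from tornado.web import RequestHandler, asynchronous, HTTPError
 from tornado import gen
+from tornado.web import RequestHandler, asynchronous, HTTPError
 from models import CreateResponse
 from opnfv_testapi.common.constants import DEFAULT_REPRESENTATION, \
@@ -217,7 +217,8 @@ class GenericApiHandler(RequestHandler):
 return equal, query
 def _eval_db(self, table, method, *args, **kwargs):
- return eval('self.db.%s.%s(*args, **kwargs)' % (table, method))
+ exec_collection = self.db.__getattr__(table)
+ return exec_collection.__getattribute__(method)(*args, **kwargs)
 def _eval_db_find_one(self, query, table=None):
 if table is None: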
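Review bot: `_eval_db` no longer evaluates a string, but `table` and `method` are still used unchecked to choose the attribute that gets called, so any collection and any method on it, including destructive ones, stays reachable if a caller ever passes request-derived names; the callers are outside this hunk, so that cannot be confirmed from here. A membership check against a fixed set of permitted method names before the lookup would bound this, for example `if method not in _ALLOWED_DB_METHODS: raise HTTPError(500)`, where `_ALLOWED_DB_METHODS` is a name constructed for this note that the file would need to define. The lookup itself is clearer and less brittle with the builtin than with direct dunder calls: `collection = getattr(self.db, table)` followed by `return getattr(collection, method)(*args, **kwargs)`. Calling `self.db.__getattr__` directly bypasses normal attribute resolution and only works while the database class defines that hook.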