Fix security issues of eval-s in testapi
[releng.git] / utils / test / result_collection_api / opnfv_testapi / resources / handlers.py
index 4b39b24..5059f5d 100644 (file)
 import json
 from datetime import datetime
 
-from tornado.web import RequestHandler, asynchronous, HTTPError
 from tornado import gen
+from tornado.web import RequestHandler, asynchronous, HTTPError
 
 from models import CreateResponse
 from opnfv_testapi.common.constants import DEFAULT_REPRESENTATION, \
     HTTP_BAD_REQUEST, HTTP_NOT_FOUND, HTTP_FORBIDDEN
-from opnfv_testapi.tornado_swagger_ui.tornado_swagger import swagger
+from opnfv_testapi.tornado_swagger import swagger
 
 
 class GenericApiHandler(RequestHandler):
@@ -96,8 +96,10 @@ class GenericApiHandler(RequestHandler):
                 code, message = error(data)
                 raise HTTPError(code, message)
 
-        data.creation_date = datetime.now()
-        _id = yield self._eval_db(self.table, 'insert', data.format())
+        if self.table != 'results':
+            data.creation_date = datetime.now()
+        _id = yield self._eval_db(self.table, 'insert', data.format(),
+                                  check_keys=False)
         if 'name' in self.json_args:
             resource = data.name
         else:
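Review bot: `check_keys=False` on the insert at lines 27-28 disables the driver's rejection of document keys containing `$` or `.`, and the update in the later hunk (lines 54-55) does the same. Since `data` is built from `self.json_args` (line 29), a request body can place such keys into stored documents unless they are validated earlier, and nothing visible here shows that check. Either keep the default `check_keys=True`, or document the reason and where keys are validated with a comment such as `# check_keys=False: <reason>; keys are validated in <where>`. The `results` exception for `creation_date` on line 25 also deserves a one-line why-comment. The enclosing method begins before this hunk.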
@@ -106,11 +108,15 @@ class GenericApiHandler(RequestHandler):
 
     @asynchronous
     @gen.coroutine
-    def _list(self, query=None, res_op=None, *args):
+    def _list(self, query=None, res_op=None, *args, **kwargs):
         if query is None:
             query = {}
         data = []
         cursor = self._eval_db(self.table, 'find', query)
+        if 'sort' in kwargs:
+            cursor = cursor.sort(kwargs.get('sort'))
+        if 'last' in kwargs:
+            cursor = cursor.limit(kwargs.get('last'))
         while (yield cursor.fetch_next):
             data.append(self.format_data(cursor.next_object()))
         if res_op is None:
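Review bot: The `'sort' in kwargs` / `kwargs.get('sort')` pairs on lines 42-45 are redundant and hide which options `_list` accepts; after the membership test use `cursor = cursor.sort(kwargs['sort'])` and `cursor = cursor.limit(kwargs['last'])`, and list the two recognised keys in the method's docstring. If `last` can originate from a request query string it must be converted to an `int` before `limit()`, which cannot be confirmed from this hunk. `_list` continues past the end of the hunk.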
@@ -169,7 +175,8 @@ class GenericApiHandler(RequestHandler):
         edit_request.update(self._update_requests(data))
 
         """ Updating the DB """
-        yield self._eval_db(self.table, 'update', query, edit_request)
+        yield self._eval_db(self.table, 'update', query, edit_request,
+                            check_keys=False)
         edit_request['_id'] = str(data._id)
         self.finish_request(edit_request)
 
@@ -191,9 +198,8 @@ class GenericApiHandler(RequestHandler):
         comparing values
         """
         if not (new_value is None):
-            if len(new_value) > 0:
-                if new_value != old_value:
-                    edit_request[key] = new_value
+            if new_value != old_value:
+                edit_request[key] = new_value
 
         return edit_request
 
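Review bot: With the length guard gone, an empty string or list now overwrites the stored value whenever it differs (lines 66-67); if that is intended, the method's docstring, which starts before this hunk, should say so, e.g. `Empty values are written; only None leaves the field untouched.` The remaining nesting can be flattened to a single guard: `if new_value is not None and new_value != old_value:` followed by `edit_request[key] = new_value`.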
@@ -210,8 +216,9 @@ class GenericApiHandler(RequestHandler):
             query[key] = new
         return equal, query
 
-    def _eval_db(self, table, method, *args):
-        return eval('self.db.%s.%s(*args)' % (table, method))
+    def _eval_db(self, table, method, *args, **kwargs):
+        exec_collection = self.db.__getattr__(table)
+        return exec_collection.__getattribute__(method)(*args, **kwargs)
 
     def _eval_db_find_one(self, query, table=None):
         if table is None:
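Review bot: Calling `__getattr__` and `__getattribute__` directly on lines 78-79 is non-idiomatic and brittle — `__getattribute__` skips any `__getattr__` fallback the collection class defines — when `getattr` does the same job: `collection = getattr(self.db, table)` and `return getattr(collection, method)(*args, **kwargs)`. The `eval` is gone, but `table` and `method` still select an arbitrary attribute; in the callers visible here they are `self.table` and literal strings, and if that holds everywhere a comment stating it (`# table/method are handler constants, never request input`) or an allow-list of the methods actually used (`insert`, `find`, `update`) would make the contract explicit. `_eval_db_find_one` on line 81 continues past the hunk.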