Fix security issues of eval-s in testapi

[releng.git] / utils / test / result_collection_api / opnfv_testapi / resources / handlers.py

diff --git a/utils/test/result_collection_api/opnfv_testapi/resources/handlers.py b/utils/test/result_collection_api/opnfv_testapi/resources/handlers.py
index 8737011..5059f5d 100644 (file)
--- a/utils/test/result_collection_api/opnfv_testapi/resources/handlers.py
+++ b/utils/test/result_collection_api/opnfv_testapi/resources/handlers.py
@@ -23,8 +23,8 @@
 import json
 from datetime import datetime
 
-from tornado.web import RequestHandler, asynchronous, HTTPError
 from tornado import gen
+from tornado.web import RequestHandler, asynchronous, HTTPError
 
 from models import CreateResponse
 from opnfv_testapi.common.constants import DEFAULT_REPRESENTATION, \
@@ -198,9 +198,8 @@ class GenericApiHandler(RequestHandler):
         comparing values
         """
         if not (new_value is None):
-            if len(new_value) > 0:
-                if new_value != old_value:
-                    edit_request[key] = new_value
+            if new_value != old_value:
+                edit_request[key] = new_value
 
         return edit_request
 
@@ -218,7 +217,8 @@ class GenericApiHandler(RequestHandler):
         return equal, query
 
     def _eval_db(self, table, method, *args, **kwargs):
-        return eval('self.db.%s.%s(*args, **kwargs)' % (table, method))
+        exec_collection = self.db.__getattr__(table)
+        return exec_collection.__getattribute__(method)(*args, **kwargs)
 
     def _eval_db_find_one(self, query, table=None):
         if table is None: