Fix security issues of eval-s in testapi

results from security audit show risks and recommendations to fix them

JIRA: RELENG-144

Change-Id: If128cc3ae230150a912b581dfb1ded543d851eb5
Signed-off-by: SerenaFeng <feng.xiaowei@zte.com.cn>

diff --git a/utils/test/result_collection_api/opnfv_testapi/dashboard/bottlenecks2Dashboard.py b/utils/test/result_collection_api/opnfv_testapi/dashboard/bottlenecks2Dashboard.py
index 2e106be..f5e3d9a 100755 (executable)
--- a/utils/test/result_collection_api/opnfv_testapi/dashboard/bottlenecks2Dashboard.py
+++ b/utils/test/result_collection_api/opnfv_testapi/dashboard/bottlenecks2Dashboard.py
@@ -48,8 +48,8 @@ def format_bottlenecks_for_dashboard(case, results):
     then build the call to the specific method
     """
     if check_bottlenecks_case_exist(case):
-        cmd = "format_" + case + "_for_dashboard(results)"
-        res = eval(cmd)
+        cmd = "format_" + case + "_for_dashboard"
+        res = globals()[cmd](results)
     else:
         res = []
         print "Test cases not declared"

diff --git a/utils/test/result_collection_api/opnfv_testapi/dashboard/dashboard_utils.py b/utils/test/result_collection_api/opnfv_testapi/dashboard/dashboard_utils.py
index 121875d..42c6358 100644 (file)
--- a/utils/test/result_collection_api/opnfv_testapi/dashboard/dashboard_utils.py
+++ b/utils/test/result_collection_api/opnfv_testapi/dashboard/dashboard_utils.py
@@ -14,7 +14,6 @@
 #
 # v0.1: basic example
 #
-import os
 import re
 import sys
 from functest2Dashboard import format_functest_for_dashboard, \
@@ -47,8 +46,8 @@ def check_dashboard_ready_project(test_project):
 
 
 def check_dashboard_ready_case(project, case):
-    cmd = "check_" + project + "_case_exist(case)"
-    return eval(cmd)
+    cmd = "check_" + project + "_case_exist"
+    return globals()[cmd](case)
 
 
 def get_dashboard_projects():
@@ -73,6 +72,5 @@ def get_dashboard_result(project, case, results=None):
     # project: project name
     # results: array of raw results pre-filterded
     # according to the parameters of the request
-    cmd = "format_" + project + "_for_dashboard(case,results)"
-    res = eval(cmd)
-    return res
+    cmd = "format_" + project + "_for_dashboard"
+    return globals()[cmd](case, results)

diff --git a/utils/test/result_collection_api/opnfv_testapi/dashboard/doctor2Dashboard.py b/utils/test/result_collection_api/opnfv_testapi/dashboard/doctor2Dashboard.py
index 38b23ab..5b1f190 100644 (file)
--- a/utils/test/result_collection_api/opnfv_testapi/dashboard/doctor2Dashboard.py
+++ b/utils/test/result_collection_api/opnfv_testapi/dashboard/doctor2Dashboard.py
@@ -36,8 +36,8 @@ def format_doctor_for_dashboard(case, results):
         # note we add _case because testcase and project had the same name
         # TODO refactoring...looks fine at the beginning wit only 1 project
         # not very ugly now and clearly not optimized...
-        cmd = "format_" + case.replace('-','_') + "_case_for_dashboard(results)"
-        res = eval(cmd)
+        cmd = "format_" + case.replace('-','_') + "_case_for_dashboard"
+        res = globals()[cmd](results)
     else:
         res = []
     return res

diff --git a/utils/test/result_collection_api/opnfv_testapi/dashboard/functest2Dashboard.py b/utils/test/result_collection_api/opnfv_testapi/dashboard/functest2Dashboard.py
index 86521b9..01697f7 100644 (file)
--- a/utils/test/result_collection_api/opnfv_testapi/dashboard/functest2Dashboard.py
+++ b/utils/test/result_collection_api/opnfv_testapi/dashboard/functest2Dashboard.py
@@ -34,8 +34,8 @@ def format_functest_for_dashboard(case, results):
     then build the call to the specific method
     """
     if check_functest_case_exist(case):
-        cmd = "format_" + case + "_for_dashboard(results)"
-        res = eval(cmd)
+        cmd = "format_" + case + "_for_dashboard"
+        res = globals()[cmd](results)
     else:
         res = []
         print "Test cases not declared"

diff --git a/utils/test/result_collection_api/opnfv_testapi/dashboard/promise2Dashboard.py b/utils/test/result_collection_api/opnfv_testapi/dashboard/promise2Dashboard.py
index 84f43a7..c96341f 100644 (file)
--- a/utils/test/result_collection_api/opnfv_testapi/dashboard/promise2Dashboard.py
+++ b/utils/test/result_collection_api/opnfv_testapi/dashboard/promise2Dashboard.py
@@ -14,9 +14,6 @@
 # a new method format_<Test_case>_for_dashboard(results)
 # v0.1: basic example with methods for odl, Tempest, Rally and vPing
 #
-import re
-import datetime
-
 
 def get_promise_cases():
     """
@@ -36,8 +33,8 @@ def format_promise_for_dashboard(case, results):
         # note we add _case because testcase and project had the same name
         # TODO refactoring...looks fine at the beginning wit only 1 project
         # not very ugly now and clearly not optimized...
-        cmd = "format_" + case + "_case_for_dashboard(results)"
-        res = eval(cmd)
+        cmd = "format_" + case + "_case_for_dashboard"
+        res = globals()[cmd](results)
     else:
         res = []
         print "Test cases not declared"

diff --git a/utils/test/result_collection_api/opnfv_testapi/dashboard/yardstick2Dashboard.py b/utils/test/result_collection_api/opnfv_testapi/dashboard/yardstick2Dashboard.py
index 4f022d5..4df4b50 100644 (file)
--- a/utils/test/result_collection_api/opnfv_testapi/dashboard/yardstick2Dashboard.py
+++ b/utils/test/result_collection_api/opnfv_testapi/dashboard/yardstick2Dashboard.py
@@ -16,7 +16,6 @@
 #       Fio, Lmbench, Perf, Cyclictest.
 #
 
-
 def get_yardstick_cases():
     """
     get the list of the supported test cases
@@ -33,8 +32,8 @@ def format_yardstick_for_dashboard(case, results):
     then build the call to the specific method
     """
     if check_yardstick_case_exist(case):
-        cmd = "format_" + case + "_for_dashboard(results)"
-        res = eval(cmd)
+        cmd = "format_" + case + "_for_dashboard"
+        res = globals()[cmd](results)
     else:
         res = []
         print "Test cases not declared"

diff --git a/utils/test/result_collection_api/opnfv_testapi/resources/handlers.py b/utils/test/result_collection_api/opnfv_testapi/resources/handlers.py
index f98c35e..5059f5d 100644 (file)
--- a/utils/test/result_collection_api/opnfv_testapi/resources/handlers.py
+++ b/utils/test/result_collection_api/opnfv_testapi/resources/handlers.py
@@ -23,8 +23,8 @@
 import json
 from datetime import datetime
 
-from tornado.web import RequestHandler, asynchronous, HTTPError
 from tornado import gen
+from tornado.web import RequestHandler, asynchronous, HTTPError
 
 from models import CreateResponse
 from opnfv_testapi.common.constants import DEFAULT_REPRESENTATION, \
@@ -217,7 +217,8 @@ class GenericApiHandler(RequestHandler):
         return equal, query
 
     def _eval_db(self, table, method, *args, **kwargs):
-        return eval('self.db.%s.%s(*args, **kwargs)' % (table, method))
+        exec_collection = self.db.__getattr__(table)
+        return exec_collection.__getattribute__(method)(*args, **kwargs)
 
     def _eval_db_find_one(self, query, table=None):
         if table is None:

diff --git a/utils/test/result_collection_api/opnfv_testapi/tests/unit/fake_pymongo.py b/utils/test/result_collection_api/opnfv_testapi/tests/unit/fake_pymongo.py
index 4509692..3dd87e6 100644 (file)
--- a/utils/test/result_collection_api/opnfv_testapi/tests/unit/fake_pymongo.py
+++ b/utils/test/result_collection_api/opnfv_testapi/tests/unit/fake_pymongo.py
@@ -181,6 +181,10 @@ class MemDb(object):
                 self._check_keys(doc.get(key))
 
 
+def __getattr__(name):
+    return globals()[name]
+
+
 pods = MemDb()
 projects = MemDb()
 testcases = MemDb()

diff --git a/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_dashboard.py b/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_dashboard.py
index 8f729c0..27ec763 100644 (file)
--- a/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_dashboard.py
+++ b/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_dashboard.py
@@ -8,9 +8,10 @@
 ##############################################################################
 import unittest
 
-from test_result import TestResultBase
 from opnfv_testapi.common.constants import HTTP_NOT_FOUND, HTTP_OK
 
+from test_result import TestResultBase
+
 
 class TestDashboardBase(TestResultBase):
     def setUp(self):
@@ -63,7 +64,7 @@ class TestDashboardQuery(TestDashboardBase):
             if k == 'self' or k == 'uri':
                 continue
             if v is None:
-                v = eval('self.' + k)
+                v = self.__getattribute__(k)
             if v != 'missing':
                 uri += '{}={}&'.format(k, v)
         uri += 'pod={}&'.format(self.pod)

diff --git a/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_fake_pymongo.py b/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_fake_pymongo.py
index 9a1253e..5f50ba8 100644 (file)
--- a/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_fake_pymongo.py
+++ b/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_fake_pymongo.py
@@ -115,7 +115,8 @@ class MyTest(AsyncHTTPTestCase):
             self.assertEqual(name_error, error)
 
     def _eval_pods_db(self, method, *args, **kwargs):
-        return eval('self.db.pods.%s(*args, **kwargs)' % method)
+        table_obj = vars(self.db)['pods']
+        return table_obj.__getattribute__(method)(*args, **kwargs)
 
 
 if __name__ == '__main__':

diff --git a/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_result.py b/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_result.py
index eee06c6..8479b35 100644 (file)
--- a/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_result.py
+++ b/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_result.py
@@ -305,7 +305,7 @@ class TestResultGet(TestResultBase):
 
     def _set_query(self, *args):
         def get_value(arg):
-            return eval('self.' + arg) \
+            return self.__getattribute__(arg) \
                 if arg != 'trust_indicator' else self.trust_indicator.current
         uri = ''
         for arg in args:

diff --git a/utils/test/result_collection_api/update/templates/changes_in_mongodb.py b/utils/test/result_collection_api/update/templates/changes_in_mongodb.py
index 9744dd9..1a4d5a1 100644 (file)
--- a/utils/test/result_collection_api/update/templates/changes_in_mongodb.py
+++ b/utils/test/result_collection_api/update/templates/changes_in_mongodb.py
@@ -45,6 +45,7 @@ docs_old2New = {
     #     ({'case_name': 'ovno'}, {'case_name': 'ocl'})
     # ]
     'results': [
-        ({'trust_indicator': 0}, {'trust_indicator': {'current': 0, 'histories': []}})
+        ({'trust_indicator': 0},
+         {'trust_indicator': {'current': 0, 'histories': []}})
     ]
 }

diff --git a/utils/test/result_collection_api/update/templates/update_mongodb.py b/utils/test/result_collection_api/update/templates/update_mongodb.py
index b1e378d..ba4334a 100644 (file)
--- a/utils/test/result_collection_api/update/templates/update_mongodb.py
+++ b/utils/test/result_collection_api/update/templates/update_mongodb.py
@@ -10,7 +10,8 @@ import argparse
 
 from pymongo import MongoClient
 
-from changes_in_mongodb import collections_old2New, fields_old2New, docs_old2New
+from changes_in_mongodb import collections_old2New, \
+    fields_old2New, docs_old2New
 from utils import main, parse_mongodb_url
 
 parser = argparse.ArgumentParser(description='Update MongoDBs')
@@ -54,11 +55,13 @@ def change_docs(a_dict):
 
 
 def eval_db(method, *args, **kwargs):
-    return eval('db.%s(*args, **kwargs)' % method)
+    exec_db = db.__getattribute__(method)
+    return exec_db(*args, **kwargs)
 
 
 def eval_collection(collection, method, *args, **kwargs):
-    return eval('db.%s.%s(*args, **kwargs)' % (collection, method))
+    exec_collection = db.__getattr__(collection)
+    return exec_collection.__getattribute__(method)(*args, **kwargs)
 
 
 def collection_update(a_dict, operator):