authorGleb Zimin <gzimin@mirantis.com>2018-03-22 17:18:03 +0400
committerAkihiro Motoki <amotoki@gmail.com>2018-04-12 02:30:09 +0000
commit2cf52672b7cf19e1b4c318cc3be5b998d89f5e82 (patch)
tree060da84bcc636098bf57e9ed03513141366dbf4a /neutronclient/neutron
parent19d0609888ba479caac274325dcaec5fc8117ca0 (diff)
Replace insecure function eval
In neutronclient we use the eval function for processing neutron CLI arguments. This function is potentially insecure because eval receives its argument from the client side. Instead, we can use a dict of allowed types, which is more secure. Closes-Bug: #1762938 Change-Id: Idde55d1b9206e9ef8742464825709f098d488a8e Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>
Diffstat (limited to 'neutronclient/neutron')
-rw-r--r--neutronclient/neutron/v2_0/__init__.py25
1 files changed, 18 insertions, 7 deletions
diff --git a/neutronclient/neutron/v2_0/__init__.py b/neutronclient/neutron/v2_0/__init__.py
index c1dbc11..a5b262c 100644
--- a/neutronclient/neutron/v2_0/__init__.py
+++ b/neutronclient/neutron/v2_0/__init__.py
@@ -185,6 +185,14 @@ def parse_args_to_dict(values_specs):
current_item = None
# the str after 'type='
current_type_str = None
+ # dict of allowed types
+ allowed_type_dict = {
+ 'bool': utils.str2bool,
+ 'dict': utils.str2dict,
+ 'int': int,
+ 'str': str,
+ }
+
for _item in values_specs_copy:
if _item.startswith('--'):
# Deal with previous argument if any
@@ -215,12 +223,16 @@ def parse_args_to_dict(values_specs):
_("Invalid values_specs %s") % ' '.join(values_specs))
if 'type' not in current_arg:
current_type_str = _item.split('=', 2)[1]
- current_arg.update({'type': eval(current_type_str)})
- if current_type_str == 'bool':
- current_arg.update({'type': utils.str2bool})
- elif current_type_str == 'dict':
- current_arg.update({'type': utils.str2dict})
- continue
+ if current_type_str in allowed_type_dict:
+ current_arg['type'] = allowed_type_dict[current_type_str]
+ continue
+ else:
+ raise exceptions.CommandError(
+ _("Invalid value_specs {valspec}: type {curtypestr}"
+ " is not supported").format(
+ valspec=' '.join(values_specs),
+ curtypestr=current_type_str))
+
elif _item == 'list=true':
_list_flag = True
continue
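Review bot: The new error message in the `raise exceptions.CommandError(...)` reads `Invalid value_specs`, while the sibling error at the top of this hunk (and elsewhere in the function) reads `Invalid values_specs`; the two should agree, e.g. `_("Invalid values_specs {valspec}: type {curtypestr}"`. The `else:` after a branch that ends in `continue` is redundant: inverting the membership test into a guard (`if current_type_str not in allowed_type_dict: raise ...`) and then assigning `current_arg['type']` and continuing unconditionally reads flatter. Since `allowed_type_dict` is the allowlist that replaces the removed `eval`, the comment above it in the first hunk could state that role, e.g. `# allowlist of values accepted after 'type='; anything else is rejected in the loop below`, so the dynamic lookup is not reintroduced later; the dict never changes, so it could also be a module-level constant rather than rebuilt per call. The enclosing parse_args_to_dict starts before this hunk and continues after it.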
@@ -240,7 +252,6 @@ def parse_args_to_dict(values_specs):
if _item.startswith('---'):
raise exceptions.CommandError(
_("Invalid values_specs %s") % ' '.join(values_specs))
-
_values_specs.append(_item)
# Deal with last one argument