From 199aa78fbe647f336fecf6d3b76d07964b841128 Mon Sep 17 00:00:00 2001
From: Tim Burke
Date: Thu, 5 Dec 2024 13:43:13 -0800
Subject: [PATCH] xprofile: Stop using eval()

All we need is int(). Using eval() on user-provided data (or really at all) is a Bad Idea.

Closes-Bug: #2091124
Change-Id: I39bb87f9d8e27f2f88410a087a120a0e9be1a243
---
 bandit.yaml | 2 +-
 .../middleware/x_profile/html_viewer.py | 2 +-
 test/unit/common/middleware/test_xprofile.py | 19 +++++++++++++++++++
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/bandit.yaml b/bandit.yaml
index 7e9f585420..a33fd24451 100644
--- a/bandit.yaml
+++ b/bandit.yaml
@@ -79,7 +79,7 @@
 # B703 : django_mark_safe
 # (optional) list included test IDs here, eg '[B101, B406]':
-tests: [B102, B103, B302, B303, B304, B305, B306, B308, B310, B401, B501, B502, B506, B601, B602, B609]
+tests: [B102, B103, B302, B303, B304, B305, B306, B307, B308, B310, B401, B501, B502, B506, B601, B602, B609]
 # (optional) list skipped test IDs here, eg '[B101, B406]':
 skips:
diff --git a/swift/common/middleware/x_profile/html_viewer.py b/swift/common/middleware/x_profile/html_viewer.py
index 3b1ecfeeca..9e4efda53c 100644
--- a/swift/common/middleware/x_profile/html_viewer.py
+++ b/swift/common/middleware/x_profile/html_viewer.py
@@ -245,7 +245,7 @@ class HTMLViewer(object):
         if multiple:
             return value
         if isinstance(value, list):
-            return eval(value[0]) if isinstance(default, int) else value[0]
+            return int(value[0]) if isinstance(default, int) else value[0]
         else:
             return value
diff --git a/test/unit/common/middleware/test_xprofile.py b/test/unit/common/middleware/test_xprofile.py
index 69e3fb45db..39df9d42e4 100644
--- a/test/unit/common/middleware/test_xprofile.py
+++ b/test/unit/common/middleware/test_xprofile.py
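Review bot: The new `int(value[0])` in html_viewer.py raises `ValueError` for any non-numeric form value and nothing in this hunk catches it, so — as the accompanying test_xprofile.py test asserts — a malformed client parameter now surfaces as a `500 Internal Server Error` whose body repeats the `ValueError` text, including the raw submitted string. Malformed query/form input is a client error and should map to a 4xx: wrap the conversion in `try`/`except ValueError` and raise whichever bad-request error the rest of the viewer uses (that path is not visible here), or have the caller that emits "Error on render profiling results" distinguish `ValueError` from genuine rendering failures, which also avoids reflecting the unparsed input in the response. Note too that `int()` accepts surrounding whitespace, a sign and underscore separators (e.g. `"1_0"`), which is wider than the digits-only values a UI presumably submits; if negative or zero values are not meaningful for parameters such as `limit`, a range check after conversion would be worthwhile. The enclosing method begins before this hunk (its signature with `value`, `default` and `multiple` is not shown) and may continue after it.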
@@ -188,6 +188,25 @@ class TestProfileMiddleware(unittest.TestCase):
         new_profiler = self.app.profiler
         self.assertTrue(old_profiler != new_profiler)
+    def test_int_values(self):
+        for body in (
+                b"limit=os.system",
+                b"fulldirs=boom",
+        ):
+            environ = {'HTTP_HOST': 'localhost:8080',
+                       'PATH_INFO': '/__profile__',
+                       'REQUEST_METHOD': 'POST',
+                       'wsgi.input': BytesIO(body)}
+            resp = self.app(environ, self.start_response)
+            self.assertEqual(
+                self.got_statuses, ['500 Internal Server Error'], resp)
+            self.assertTrue(
+                resp.startswith(
+                    "Error on render profiling results: invalid literal "
+                    "for int() with base 10: "
+                ),
+                resp)
+
 class Test_profile_log(unittest.TestCase):