xprofile: Stop using eval()

All we need is int(). Using eval() on user-provided data (or really at
all) is a Bad Idea.

Closes-Bug: #2091124
Change-Id: I39bb87f9d8e27f2f88410a087a120a0e9be1a243
This commit is contained in:
Tim Burke 2024-12-05 13:43:13 -08:00
parent b371c38fc5
commit 199aa78fbe
3 changed files with 21 additions and 2 deletions

View File

@ -79,7 +79,7 @@
# B703 : django_mark_safe # B703 : django_mark_safe
# (optional) list included test IDs here, eg '[B101, B406]': # (optional) list included test IDs here, eg '[B101, B406]':
tests: [B102, B103, B302, B303, B304, B305, B306, B308, B310, B401, B501, B502, B506, B601, B602, B609] tests: [B102, B103, B302, B303, B304, B305, B306, B307, B308, B310, B401, B501, B502, B506, B601, B602, B609]
# (optional) list skipped test IDs here, eg '[B101, B406]': # (optional) list skipped test IDs here, eg '[B101, B406]':
skips: skips:

View File

@ -245,7 +245,7 @@ class HTMLViewer(object):
if multiple: if multiple:
return value return value
if isinstance(value, list): if isinstance(value, list):
return eval(value[0]) if isinstance(default, int) else value[0] return int(value[0]) if isinstance(default, int) else value[0]
else: else:
return value return value

View File

@ -188,6 +188,25 @@ class TestProfileMiddleware(unittest.TestCase):
new_profiler = self.app.profiler new_profiler = self.app.profiler
self.assertTrue(old_profiler != new_profiler) self.assertTrue(old_profiler != new_profiler)
def test_int_values(self):
for body in (
b"limit=os.system",
b"fulldirs=boom",
):
environ = {'HTTP_HOST': 'localhost:8080',
'PATH_INFO': '/__profile__',
'REQUEST_METHOD': 'POST',
'wsgi.input': BytesIO(body)}
resp = self.app(environ, self.start_response)
self.assertEqual(
self.got_statuses, ['500 Internal Server Error'], resp)
self.assertTrue(
resp.startswith(
"Error on render profiling results: invalid literal "
"for int() with base 10: "
),
resp)
class Test_profile_log(unittest.TestCase): class Test_profile_log(unittest.TestCase):