From 2336d789d4cecd053d93db8e9598aabd89661b33 Mon Sep 17 00:00:00 2001
From: Eric Harney
Date: Fri, 15 Jan 2016 16:52:56 -0500
Subject: [PATCH] Reduce use of eval()

Calling eval() is less than ideal security practice, and does not appear to be needed in these instances. Convert to ast.literal_eval() which is a safer mechanism for parsing inputs like this.

Change-Id: I102f28cfa2a643f36a4d4174cef09c6f7576a804
---
cinder/tests/unit/test_ssh_utils.py | 2 +-
cinder/volume/drivers/emc/emc_vmax_common.py | 5 +++--
cinder/volume/drivers/emc/emc_vmax_fc.py | 4 +++-
cinder/volume/drivers/fujitsu/eternus_dx_common.py | 3 ++-
4 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/cinder/tests/unit/test_ssh_utils.py b/cinder/tests/unit/test_ssh_utils.py
index ecc959587..552b82d38 100644
--- a/cinder/tests/unit/test_ssh_utils.py
+++ b/cinder/tests/unit/test_ssh_utils.py
@@ -175,7 +175,7 @@ class SSHPoolTestCase(test.TestCase):
@mock.patch('six.moves.builtins.open')
@mock.patch('paramiko.SSHClient')
def test_closed_reopened_ssh_connections(self, mock_sshclient, mock_open):
- mock_sshclient.return_value = eval('FakeSSHClient')()
+ mock_sshclient.return_value = FakeSSHClient()
sshpool = ssh_utils.SSHPool("127.0.0.1", 22, 10, "test", password="test",
diff --git a/cinder/volume/drivers/emc/emc_vmax_common.py b/cinder/volume/drivers/emc/emc_vmax_common.py
index 089502246..e6501f8ad 100644
--- a/cinder/volume/drivers/emc/emc_vmax_common.py
+++ b/cinder/volume/drivers/emc/emc_vmax_common.py
@@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations
# under the License.
+import ast
import inspect
import os.path
@@ -1325,7 +1326,7 @@ class EMCVMAXCommon(object):
self.conn = self._get_ecom_connection()
if isinstance(loc, six.string_types):
- name = eval(loc)
+ name = ast.literal_eval(loc)
keys = name['keybindings']
systemName = keys['SystemName']
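Review bot: In the `-1325` hunk of emc_vmax_common.py the new `name = ast.literal_eval(loc)` closes the code-execution hole of eval() but still has no handling for a malformed or non-dict provider_location: literal_eval raises ValueError or SyntaxError for anything that is not a Python literal, and it returns whatever literal it finds, so a list or string would make `keys = name['keybindings']` on the next line fail with TypeError. The same applies to the `-201` hunk of emc_vmax_fc.py and the `-1293` hunk of eternus_dx_common.py (the latter sits inside a `try:` whose except clauses are outside the hunk, so whether they cover ValueError cannot be seen here). A guard right after the call, `if not isinstance(name, dict): raise ValueError("provider_location is not a dict: %r" % (loc,))`, or catching `(ValueError, SyntaxError)` where the driver already converts errors into backend exceptions, would turn this into a clear driver error instead of a stray traceback. A one-line comment would also help the next reader, e.g. `# provider_location is presumably a repr() of a dict written by this driver; literal_eval rejects non-literals but can still raise, and may hit the recursion limit on pathologically nested input`. The enclosing methods start and end outside these hunks.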
@@ -3948,7 +3949,7 @@ class EMCVMAXCommon(object):
version = None
try:
if isinstance(loc, six.string_types):
- name = eval(loc)
+ name = ast.literal_eval(loc)
version = name['version']
except KeyError:
pass
diff --git a/cinder/volume/drivers/emc/emc_vmax_fc.py b/cinder/volume/drivers/emc/emc_vmax_fc.py
index cf33cc6fb..6df21ebce 100644
--- a/cinder/volume/drivers/emc/emc_vmax_fc.py
+++ b/cinder/volume/drivers/emc/emc_vmax_fc.py
@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
+import ast
+
from oslo_log import log as logging
import six
@@ -201,7 +203,7 @@ class EMCVMAXFCDriver(driver.FibreChannelDriver):
data = {'driver_volume_type': 'fibre_channel', 'data': {}}
loc = volume['provider_location']
- name = eval(loc)
+ name = ast.literal_eval(loc)
storage_system = name['keybindings']['SystemName']
LOG.debug("Start FC detach process for volume: %(volume)s.", {'volume': volume['name']})
diff --git a/cinder/volume/drivers/fujitsu/eternus_dx_common.py b/cinder/volume/drivers/fujitsu/eternus_dx_common.py
index 5a4d25f9d..561c44a14 100644
--- a/cinder/volume/drivers/fujitsu/eternus_dx_common.py
+++ b/cinder/volume/drivers/fujitsu/eternus_dx_common.py
@@ -19,6 +19,7 @@
""" Cinder Volume driver for Fujitsu ETERNUS DX S3 series. """
+import ast
import base64
import hashlib
import six
@@ -1293,7 +1294,7 @@ class FJDXCommon(object):
volumename = self._create_volume_name(volume['id'])
try:
- location = eval(volume['provider_location'])
+ location = ast.literal_eval(volume['provider_location'])
classname = location['classname']
bindings = location['keybindings']
-- 
2.45.2
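Review bot: In the `-3948` hunk of emc_vmax_common.py the `except KeyError: pass` below the new `name = ast.literal_eval(loc)` only covers a missing 'version' key; a provider_location that is not a valid Python literal now raises ValueError or SyntaxError from literal_eval, and a literal that is not a dict raises TypeError on `version = name['version']`, and none of these is caught by what is visibly a best-effort lookup that already falls back to `version = None`. Widening the clause to `except (KeyError, ValueError, SyntaxError, TypeError):` keeps a malformed location from propagating out of a version probe. Logging the rejected value at debug level in that clause, rather than `pass`, would make a corrupted provider_location diagnosable instead of silently reading as "no version". The enclosing method starts and ends outside the hunk.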