Bug 758750

Summary: Remove use of eval in pulp
Product: [Retired] Pulp
Reporter: James Slagle <jslagle>
Component: z_other
Assignee: Sayli Karmarkar <skarmark>
Status: CLOSED CURRENTRELEASE
QA Contact: Preethi Thomas <pthomas>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: unspecified
CC: cperry
Target Milestone: ---
Keywords: Triaged
Target Release: Sprint 30
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-02-24 20:11:08 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description James Slagle 2011-11-30 16:24:50 UTC
We have a couple of uses of the python function eval() in the pulp server. We need to remove this usage because it can allow arbitrary code execution.

The 2 instances I see are in webservices/controllers/repositories.py and webservices/controllers/consumers.py. They are eval()'ing URL query parameters, so we should probably fix this.

There are also some uses in the client, which should probably also be fixed.  Instead of using eval, we can just run the user input through json.loads before sending it to the server.  Or, if the intent is to have the user specify python dict or json syntax on the command line, we could have a more friendly interface by using a command line option like:
--option key:value
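
As an added illustration (not code from Pulp or from the commit referenced below), the two replacements proposed above: json.loads for a dict-valued query parameter, and a key:value parser for the --note style option. Function and exception names are hypothetical.

```python
import json


class BadParameter(ValueError):
    """Raised when client-supplied input does not have the expected shape."""


def parse_dict_param(raw):
    """Parse a query parameter that must be a JSON object (a dict).

    Replaces eval(): json.loads only ever yields data (dict, list, str,
    numbers, bool, None); it cannot call functions or import modules, so a
    Python expression passed by a client is rejected instead of executed.
    """
    try:
        value = json.loads(raw)
    except ValueError as exc:  # json.JSONDecodeError subclasses ValueError
        raise BadParameter("not valid JSON: %s" % exc)
    if not isinstance(value, dict):
        raise BadParameter("expected a JSON object, got %s" % type(value).__name__)
    return value


def parse_note(option):
    """Parse a note given on the command line as key:value.

    The value may itself contain ':' (e.g. a URL), so only the first
    separator is significant. Whitespace around key and value is dropped.
    """
    key, sep, value = option.partition(":")
    key, value = key.strip(), value.strip()
    if not sep or not key:
        raise BadParameter("note must be given as key:value, got %r" % option)
    return key, value


def rejects(raw):
    """True if parse_dict_param refuses the input (helper for checking)."""
    try:
        parse_dict_param(raw)
    except BadParameter:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a JSON object is accepted, a Python dict literal
    # (single quotes) and a function-call expression are both refused.
    print(parse_dict_param('{"arch": "x86_64", "tags": ["a", "b"]}'))
    print(rejects("{'arch': 'x86_64'}"), rejects("len('x')"))
    print(parse_note("mirror: http://example.invalid/repo"))
```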

Comment 1 Sayli Karmarkar 2011-12-02 04:12:25 UTC
commit 333b1f6475b51eac9cc28795c966e37ab5e7ec74
Author: Sayli Karmarkar <skarmark>
Date:   Thu Dec 1 20:08:59 2011 -0800

    Making pulp 'eval' free and updating repo list --note to accept a note in key:value format instead of dictionary

Comment 2 Jeff Ortel 2011-12-03 00:00:46 UTC
build: 0.254.

Comment 3 Preethi Thomas 2011-12-09 19:57:37 UTC
verified

[root@preethi ~]# rpm -q pulp
pulp-0.0.254-4.fc15.noarch


[root@preethi ~]#  pulp-admin -u admin -p admin repo  add_note --id=test --key=test --value=test
Successfully added key-value pair test:test

Comment 4 Preethi Thomas 2012-02-24 20:11:08 UTC
Pulp v1.0 is released
Closed Current Release.