Bug 758750 - Remove use of eval in pulp
Summary: Remove use of eval in pulp
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Pulp
Classification: Retired
Component: z_other
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: Sprint 30
Assignee: Sayli Karmarkar
QA Contact: Preethi Thomas
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-11-30 16:24 UTC by James Slagle
Modified: 2015-03-23 01:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-24 20:11:08 UTC



Description James Slagle 2011-11-30 16:24:50 UTC
We have a couple of uses of the python function eval() in the pulp server.  We need to remove this usage because it can allow arbitrary code execution.

The 2 instances I see are in webservices/controllers/repositories.py and webservices/controllers/consumers.py.  They are eval()'ing URL query parameters, so we should probably fix this.

There are also some uses in the client, which should probably also be fixed.  Instead of using eval, we can just run the user input through json.loads before sending it to the server.  Or, if the intent is to have the user specify python dict or json syntax on the command line, we could have a more friendly interface by using a command line option like:
--option key:value
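
Added example (not Pulp's code, and not from the reporter or the fix commit): the two replacements proposed in the description, written out so they can be run against real input. `parse_dict_param` is the server-side substitute for eval()'ing a query parameter, using `json.loads` plus a shape check; `parse_note_option` is the client-side `--option key:value` form. The function names, the `rejects` helper and the sample strings are assumptions made for this example.

```python
import json
from typing import Any, Callable, Dict


def parse_dict_param(raw: str) -> Dict[str, Any]:
    """Parse a query parameter that is expected to carry a JSON object.

    json.loads only builds data (dict, list, str, number, bool, None);
    unlike eval() it never executes the input. The isinstance check then
    rejects well-formed JSON of the wrong shape (a bare string, list or
    number) before it reaches server logic.
    """
    try:
        value = json.loads(raw)
    except ValueError as exc:  # json.JSONDecodeError subclasses ValueError
        raise ValueError("parameter is not valid JSON: %s" % exc)
    if not isinstance(value, dict):
        raise ValueError(
            "expected a JSON object, got %s" % type(value).__name__)
    return value


def parse_note_option(option: str) -> Dict[str, str]:
    """Parse one ``--option key:value`` argument into a one-entry dict.

    Splits on the first ':' only, so values may contain colons (a URL,
    for instance). The key must be non-empty. Nothing is evaluated.
    """
    key, sep, value = option.partition(":")
    if not sep:
        raise ValueError("expected key:value, got %r" % option)
    key = key.strip()
    if not key:
        raise ValueError("empty key in %r" % option)
    return {key: value}


def rejects(parser: Callable[[str], Dict], raw: str) -> bool:
    """True if the parser refuses the input with ValueError (constructed helper
    used to check that unsafe or malformed input never becomes data)."""
    try:
        parser(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: a JSON object, a Python expression that
    # eval() would compute but json.loads refuses, and a key:value option.
    print(parse_dict_param('{"test": "test"}'))
    print(rejects(parse_dict_param, "1+1"))
    print(parse_note_option("test:test"))
```

One caveat for the client side: JSON is stricter than Python dict syntax, so input such as `{'a': 1}` (single quotes) that eval() accepted is rejected by `json.loads`; the `key:value` option avoids that friction for the common one-pair case.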

Comment 1 Sayli Karmarkar 2011-12-02 04:12:25 UTC
commit 333b1f6475b51eac9cc28795c966e37ab5e7ec74
Author: Sayli Karmarkar <skarmark>
Date:   Thu Dec 1 20:08:59 2011 -0800

    Making pulp 'eval' free and updating repo list --note to accept a note in key:value format instead of dictionary

Comment 2 Jeff Ortel 2011-12-03 00:00:46 UTC
build: 0.254.

Comment 3 Preethi Thomas 2011-12-09 19:57:37 UTC
verified

[root@preethi ~]# rpm -q pulp
pulp-0.0.254-4.fc15.noarch


[root@preethi ~]#  pulp-admin -u admin -p admin repo  add_note --id=test --key=test --value=test
Successfully added key-value pair test:test

Comment 4 Preethi Thomas 2012-02-24 20:11:08 UTC
Pulp v1.0 is released
Closed Current Release.

