fix security problem of some RESTful apps

I'm very sorry I didn't include rest_firewall.py and rest_qos.py in my patch.
I suggested it for ofctl_rest.py only...

Here is the patch for rest_firewall.py and rest_qos.py.

---------------------------------------------------------------
Subject: [PATCH] fix security problem of some RESTful apps

It is not safe to use the eval function because the input data (request body) is not checked.
For example, someone can send this data to remove all files in the directory:
"__import__('os').system('rm -rf .')"

I suggest using json.loads to parse the request body if the data is in JSON format,
or disabling builtin functions like:
eval(req.body, {"__builtins__":None})

Signed-off-by: Takeshi <a86487817@gmail.com>
Signed-off-by: IWASE Yusuke <iwase.yusuke0@gmail.com>
Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Yusuke Iwase 2014-11-10 13:44:33 +09:00 committed by FUJITA Tomonori
parent 6a133b0cac
commit 31353a95dd
2 changed files with 3 additions and 3 deletions
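Added example (not code from this commit or from Ryu) that puts the three options weighed in the commit message side by side: unrestricted eval of the request body, eval with {"__builtins__": None}, and json.loads. Everything in it is constructed for the demo: the request bodies, the parse_body_* helpers, and the _wrap_close expression, which is a widely known way of reaching a module's globals through object.__subclasses__() instead of through the builtins table. os.getcwd() stands in for the "rm -rf ." of the commit message so the script is harmless to run.

```python
import json
import os

# Constructed sample request bodies (added example; none are from Ryu).
BODY_JSON = '{"nw_src": "10.0.0.0/24", "actions": "DENY"}'
# The shape the commit message warns about; os.getcwd() replaces the
# destructive command so running this is harmless.
BODY_EVAL_RCE = "__import__('os').getcwd()"
# Reaches os.getcwd without naming a single builtin: walk object's subclass
# list to a class defined in os.py (_wrap_close) and take os's module globals
# from its __init__.  This is why {"__builtins__": None} is not a sandbox.
BODY_EVAL_BYPASS = (
    "[c for c in ().__class__.__base__.__subclasses__()"
    " if c.__name__ == '_wrap_close'][0].__init__.__globals__['getcwd']()"
)


def parse_body_eval(body, restricted=False):
    """Pre-patch behaviour: the request body is evaluated as Python source.
    restricted=True is the commit message's alternative of handing eval an
    empty builtins table."""
    namespace = {"__builtins__": None} if restricted else {}
    return eval(body, namespace)


def parse_body_json(body):
    """Hardened parser: JSON only.  Returns (status, payload) the way the REST
    handlers do.  json.loads signals a malformed body with ValueError
    (json.JSONDecodeError is a subclass of it), not SyntaxError, so ValueError
    is what a handler must catch to answer 400 instead of crashing."""
    try:
        return 200, json.loads(body)
    except ValueError as exc:
        return 400, "invalid syntax: %s" % exc


def eval_runs_attacker_code():
    """Unrestricted eval executes whatever the client sent."""
    return parse_body_eval(BODY_EVAL_RCE) == os.getcwd()


def restricted_blocks_direct_import():
    """With __builtins__ set to None the name __import__ cannot be resolved.
    CPython reports this as NameError or TypeError depending on version, so
    both are accepted here."""
    try:
        parse_body_eval(BODY_EVAL_RCE, restricted=True)
    except (NameError, TypeError):
        return True
    return False


def restricted_is_bypassed():
    """The same restricted namespace still lets the client reach os."""
    return parse_body_eval(BODY_EVAL_BYPASS, restricted=True) == os.getcwd()


def json_error_kinds(body):
    """Classify what json.loads raises for a body as
    (raised, is_ValueError, is_SyntaxError)."""
    try:
        json.loads(body)
    except Exception as exc:  # classify only, do not swallow silently
        return True, isinstance(exc, ValueError), isinstance(exc, SyntaxError)
    return False, False, False


if __name__ == "__main__":
    print("json body parsed:", parse_body_json(BODY_JSON))
    print("code body rejected:", parse_body_json(BODY_EVAL_RCE))
    print("plain eval runs attacker code:", eval_runs_attacker_code())
    print("__builtins__=None stops __import__:", restricted_blocks_direct_import())
    print("__builtins__=None bypassed anyway:", restricted_is_bypassed())
    print("json.loads error kinds:", json_error_kinds(BODY_EVAL_RCE))
```

Run it as a script to see the three outcomes. The last function is the part that matters for this patch: since json.loads raises ValueError rather than SyntaxError, a handler that switches from eval to json.loads has to switch its except clause too, or malformed bodies turn into unhandled exceptions instead of 400 responses.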


@ -492,7 +492,7 @@ class FirewallController(ControllerBase):
def _set_rule(self, req, switchid, vlan_id=VLANID_NONE):
try:
rule = eval(req.body)
rule = json.loads(req.body)
except SyntaxError:
FirewallController._LOGGER.debug('invalid syntax %s', req.body)
return Response(status=400)
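Review bot: the `except SyntaxError:` clause two lines below the replaced call no longer matches what the call raises. `json.loads` signals a malformed body with `ValueError` (`json.JSONDecodeError`, where it exists, is a subclass of it), not `SyntaxError`, so after this change a body that is not valid JSON escapes `_set_rule` as an unhandled exception instead of getting the `Response(status=400)` this hunk keeps. Change the clause to `except ValueError:`; the 'invalid syntax %s' debug message can stay as is.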
@ -516,7 +516,7 @@ class FirewallController(ControllerBase):
def _delete_rule(self, req, switchid, vlan_id=VLANID_NONE):
try:
ruleid = eval(req.body)
ruleid = json.loads(req.body)
except SyntaxError:
FirewallController._LOGGER.debug('invalid syntax %s', req.body)
return Response(status=400)
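Review bot: same mismatch in `_delete_rule`: `json.loads(req.body)` raises `ValueError` on bad input, so `except SyntaxError:` is now dead code and the 400 path below it is unreachable. Use `except ValueError:` here as well. Since `_set_rule` and `_delete_rule` carry an identical try/except/400 block, a small shared parse helper in `FirewallController` would keep the two exception types from drifting apart again.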


@ -499,7 +499,7 @@ class QoSController(ControllerBase):
def _access_switch(self, req, switchid, vlan_id, func, waiters):
try:
rest = eval(req.body) if req.body else {}
rest = json.loads(req.body) if req.body else {}
except SyntaxError:
QoSController._LOGGER.debug('invalid syntax %s', req.body)
return Response(status=400)
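Review bot: `except SyntaxError:` should become `except ValueError:` here too; the `if req.body else {}` guard only covers an empty body, and any non-empty body that is not JSON will now raise `ValueError` out of `_access_switch` rather than reaching the `Response(status=400)` below it.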