fix security problem of some RESTful apps

It is not safe to use eval function because input data(request body) is not checked For example, someone can send this data to remove all files in the directory "import('os').system('rm -rf .')" I suggest to use json.loads to parse the request body if the data is json format or disable builtin functions like: eval(req.body, {"__builtins__":None}) In this patch, ast.literal_eval() is used to evaluate REST body, because ofctl_rest needs to be compatible with hexadecimal value or ascii byte array (e.g. "\x00\x00\x00\x01" in Experimenter) in order to keep usability. Signed-off-by: Takeshi <a86487817@gmail.com> Signed-off-by: IWASE Yusuke <iwase.yusuke0@gmail.com> Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
2026-05-05 12:26:11 +02:00 · 2014-11-10 09:04:36 +09:00 · 2014-11-10 09:04:36 +09:00 · 32a17fbec6
commit 32a17fbec6
parent f430528929
1 changed files with 7 additions and 6 deletions
--- a/ryu/app/ofctl_rest.py
+++ b/ryu/app/ofctl_rest.py
@ -16,6 +16,7 @@
 import logging

 import json
+import ast
 from webob import Response

 from ryu.base import app_manager
@ -155,7 +156,7 @@ class StatsController(ControllerBase):
            flow = {}
        else:
            try:
-                flow = eval(req.body)
+                flow = ast.literal_eval(req.body)
            except SyntaxError:
                LOG.debug('invalid syntax %s', req.body)
                return Response(status=400)
@ -326,7 +327,7 @@ class StatsController(ControllerBase):

    def mod_flow_entry(self, req, cmd, **_kwargs):
        try:
-            flow = eval(req.body)
+            flow = ast.literal_eval(req.body)
        except SyntaxError:
            LOG.debug('invalid syntax %s', req.body)
            return Response(status=400)
@ -380,7 +381,7 @@ class StatsController(ControllerBase):

    def mod_meter_entry(self, req, cmd, **_kwargs):
        try:
-            flow = eval(req.body)
+            flow = ast.literal_eval(req.body)
        except SyntaxError:
            LOG.debug('invalid syntax %s', req.body)
            return Response(status=400)
@ -413,7 +414,7 @@ class StatsController(ControllerBase):

    def mod_group_entry(self, req, cmd, **_kwargs):
        try:
-            group = eval(req.body)
+            group = ast.literal_eval(req.body)
        except SyntaxError:
            LOG.debug('invalid syntax %s', req.body)
            return Response(status=400)
@ -448,7 +449,7 @@ class StatsController(ControllerBase):

    def mod_port_behavior(self, req, cmd, **_kwargs):
        try:
-            port_config = eval(req.body)
+            port_config = ast.literal_eval(req.body)
        except SyntaxError:
            LOG.debug('invalid syntax %s', req.body)
            return Response(status=400)
@ -493,7 +494,7 @@ class StatsController(ControllerBase):
            return Response(status=404)

        try:
-            exp = eval(req.body)
+            exp = ast.literal_eval(req.body)
        except SyntaxError:
            LOG.debug('invalid syntax %s', req.body)
            return Response(status=400)