From 32a17fbec6e1e61c4dc50fb24048069afcaa621a Mon Sep 17 00:00:00 2001
From: Yusuke Iwase
Date: Mon, 10 Nov 2014 09:04:36 +0900
Subject: [PATCH] fix security problem of some RESTful apps
It is not safe to use eval function because input data(request body) is not checked
For example, someone can send this data to remove all files in the directory "import('os').system('rm -rf .')"
I suggest to use json.loads to parse the request body if the data is json format or disable builtin functions like: eval(req.body, {"__builtins__":None})
In this patch, ast.literal_eval() is used to evaluate REST body, because ofctl_rest needs to be compatible with hexadecimal value or ascii byte array (e.g. "\x00\x00\x00\x01" in Experimenter) in order to keep usability.
Signed-off-by: Takeshi
Signed-off-by: IWASE Yusuke
Signed-off-by: FUJITA Tomonori
---
 ryu/app/ofctl_rest.py | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/ryu/app/ofctl_rest.py b/ryu/app/ofctl_rest.py
index 125554f2..338d59e2 100644
--- a/ryu/app/ofctl_rest.py
+++ b/ryu/app/ofctl_rest.py
@@ -16,6 +16,7 @@
 import logging
 import json
+import ast
 from webob import Response
 from ryu.base import app_manager
@@ -155,7 +156,7 @@ class StatsController(ControllerBase):
 flow = {}
 else:
 try:
- flow = eval(req.body)
+ flow = ast.literal_eval(req.body)
 except SyntaxError:
 LOG.debug('invalid syntax %s', req.body)
 return Response(status=400)
@@ -326,7 +327,7 @@ class StatsController(ControllerBase):
 def mod_flow_entry(self, req, cmd, **_kwargs):
 try:
- flow = eval(req.body)
+ flow = ast.literal_eval(req.body)
 except SyntaxError:
 LOG.debug('invalid syntax %s', req.body)
 return Response(status=400)
@@ -380,7 +381,7 @@ class StatsController(ControllerBase):
 def mod_meter_entry(self, req, cmd, **_kwargs):
 try:
- flow = eval(req.body)
+ flow = ast.literal_eval(req.body)
 except SyntaxError:
 LOG.debug('invalid syntax %s', req.body)
 return Response(status=400)
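Review bot: The `except SyntaxError:` clause kept under the new `flow = ast.literal_eval(req.body)` line in the -155 hunk no longer matches how the replacement fails: `ast.literal_eval` rejects syntactically valid but non-literal input (a bare name, a call, an attribute access) with `ValueError`, and malformed nodes with `TypeError`, so such a body now escapes the handler instead of producing the intended 400 (what the framework turns that into is not visible here, presumably a 500). The same clause follows each replaced call in the -326, -380, -413, -448 and -493 hunks, so the widening is needed in all six places: `except (SyntaxError, ValueError, TypeError):`. Note also that `ast.literal_eval` still parses arbitrarily nested input, so a very large or deeply nested body can raise `MemoryError` or `RecursionError` before any check runs; a request-body size limit applied upstream would bound that, if one is not already in place. Each method's body continues outside its hunk.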
@@ -413,7 +414,7 @@ class StatsController(ControllerBase):
 def mod_group_entry(self, req, cmd, **_kwargs):
 try:
- group = eval(req.body)
+ group = ast.literal_eval(req.body)
 except SyntaxError:
 LOG.debug('invalid syntax %s', req.body)
 return Response(status=400)
@@ -448,7 +449,7 @@ class StatsController(ControllerBase):
 def mod_port_behavior(self, req, cmd, **_kwargs):
 try:
- port_config = eval(req.body)
+ port_config = ast.literal_eval(req.body)
 except SyntaxError:
 LOG.debug('invalid syntax %s', req.body)
 return Response(status=400)
@@ -493,7 +494,7 @@ class StatsController(ControllerBase):
 return Response(status=404)
 try:
- exp = eval(req.body)
+ exp = ast.literal_eval(req.body)
 except SyntaxError:
 LOG.debug('invalid syntax %s', req.body)
 return Response(status=400)