fix: replace eval mechanism with builtins to prevent security vulnerabilities

2026-05-12 02:21:29 +08:00 · 2019-04-24 15:43:57 +08:00
parent a8b0159f40
commit 648c44e1c1
4 changed files with 14 additions and 6 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Release History

+## 2.1.3 (2019-04-24)
+
+**Bugfixes**
+
+- replace eval mechanism with builtins to prevent security vulnerabilities
+
 ## 2.1.2 (2019-04-17)

 **Features**
--- a/httprunner/about.py
+++ b/httprunner/about.py
@@ -1,7 +1,7 @@
 __title__ = 'HttpRunner'
 __description__ = 'One-stop solution for HTTP(S) testing.'
 __url__ = 'https://github.com/HttpRunner/HttpRunner'
-__version__ = '2.1.2'
+__version__ = '2.1.3'
 __author__ = 'debugtalk'
 __author_email__ = 'mail@debugtalk.com'
 __license__ = 'Apache-2.0'
--- a/httprunner/parser.py
+++ b/httprunner/parser.py
@@ -1,6 +1,7 @@
 # encoding: utf-8

 import ast
+import builtins
 import os
 import re

@@ -277,11 +278,8 @@ def get_mapping_function(function_name, functions_mapping):

    try:
        # check if Python builtin functions
-        item_func = eval(function_name)
-        if callable(item_func):
-            # is builtin function
-            return item_func
-    except (NameError, TypeError):
+        return getattr(builtins, function_name)
+    except AttributeError:
        # is not builtin function
        raise exceptions.FunctionNotFound("{} is not found.".format(function_name))

--- a/tests/test_parser.py
+++ b/tests/test_parser.py
@@ -437,6 +437,10 @@ class TestParserBasic(unittest.TestCase):
        self.assertEqual(var._string, "ABC{}{}")
        self.assertEqual(var.to_value(variables_mapping), "ABCTrueabc123")

+        # Python builtin functions
+        var = parser.LazyString("ABC${ord(a)}DEF${len(abcd)}", functions_mapping, check_variables_set)
+        self.assertEqual(var._string, "ABC{}DEF{}")
+        self.assertEqual(var.to_value(variables_mapping), "ABC97DEF4")

    def test_parse_variable(self):
        """ variable format ${var} and $var