diff --git a/CHANGELOG.md b/CHANGELOG.md
index dfcfbf06..6e82d6d1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Release History
+## 2.1.3 (2019-04-24)
+
+**Bugfixes**
+
+- replace eval mechanism with builtins to prevent security vulnerabilities
+
 ## 2.1.2 (2019-04-17)
 **Features**
diff --git a/httprunner/__about__.py b/httprunner/__about__.py
index 2a95ad4c..74d0888b 100644
--- a/httprunner/__about__.py
+++ b/httprunner/__about__.py
@@ -1,7 +1,7 @@
 __title__ = 'HttpRunner'
 __description__ = 'One-stop solution for HTTP(S) testing.'
 __url__ = 'https://github.com/HttpRunner/HttpRunner'
-__version__ = '2.1.2'
+__version__ = '2.1.3'
 __author__ = 'debugtalk'
 __author_email__ = 'mail@debugtalk.com'
 __license__ = 'Apache-2.0'
diff --git a/httprunner/parser.py b/httprunner/parser.py
index 08c0bdbd..3fefb84b 100644
--- a/httprunner/parser.py
+++ b/httprunner/parser.py
@@ -1,6 +1,7 @@
 # encoding: utf-8
 import ast
+import builtins
 import os
 import re
@@ -277,11 +278,8 @@ def get_mapping_function(function_name, functions_mapping):
 try:
 # check if Python builtin functions
- item_func = eval(function_name)
- if callable(item_func):
- # is builtin function
- return item_func
- except (NameError, TypeError):
+ return getattr(builtins, function_name)
+ except AttributeError:
 # is not builtin function
 raise exceptions.FunctionNotFound("{} is not found.".format(function_name))
diff --git a/tests/test_parser.py b/tests/test_parser.py
index 0675f198..69147c50 100644
--- a/tests/test_parser.py
+++ b/tests/test_parser.py
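Review bot: `return getattr(builtins, function_name)` in the get_mapping_function hunk drops the `callable()` check the removed code had, so any attribute of the builtins module (`__doc__`, `__name__`, `Ellipsis`) is handed back as a "function" and fails only later, when the caller invokes it, with a TypeError instead of the FunctionNotFound the except branch is meant to produce. The larger gap is that the change the CHANGELOG describes as closing the eval vulnerability still resolves every builtin by name, so a test-case expression can still reach `eval`, `exec`, `open` or `__import__`; because function_name comes from test-case content, resolving only against a small explicit allowlist of side-effect-free builtins is the safer shape, and it keeps the existing FunctionNotFound contract for everything else. The body of get_mapping_function starts outside this hunk, as does the functions_mapping lookup that precedes the try. The first parser.py hunk only adds `import builtins` and needs no change.
```python
    # … unchanged: lookup in functions_mapping above …
    try:
        # check if Python builtin functions
        item_func = getattr(builtins, function_name)
    except AttributeError:
        # is not builtin function
        raise exceptions.FunctionNotFound("{} is not found.".format(function_name))
    # builtins has non-callable attributes, and builtins such as eval/exec/open must
    # not be reachable from test-case expressions: accept only an explicit allowlist.
    # ALLOWED_BUILTINS is a module-level frozenset of permitted names (constructed
    # example: {"len", "ord", "str", "int"}); define it next to the imports.
    if not callable(item_func) or function_name not in ALLOWED_BUILTINS:
        raise exceptions.FunctionNotFound("{} is not found.".format(function_name))
    return item_func
```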
@@ -437,6 +437,10 @@ class TestParserBasic(unittest.TestCase):
 self.assertEqual(var._string, "ABC{}{}")
 self.assertEqual(var.to_value(variables_mapping), "ABCTrueabc123")
+ # Python builtin functions
+ var = parser.LazyString("ABC${ord(a)}DEF${len(abcd)}", functions_mapping, check_variables_set)
+ self.assertEqual(var._string, "ABC{}DEF{}")
+ self.assertEqual(var.to_value(variables_mapping), "ABC97DEF4")
 def test_parse_variable(self):
 """ variable format ${var} and $var