fix(api): Code scanning alerts (#254)

2023-11-06 14:27:30 +08:00 · 2023-11-06 14:27:30 +08:00 · 2ae4aeee67
parent 46238b8b51
commit 2ae4aeee67
3 changed files with 10 additions and 7 deletions
--- a/cmdb-api/api/lib/cmdb/attribute.py
+++ b/cmdb-api/api/lib/cmdb/attribute.py
@ -81,8 +81,9 @@ class AttributeManager(object):
        elif choice_other.get('script'):
            try:
                x = compile(choice_other['script'], '', "exec")
-                exec(x)
-                res = locals()['ChoiceValue']().values() or []
+                local_ns = {}
+                exec(x, {}, local_ns)
+                res = local_ns['ChoiceValue']().values() or []
                return [[i, {}] for i in res]
            except Exception as e:
                current_app.logger.error("get choice values from script: {}".format(e))
--- a/cmdb-api/api/lib/cmdb/auto_discovery/auto_discovery.py
+++ b/cmdb-api/api/lib/cmdb/auto_discovery/auto_discovery.py
@ -36,9 +36,10 @@ def parse_plugin_script(script):
    attributes = []
    try:
        x = compile(script, '', "exec")
-        exec(x)
-        unique_key = locals()['AutoDiscovery']().unique_key
-        attrs = locals()['AutoDiscovery']().attributes() or []
+        local_ns = {}
+        exec(x, {}, local_ns)
+        unique_key = local_ns['AutoDiscovery']().unique_key
+        attrs = local_ns['AutoDiscovery']().attributes() or []
    except Exception as e:
        return abort(400, str(e))

--- a/cmdb-api/api/lib/cmdb/search/ci/db/search.py
+++ b/cmdb-api/api/lib/cmdb/search/ci/db/search.py
@ -9,6 +9,7 @@ import time
 from flask import current_app
 from flask_login import current_user
 from jinja2 import Template
+from sqlalchemy import text

 from api.extensions import db
 from api.lib.cmdb.cache import AttributeCache
@ -312,7 +313,7 @@ class Search(object):
        start = time.time()
        execute = db.session.execute
        # current_app.logger.debug(v_query_sql)
-        res = execute(v_query_sql).fetchall()
+        res = execute(text(v_query_sql)).fetchall()
        end_time = time.time()
        current_app.logger.debug("query ci ids time is: {0}".format(end_time - start))

@ -525,7 +526,7 @@ class Search(object):
            if k:
                table_name = TableMap(attr=attr).table_name
                query_sql = FACET_QUERY.format(table_name, self.query_sql, attr.id)
-                result = db.session.execute(query_sql).fetchall()
+                result = db.session.execute(text(query_sql)).fetchall()
                facet[k] = result

        facet_result = dict()