From 435bb2a2c806d622531ab1d50bf6a4f6e1fb68b6 Mon Sep 17 00:00:00 2001
From: thexqn
Date: Fri, 4 Apr 2025 19:19:42 +0800
Subject: [PATCH] =?UTF-8?q?fix(api):=20=E4=BD=BF=E7=94=A8=20ast.literal=5F?= =?UTF-8?q?eval=20=E4=BB=A3=E6=9B=BF=20eval,=E5=8F=96=E6=B6=88=E4=B8=8D?= =?UTF-8?q?=E6=AD=A3=E7=A1=AE=E7=9A=84=E8=AE=A1=E7=AE=97=E5=B1=9E=E6=80=A7?= =?UTF-8?q?=E5=80=BC=E8=BF=94=E5=9B=9E=E3=80=82=20(#688)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix(api): 使用 ast.literal_eval 代替 eval,取消不正确的计算属性值返回。
* fix(api): 修复属性值计算逻辑,直接返回渲染结果。
---
 cmdb-api/api/lib/cmdb/value.py | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/cmdb-api/api/lib/cmdb/value.py b/cmdb-api/api/lib/cmdb/value.py
index 007b1fe..593ef18 100644
--- a/cmdb-api/api/lib/cmdb/value.py
+++ b/cmdb-api/api/lib/cmdb/value.py
@@ -180,14 +180,15 @@ class AttributeValueManager(object):
 @staticmethod
 def _compute_attr_value_from_expr(expr, ci_dict):
- t = jinja2.Template(expr).render(ci_dict)
-
 try:
- return eval(t)
+ result = jinja2.Template(expr).render(ci_dict)
+ return result
 except Exception as e:
- current_app.logger.warning(str(e))
- return t
-
+ current_app.logger.warning(
+ f"Expression evaluation error - Expression: '{expr}'"
+ f"Input parameters: {ci_dict}, Error type: {type(e).__name__}, Error message: {str(e)}"
+ )
+ return None
 @staticmethod
 def _compute_attr_value_from_script(script, ci_dict):
 script = jinja2.Template(script).render(ci_dict)
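Review bot: `jinja2.Template(expr).render(ci_dict)` in `_compute_attr_value_from_expr` still renders the expression in a non-sandboxed Jinja2 environment, so removing `eval` does not by itself stop an attribute expression from executing code on the server, because template attribute access can reach Python object internals. Whether `expr` can be set by anyone less trusted than the server operator is not visible from this hunk; if it can, render with `jinja2.sandbox.SandboxedEnvironment().from_string(expr).render(ci_dict)` (the `jinja2.sandbox` submodule has to be imported explicitly). The context line `jinja2.Template(script).render(ci_dict)` in `_compute_attr_value_from_script` has the same pattern, and that function's body continues outside the hunk. Separately, the new warning writes the whole `ci_dict` to the log, which may carry sensitive attribute values, and the two f-string parts join with no separator after `'{expr}'`; logging the expression and `type(e).__name__` alone should be enough for diagnosis.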