fix(api): Code scanning alerts (#254)

veops · Nov 6, 2023 · 2ae4aee · 2ae4aee
1 parent 46238b8
commit 2ae4aee
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 7 deletions.
diff --git a/cmdb-api/api/lib/cmdb/attribute.py b/cmdb-api/api/lib/cmdb/attribute.py
@@ -81,8 +81,9 @@ def _get_choice_values_from_other(choice_other):
         elif choice_other.get('script'):
             try:
                 x = compile(choice_other['script'], '', "exec")
-                exec(x)
-                res = locals()['ChoiceValue']().values() or []
+                local_ns = {}
+                exec(x, {}, local_ns)
+                res = local_ns['ChoiceValue']().values() or []
                 return [[i, {}] for i in res]
             except Exception as e:
                 current_app.logger.error("get choice values from script: {}".format(e))

diff --git a/cmdb-api/api/lib/cmdb/auto_discovery/auto_discovery.py b/cmdb-api/api/lib/cmdb/auto_discovery/auto_discovery.py
@@ -36,9 +36,10 @@ def parse_plugin_script(script):
     attributes = []
     try:
         x = compile(script, '', "exec")
-        exec(x)
-        unique_key = locals()['AutoDiscovery']().unique_key
-        attrs = locals()['AutoDiscovery']().attributes() or []
+        local_ns = {}
+        exec(x, {}, local_ns)
+        unique_key = local_ns['AutoDiscovery']().unique_key
+        attrs = local_ns['AutoDiscovery']().attributes() or []
     except Exception as e:
         return abort(400, str(e))
 

diff --git a/cmdb-api/api/lib/cmdb/search/ci/db/search.py b/cmdb-api/api/lib/cmdb/search/ci/db/search.py
@@ -9,6 +9,7 @@
 from flask import current_app
 from flask_login import current_user
 from jinja2 import Template
+from sqlalchemy import text
 
 from api.extensions import db
 from api.lib.cmdb.cache import AttributeCache
@@ -312,7 +313,7 @@ def _execute_sql(self, query_sql):
         start = time.time()
         execute = db.session.execute
         # current_app.logger.debug(v_query_sql)
-        res = execute(v_query_sql).fetchall()
+        res = execute(text(v_query_sql)).fetchall()
         end_time = time.time()
         current_app.logger.debug("query ci ids time is: {0}".format(end_time - start))
 
@@ -525,7 +526,7 @@ def _facet_build(self):
             if k:
                 table_name = TableMap(attr=attr).table_name
                 query_sql = FACET_QUERY.format(table_name, self.query_sql, attr.id)
-                result = db.session.execute(query_sql).fetchall()
+                result = db.session.execute(text(query_sql)).fetchall()
                 facet[k] = result
 
         facet_result = dict()