Webservice: Use ast.literal_eval() for parsing ZMQ requests
Description
We were using eval() to parse incoming requests. This runs arbitrary code, so anyone who discovers the port number could run code as xcal/xcaltst. Even if we're not concerned about that, it makes the system harder to understand, because theoretically a valid request could include a function call that runs when it's eval-ed.
Looking at the scripts in this repo and the code in myMDC, I believe that requests are always Python literals (specifically, lists/tuples of strings). So we can use the safe ast.literal_eval() function to parse them.
Using JSON would be a nicer approach (mentioned in detectors/calibration_workshop#261), but that would involve changes to the code making requests as well. Using literal_eval is an easy change because it doesn't require any coordination with other code.
How Has This Been Tested?
Deployed on max-exfl017, tested submitting one run for correction and one dark calibration job (involving 3 runs) from mymdc test environment.
Types of changes
- Bug fix (non-breaking change which fixes an issue)
Checklist:
- My code follows the code style of this project.
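
The parsing change described above, sketched as an added example; this is not the project's own code. The names `parse_request`, `is_accepted`, `BadRequest` and `MAX_REQUEST_BYTES`, the size cap and the sample request contents are all assumptions constructed for illustration. It also goes one step beyond the description by checking that the parsed literal really is a list or tuple of strings.

```python
import ast

# Assumed cap: literal_eval runs no code, but very large or deeply nested
# input can still exhaust memory or the parser's recursion limit.
MAX_REQUEST_BYTES = 4096


class BadRequest(ValueError):
    """Raised when a request is not a list/tuple of strings."""


def parse_request(raw: bytes) -> list[str]:
    """Parse a request body without executing anything it contains."""
    if len(raw) > MAX_REQUEST_BYTES:
        raise BadRequest("request too large")
    try:
        value = ast.literal_eval(raw.decode("utf-8"))
    except (ValueError, SyntaxError, MemoryError, RecursionError) as exc:
        # ValueError covers undecodable bytes and non-literal nodes such as
        # function calls, attribute access or names.
        raise BadRequest(f"not a Python literal ({type(exc).__name__})") from exc
    if not isinstance(value, (list, tuple)):
        raise BadRequest("expected a list or tuple")
    if not all(isinstance(item, str) for item in value):
        raise BadRequest("expected only string elements")
    return list(value)


def is_accepted(raw: bytes) -> bool:
    """True if the request parses and has the expected shape."""
    try:
        parse_request(raw)
    except BadRequest:
        return False
    return True


# Constructed sample requests; the field values are placeholders.
SAMPLES = [
    b"['correct', '1234', 'INSTRUMENT', '42']",  # list of strings: accepted
    b"('dark', '1234', '7', '8', '9')",          # tuple of strings: accepted
    b"__import__('os').getcwd()",                # call: eval() would run it
    b"['correct', 42]",                          # literal, wrong element type
    b"{'action': 'correct'}",                    # literal, wrong container
    b"['unterminated",                           # not valid syntax
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", "accepted" if is_accepted(sample) else "rejected")
```
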