Webservice: Use ast.literal_eval() for parsing ZMQ requests

Thomas Kluyver requested to merge literal-eval into master

Description

We were using eval() to parse incoming requests. This runs arbitrary code, so anyone who discovers the port number could run code as xcal/xcaltst. Even if we're not concerned about that, it makes the system harder to understand, because theoretically a valid request could include a function call that runs when it's eval-ed.

Looking at the scripts in this repo and the code in myMDC, I believe that requests are always Python literals (specifically, lists/tuples of strings). So we can use the safe ast.literal_eval() function to parse them.

Using JSON would be a nicer approach (mentioned in detectors/calibration_workshop#261), but that would involve changes to the code making requests as well. Using literal_eval is an easy change because it doesn't require any coordination with other code.

How Has This Been Tested?

Deployed on max-exfl017, tested submitting one run for correction and one dark calibration job (involving 3 runs) from mymdc test environment.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • My code follows the code style of this project.

Reviewers

@danilevc @ahmedk
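
The parsing approach described above, as an added example that is not code from this merge request or repository: a request is parsed with ast.literal_eval() and then checked against the shape the description mentions (a list or tuple of strings). The function names, the size limit and the sample requests are assumptions constructed for illustration.

```python
import ast

MAX_REQUEST_BYTES = 4096  # assumed limit, not taken from the project


class BadRequest(ValueError):
    """Raised when a request is not a flat list/tuple of strings."""


def parse_request(raw: bytes) -> list[str]:
    """Parse a request as a Python literal without executing any code."""
    if len(raw) > MAX_REQUEST_BYTES:
        raise BadRequest("request too large")
    try:
        # literal_eval accepts only literals (strings, numbers, tuples, lists,
        # dicts, sets, booleans, None); names, calls and attribute access fail.
        value = ast.literal_eval(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError, SyntaxError,
            MemoryError, RecursionError) as exc:
        raise BadRequest(f"not a Python literal: {type(exc).__name__}") from exc
    # A literal can still have the wrong shape (dict, number, mixed types),
    # so check the structure the request handlers expect.
    if not isinstance(value, (list, tuple)) or not value:
        raise BadRequest("expected a non-empty list or tuple")
    if not all(isinstance(item, str) for item in value):
        raise BadRequest("every element must be a string")
    return list(value)


def classify(raw: bytes) -> str:
    """Return 'ok:<first field>' or 'rejected: <reason>' for logging."""
    try:
        return "ok:" + parse_request(raw)[0]
    except BadRequest as exc:
        return "rejected: " + str(exc)


# Constructed sample requests; action names and fields are illustrative.
SAMPLES = [
    b"['correct', '1234', 'SASE1', 'SPB', '1']",
    b"('dark', '1234', 'SPB')",
    b"['correct', str(1234)]",   # eval() would run the call; not a literal
    b"{'action': 'correct'}",    # valid literal, wrong shape
    b"['correct', 42]",          # non-string element
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify(sample))
```

The third sample is the case the description calls out: under eval() it would be accepted after running the call, while literal_eval() raises ValueError before anything executes.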