fix: do not use eval in RequestDB

chaen · sfayer · commit 99f1af88b525 · 2026-05-15T15:54:56.000+01:00
diff --git a/src/DIRAC/RequestManagementSystem/DB/RequestDB.py b/src/DIRAC/RequestManagementSystem/DB/RequestDB.py
@@ -40,6 +40,7 @@
     TEXT,
     BigInteger,
     distinct,
+    inspect,
 )
 
 # # from DIRAC
@@ -188,6 +189,38 @@ class RequestDB:
     db holding requests
     """
 
+    @staticmethod
+    def _get_column(table_name, column_name):
+        """Resolve supported ORM column attributes without evaluating input."""
+
+        models = {"Request": Request, "Operation": Operation}
+        aliases = {"Status": "_Status"}
+
+        model = models.get(table_name)
+        if model is None:
+            raise ValueError(f"Unknown table '{table_name}'")
+
+        resolved_name = aliases.get(column_name, column_name)
+        if resolved_name not in inspect(model).column_attrs:
+            raise ValueError(f"Unknown {table_name} attribute '{column_name}'")
+
+        return getattr(model, resolved_name)
+
+    @classmethod
+    def _apply_web_filter(cls, query, table_name, column_name, value):
+        column = cls._get_column(table_name, column_name)
+        if isinstance(value, list):
+            return query.filter(column.in_(value))
+        return query.filter(column == value)
+
+    @classmethod
+    def _get_order_expression(cls, table_name, column_name, direction):
+        column = cls._get_column(table_name, column_name)
+        normalized_direction = direction.lower()
+        if normalized_direction not in {"asc", "desc"}:
+            raise ValueError(f"Unknown sort direction '{direction}'")
+        return getattr(column, normalized_direction)()
+
     def __getDBConnectionInfo(self, fullname):
         """Collect from the CS all the info needed to connect to the DB.
         This should be in a base class eventually
@@ -659,13 +692,12 @@ def getRequestSummaryWeb(self, selectDict, sortList, startItem, maxItems):
                     elif key == "Status":
                         key = "_Status"
 
-                    if isinstance(value, list):
-                        summaryQuery = summaryQuery.filter(eval(f"{tableName}.{key}.in_({value})"))
-                    else:
-                        summaryQuery = summaryQuery.filter(eval(f"{tableName}.{key}") == value)
+                    summaryQuery = self._apply_web_filter(summaryQuery, tableName, key, value)
 
             if sortList:
-                summaryQuery = summaryQuery.order_by(eval(f"Request.{sortList[0][0]}.{sortList[0][1].lower()}()"))
+                summaryQuery = summaryQuery.order_by(
+                    self._get_order_expression("Request", sortList[0][0], sortList[0][1])
+                )
 
             try:
                 requestLists = summaryQuery.all()
@@ -699,6 +731,8 @@ def getRequestSummaryWeb(self, selectDict, sortList, startItem, maxItems):
             resultDict["TotalRecords"] = nRequests
 
             return S_OK(resultDict)
+        except ValueError as e:
+            return S_ERROR(str(e))
         #
         except Exception as e:
             self.log.exception("getRequestSummaryWeb: unexpected exception", lException=e)
@@ -718,17 +752,15 @@ def getRequestCountersWeb(self, groupingAttribute, selectDict):
 
         session = self.DBSession()
 
-        if groupingAttribute == "Type":
-            groupingAttribute = "Operation.Type"
-        elif groupingAttribute == "Status":
-            groupingAttribute = "Request._Status"
-        else:
-            groupingAttribute = f"Request.{groupingAttribute}"
-
         try:
+            if groupingAttribute == "Type":
+                groupingColumn = self._get_column("Operation", "Type")
+            else:
+                groupingColumn = self._get_column("Request", groupingAttribute)
+
             summaryQuery = session.query(
-                eval(groupingAttribute), func.count(Request.RequestID)  # pylint: disable=not-callable
-            )
+                groupingColumn, func.count(Request.RequestID)
+            )  # pylint: disable=not-callable,no-member
 
             for key, value in selectDict.items():
                 if key == "ToDate":
@@ -743,12 +775,9 @@ def getRequestCountersWeb(self, groupingAttribute, selectDict):
                     elif key == "Status":
                         key = "_Status"
 
-                    if isinstance(value, list):
-                        summaryQuery = summaryQuery.filter(eval(f"{objectType}.{key}.in_({value})"))
-                    else:
-                        summaryQuery = summaryQuery.filter(eval(f"{objectType}.{key}") == value)
+                    summaryQuery = self._apply_web_filter(summaryQuery, objectType, key, value)
 
-            summaryQuery = summaryQuery.group_by(eval(groupingAttribute))
+            summaryQuery = summaryQuery.group_by(groupingColumn)
 
             try:
                 requestLists = summaryQuery.all()
@@ -760,6 +789,8 @@ def getRequestCountersWeb(self, groupingAttribute, selectDict):
 
             return S_OK(resultDict)
 
+        except ValueError as e:
+            return S_ERROR(str(e))
         except Exception as e:
             self.log.exception("getRequestSummaryWeb: unexpected exception", lException=e)
             return S_ERROR(f"getRequestSummaryWeb: unexpected exception : {e}")
@@ -772,11 +803,11 @@ def getDistinctValues(self, tableName, columnName):
 
         session = self.DBSession()
         distinctValues = []
-        if columnName == "Status":
-            columnName = "_Status"
         try:
-            result = session.query(distinct(eval(f"{tableName}.{columnName}"))).all()
+            result = session.query(distinct(self._get_column(tableName, columnName))).all()
             distinctValues = [dist[0] for dist in result]
+        except ValueError as e:
+            return S_ERROR(str(e))
         except NoResultFound:
             pass
         except Exception as e:
