Removed eval, fixed security vulnerability

2023-11-27 05:45:45 +03:00 · 2023-11-27 05:45:45 +03:00 · 8c4799c634
commit 8c4799c634
parent 5506b2d8a6
2 changed files with 5 additions and 2 deletions
--- a/cmd_chat/client/client.py
+++ b/cmd_chat/client/client.py
@ -1,4 +1,5 @@
 import os 
+import ast 
 import time
 import platform
 import threading
@ -115,7 +116,7 @@ class Client(RSAService):
        while True:
            try:
                time.sleep(0.05)
-                response = eval(ws.recv())
+                response = ast.literal_eval(ws.recv().decode('utf-8'))
                if last_try == response:
                    continue
                last_try = response
--- a/cmd_chat/server/services.py
+++ b/cmd_chat/server/services.py
@ -1,3 +1,4 @@
+import ast
 from sanic import Websocket
 from cmd_chat.server.models import Message

@ -5,7 +6,8 @@ from cmd_chat.server.models import Message
 async def _get_bytes_and_serialize(
    ws: Websocket
 ) -> dict:
-    return eval(await ws.recv())
+    ws_data = await ws.recv()
+    return ast.literal_eval(ws_data.decode('utf-8'))


 async def _check_ws_for_close_status(