[AIRFLOW-231] Do not eval user input in PrestoHook

Running `eval` represent a security threat as the interpreter can be hijacked by the service returning the string getting "evaled", in this case Presto. It turns out the code I'm changing here was written a long time ago and misguided, casting a python object to a string and then evaling it as a useless round trip. Closes #1584 from mistercrunch/security
apache · Jun 14, 2016 · 7d29698 · 7d29698
1 parent 717a4ae
commit 7d29698
Showing 1 changed file with 4 additions and 5 deletions.
diff --git a/airflow/hooks/presto_hook.py b/airflow/hooks/presto_hook.py
@@ -1,10 +1,11 @@
 from builtins import str
+import logging
+
 from pyhive import presto
 from pyhive.exc import DatabaseError
 
 from airflow.hooks.dbapi_hook import DbApiHook
 
-import logging
 logging.getLogger("pyhive").setLevel(logging.INFO)
 
 
@@ -65,8 +66,7 @@ def get_first(self, hql, parameters=None):
             return super(PrestoHook, self).get_first(
                 self._strip_sql(hql), parameters)
         except DatabaseError as e:
-            obj = eval(str(e))
-            raise PrestoException(obj['message'])
+            raise PrestoException(e[0]['message'])
 
     def get_pandas_df(self, hql, parameters=None):
         """
@@ -78,8 +78,7 @@ def get_pandas_df(self, hql, parameters=None):
             cursor.execute(self._strip_sql(hql), parameters)
             data = cursor.fetchall()
         except DatabaseError as e:
-            obj = eval(str(e))
-            raise PrestoException(obj['message'])
+            raise PrestoException(e[0]['message'])
         column_descriptions = cursor.description
         if data:
             df = pandas.DataFrame(data)