def create_default(self):
    """Evaluate the stored ``python_create_default`` snippet and return its ``default``.

    Returns ``None`` when no snippet is stored or when the
    ``MR_REPORTS_ALLOW_NATIVE_PYTHON_CODE_EXEC_ON_SERVER`` setting is off.
    Otherwise the snippet is run through ``maybe_safe_eval`` (5-second
    timeout) with a context that pre-supplies only the white-listed
    ``datetime`` module, and whatever the snippet bound to ``default`` is
    returned.

    Raises:
        KeyError: if the snippet ran but never assigned ``default``.

    WARNING: this executes operator-supplied Python on the server. The
    module white-list and the post-run ``reload`` reduce the exposure but
    cannot be assumed to contain it; the ability to edit
    ``python_create_default`` should be treated as a privileged operation.
    """
    if not self.python_create_default:
        return None
    server_exec_enabled = getattr(
        settings, 'MR_REPORTS_ALLOW_NATIVE_PYTHON_CODE_EXEC_ON_SERVER', False)
    if not server_exec_enabled:
        return None

    # Only white-listed modules go into the eval context. Anything added
    # here must also be added to maybe_safe_eval.modules_whitelist and be
    # reloaded after the snippet has run (see the end of this method).
    import datetime
    eval_context = {'datetime': datetime}

    # Django stores newlines as \r\n; the evaluator needs \n or it fails
    # with a syntax error.
    snippet = self.python_create_default.replace('\r\n', '\n')
    maybe_safe_eval(snippet, context=eval_context, timeout_secs=5)

    computed_default = eval_context['default']
    # Reload the white-listed modules in case the semi-trusted snippet
    # altered them. Best-effort only: this does not undo every change.
    reload(datetime)
    return computed_default
def create_default(self):
    """Run the model's ``python_create_default`` snippet and return the ``default`` it sets.

    The snippet is only executed when it is non-empty and the
    ``MR_REPORTS_ALLOW_NATIVE_PYTHON_CODE_EXEC_ON_SERVER`` setting is
    enabled; otherwise ``None`` is returned. Execution goes through
    ``maybe_safe_eval`` with a 5-second timeout and a namespace holding just
    the white-listed ``datetime`` module.

    Raises:
        KeyError: if the snippet completed without binding ``default``.

    WARNING: this is server-side execution of operator-supplied Python. The
    white-list plus the ``reload`` below narrow the exposure but do not
    guarantee isolation; editing ``python_create_default`` should be
    restricted accordingly.
    """

    def _evaluate(raw_snippet):
        # White-listed modules only. Extending this dict means also
        # extending maybe_safe_eval.modules_whitelist and reloading the
        # module once the snippet has run.
        import datetime
        namespace = {'datetime': datetime}
        # Django stores \r\n line endings; the evaluator needs \n to parse.
        maybe_safe_eval(raw_snippet.replace('\r\n', '\n'),
                        context=namespace, timeout_secs=5)
        value = namespace['default']
        # Best-effort reset of white-listed modules the snippet may have
        # tampered with; not a complete defence.
        reload(datetime)
        return value

    snippet = self.python_create_default
    # Short-circuit so settings is only consulted when there is a snippet.
    should_run = bool(snippet) and getattr(
        settings, 'MR_REPORTS_ALLOW_NATIVE_PYTHON_CODE_EXEC_ON_SERVER', False)
    return _evaluate(snippet) if should_run else None
def run_query(self, submitted_parameters):
    """Execute ``self.query`` and return ``(data, columns)``.

    Args:
        submitted_parameters: a bound form or a falsy value. When truthy,
            its ``cleaned_data`` is handed to ``execute`` as bind parameters
            of the ``text()`` statement rather than interpolated into the
            SQL string.

    Returns:
        A ``(data, columns)`` tuple: ``data`` is the ``fetchall()`` result
        and ``columns`` the names taken from ``cursor.description``. When
        ``python_post_processing`` is set and the
        ``MR_REPORTS_ALLOW_NATIVE_PYTHON_CODE_EXEC_ON_SERVER`` setting is
        on, ``data`` is whatever the snippet left bound to ``data`` after
        running under ``maybe_safe_eval`` with a 10-second timeout. Unlike
        create_default, no white-listed modules are pre-supplied here.

    Raises:
        KeyError: if the post-processing snippet ran but unbound ``data``.
    """
    conn = self.connection.get_db_connection()  # TODO: re-use across object
    statement = text(self.query)
    # conn.execute(statement, **{}) is the same call as conn.execute(statement).
    bind_params = submitted_parameters.cleaned_data if submitted_parameters else {}
    result = conn.execute(statement, **bind_params)

    columns = [col[0] for col in result.cursor.description]
    rows = result.fetchall()

    # Optional server-side Python post-processing of the raw rows.
    snippet = self.python_post_processing
    if snippet and getattr(
            settings, 'MR_REPORTS_ALLOW_NATIVE_PYTHON_CODE_EXEC_ON_SERVER', False):
        namespace = {'data': rows}
        # Django stores \r\n line endings; the evaluator needs \n to parse.
        maybe_safe_eval(snippet.replace('\r\n', '\n'),
                        context=namespace, timeout_secs=10)
        # Take back whatever the snippet left bound to ``data``.
        rows = namespace['data']
    return rows, columns
def run_query(self, submitted_parameters):
    """Run the report's SQL and return the rows plus their column names.

    Args:
        submitted_parameters: a bound form or a falsy value; if truthy its
            ``cleaned_data`` is passed as bind parameters of the ``text()``
            statement (not spliced into the SQL).

    Returns:
        ``(data, headers)`` where ``data`` comes from ``fetchall()`` and
        ``headers`` from ``cursor.description``. If
        ``python_post_processing`` is set and
        ``MR_REPORTS_ALLOW_NATIVE_PYTHON_CODE_EXEC_ON_SERVER`` is enabled,
        the snippet runs under ``maybe_safe_eval`` (10-second timeout) with
        only ``data`` in its namespace, and the value it leaves bound to
        ``data`` is returned instead.

    Raises:
        KeyError: if the snippet ran but removed ``data`` from its namespace.
    """
    conn = self.connection.get_db_connection()  # TODO: re-use across object
    compiled = text(self.query)
    if submitted_parameters:
        cursor_result = conn.execute(compiled, **submitted_parameters.cleaned_data)
    else:
        cursor_result = conn.execute(compiled)
    headers = [desc[0] for desc in cursor_result.cursor.description]
    data = cursor_result.fetchall()

    post_processing = self.python_post_processing
    # settings is only consulted when a snippet is actually stored.
    exec_allowed = post_processing and getattr(
        settings, 'MR_REPORTS_ALLOW_NATIVE_PYTHON_CODE_EXEC_ON_SERVER', False)
    if not exec_allowed:
        return data, headers

    namespace = {'data': data}
    # Django stores newlines as \r\n; the evaluator needs \n to parse.
    code = post_processing.replace('\r\n', '\n')
    maybe_safe_eval(code, context=namespace, timeout_secs=10)
    return namespace['data'], headers