From 863289bed94a18f9d49aa76685eac916554aee73 Mon Sep 17 00:00:00 2001
From: pycook <pycook@126.com>
Date: Mon, 6 Nov 2023 14:27:30 +0800
Subject: [PATCH] fix(api): Code scanning alerts (#254)

---
 cmdb-api/api/lib/cmdb/attribute.py                     | 5 +++--
 cmdb-api/api/lib/cmdb/auto_discovery/auto_discovery.py | 7 ++++---
 cmdb-api/api/lib/cmdb/search/ci/db/search.py           | 5 +++--
 3 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/cmdb-api/api/lib/cmdb/attribute.py b/cmdb-api/api/lib/cmdb/attribute.py
index 20f40913..817bac26 100644
--- a/cmdb-api/api/lib/cmdb/attribute.py
+++ b/cmdb-api/api/lib/cmdb/attribute.py
@@ -81,8 +81,9 @@ def _get_choice_values_from_other(choice_other):
         elif choice_other.get('script'):
             try:
                 x = compile(choice_other['script'], '', "exec")
-                exec(x)
-                res = locals()['ChoiceValue']().values() or []
+                local_ns = {}
+                exec(x, {}, local_ns)
+                res = local_ns['ChoiceValue']().values() or []
                 return [[i, {}] for i in res]
             except Exception as e:
                 current_app.logger.error("get choice values from script: {}".format(e))
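Review bot: The new `exec(x, {}, local_ns)` at L23 does not confine the script: CPython inserts `__builtins__` into an empty globals dict, so `__import__`, `open` and friends stay reachable, and if `choice_other['script']` can be set by a user this remains arbitrary code execution — the change silences the scanner alert without reducing the exposure, which deserves a comment such as `# NOTE: exec here is NOT a sandbox; the script runs with full interpreter privileges`. Separately, giving exec distinct globals and locals changes script semantics: top-level definitions land in `local_ns`, but functions and methods resolve free names through globals (the empty dict), so a `ChoiceValue.values()` that calls a helper defined in the same script now raises NameError. Use one dict for both: `ns = {}`, `exec(x, ns)`, `res = ns['ChoiceValue']().values() or []`. `_get_choice_values_from_other` starts before and continues after this hunk.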
diff --git a/cmdb-api/api/lib/cmdb/auto_discovery/auto_discovery.py b/cmdb-api/api/lib/cmdb/auto_discovery/auto_discovery.py
index b135b002..cec57f58 100644
--- a/cmdb-api/api/lib/cmdb/auto_discovery/auto_discovery.py
+++ b/cmdb-api/api/lib/cmdb/auto_discovery/auto_discovery.py
@@ -36,9 +36,10 @@ def parse_plugin_script(script):
     attributes = []
     try:
         x = compile(script, '', "exec")
-        exec(x)
-        unique_key = locals()['AutoDiscovery']().unique_key
-        attrs = locals()['AutoDiscovery']().attributes() or []
+        local_ns = {}
+        exec(x, {}, local_ns)
+        unique_key = local_ns['AutoDiscovery']().unique_key
+        attrs = local_ns['AutoDiscovery']().attributes() or []
     except Exception as e:
         return abort(400, str(e))
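Review bot: Same pitfall as the attribute change: with separate globals (`{}`) and locals at L40, any `AutoDiscovery` method that references another top-level name from the plugin script fails with NameError, because functions look up free names in their globals, not in `local_ns`; a single namespace dict restores the previous behaviour. The empty globals also do not sandbox the plugin (builtins are injected automatically), so a plugin script from an untrusted author still executes with the API process's privileges — worth a comment at the `exec` line rather than an implicit assumption. While here, the class is instantiated twice at L41–L42; instantiating once avoids running the plugin's `__init__` side effects twice. `parse_plugin_script` begins before this hunk and its return lies after it.
```python
        ns = {}
        # NOTE: not a sandbox — the plugin runs with full interpreter privileges.
        exec(x, ns)
        plugin = ns['AutoDiscovery']()
        unique_key = plugin.unique_key
        attrs = plugin.attributes() or []
    # … unchanged: except clause …
```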
 
diff --git a/cmdb-api/api/lib/cmdb/search/ci/db/search.py b/cmdb-api/api/lib/cmdb/search/ci/db/search.py
index fee72518..206e9214 100644
--- a/cmdb-api/api/lib/cmdb/search/ci/db/search.py
+++ b/cmdb-api/api/lib/cmdb/search/ci/db/search.py
@@ -9,6 +9,7 @@
 from flask import current_app
 from flask_login import current_user
 from jinja2 import Template
+from sqlalchemy import text
 
 from api.extensions import db
 from api.lib.cmdb.cache import AttributeCache
@@ -312,7 +313,7 @@ def _execute_sql(self, query_sql):
         start = time.time()
         execute = db.session.execute
         # current_app.logger.debug(v_query_sql)
-        res = execute(v_query_sql).fetchall()
+        res = execute(text(v_query_sql)).fetchall()
         end_time = time.time()
         current_app.logger.debug("query ci ids time is: {0}".format(end_time - start))
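Review bot: Wrapping `v_query_sql` in `text()` at L63 only declares the string as textual SQL for SQLAlchemy; it does not parameterize anything, so whatever injection surface exists in how `v_query_sql` is assembled (outside this hunk — the `jinja2.Template` import at L53 suggests string rendering) is unchanged by this commit. If any user-supplied search value is interpolated into that string, it should be carried as a bound parameter instead: `execute(text(v_query_sql), params)` with `:name` placeholders in the SQL. At minimum the new line deserves a comment making clear that `text()` is a compatibility shim, not an escaping step. `_execute_sql` starts before this hunk and continues past it.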
 
@@ -525,7 +526,7 @@ def _facet_build(self):
             if k:
                 table_name = TableMap(attr=attr).table_name
                 query_sql = FACET_QUERY.format(table_name, self.query_sql, attr.id)
-                result = db.session.execute(query_sql).fetchall()
+                result = db.session.execute(text(query_sql)).fetchall()
                 facet[k] = result
 
         facet_result = dict()
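Review bot: At L70 `query_sql` is still built with `str.format` and then merely wrapped in `text()` at L72, so `attr.id` and `self.query_sql` are interpolated as raw text; `text()` does not escape or bind them. `attr.id` is a scalar and can be bound rather than formatted: keep the table name in the format call (identifiers cannot be parameters) but pass the id as `db.session.execute(text(query_sql), {'attr_id': attr.id})` with `:attr_id` in `FACET_QUERY`. Whether `table_name` is drawn from a fixed set depends on `TableMap`, which is not visible here and is worth confirming. `_facet_build` starts before and ends after this hunk.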