eval 安全性处理

hb_server/apps/wf/models.py

@@ -39,6 +39,7 @@ class State(CommonAModel):
     PARTICIPANT_TYPE_ROBOT = 6
     PARTICIPANT_TYPE_FIELD = 7
     PARTICIPANT_TYPE_PARENT_FIELD = 8
+    PARTICIPANT_TYPE_FORMCODE = 9
     state_participanttype_choices = (
         (0, '无处理人'),
         (PARTICIPANT_TYPE_PERSONAL, '个人'),
@@ -48,7 +49,8 @@ class State(CommonAModel):
         (PARTICIPANT_TYPE_VARIABLE, '变量'),
         (PARTICIPANT_TYPE_ROBOT, '脚本'),
         (PARTICIPANT_TYPE_FIELD, '工单的字段'),
-        (PARTICIPANT_TYPE_PARENT_FIELD, '父工单的字段')
+        (PARTICIPANT_TYPE_PARENT_FIELD, '父工单的字段'),
+        (PARTICIPANT_TYPE_FORMCODE, '代码获取')
     )
     STATE_DISTRIBUTE_TYPE_ACTIVE = 1 # 主动接单
     STATE_DISTRIBUTE_TYPE_DIRECT = 2 # 直接处理(当前为多人的情况，都可以处理，而不需要先接单)

hb_server/apps/wf/services.py

@@ -119,7 +119,7 @@ class WfService(object):
             for i in transition.condition_expression:
                 expression = i['expression'].format(**ticket_all_value)
                 import datetime, time  # 用于支持条件表达式中对时间的操作
-                if eval(expression):
+                if eval(expression, {"__builtins__":None}, {'datetime':datetime, 'time':time}):
                     destination_state = State.objects.get(pk=i['target_state'])
         return destination_state
     

hb_server/apps/wf/views.py

@@ -15,6 +15,7 @@ from apps.wf.services import WfService
 from rest_framework.exceptions import APIException, PermissionDenied
 from rest_framework import status
 from django.db.models import Count
+
 # Create your views here.
 class WorkflowViewSet(CreateUpdateModelAMixin, ModelViewSet):
     perms_map = {'get': '*', 'post': 'workflow_create',