Added a first draft for OWASP#234

In OWASP#234 @colesmj suggested to move the import of pydal into the sqlDumb function. This commit does this and if the import fails raises an UIError with an explanation on how to proceed. The text is just a first draft. To move the import the function get_table was also moved inside the sqlDump function.
raphaelahrens · Mar 13, 2024 · a53b3fd · a53b3fd
1 parent 4890300
commit a53b3fd
Showing 1 changed file with 21 additions and 13 deletions.
diff --git a/pytm/pytm.py b/pytm/pytm.py
@@ -21,8 +21,6 @@
 from weakref import WeakKeyDictionary
 from datetime import datetime
 
-from pydal import DAL, Field
-
 from .template_engine import SuperFormatter
 
 """ Helper functions """
@@ -1173,6 +1171,25 @@ def _stale(self, days):
         return ""
 
     def sqlDump(self, filename):
+        try:
+            from pydal import DAL, Field
+        except ImportError as e:
+            raise UIError(
+                e, """This feature requires the pyDAL package,
+    Please install the package via pip or your packagemanger of choice.
+                """
+            )
+
+        @lru_cache(maxsize=None)
+        def get_table(db, klass):
+            name = klass.__name__
+            fields = [
+                Field("SID" if i == "id" else i)
+                for i in dir(klass)
+                if not i.startswith("_") and not callable(getattr(klass, i))
+            ]
+            return db.define_table(name, fields)
+
         try:
             rmtree("./sqldump")
             os.mkdir("./sqldump")
@@ -1199,10 +1216,10 @@ def sqlDump(self, filename):
             Data,
             Finding,
         ):
-            self.get_table(db, klass)
+            get_table(db, klass)
 
         for e in TM._threats + TM._data + TM._elements + self.findings + [self]:
-            table = self.get_table(db, e.__class__)
+            table = get_table(db, e.__class__)
             row = {}
             for k, v in serialize(e).items():
                 if k == "id":
@@ -1212,15 +1229,6 @@ def sqlDump(self, filename):
 
         db.close()
 
-    @lru_cache(maxsize=None)
-    def get_table(self, db, klass):
-        name = klass.__name__
-        fields = [
-            Field("SID" if i == "id" else i)
-            for i in dir(klass)
-            if not i.startswith("_") and not callable(getattr(klass, i))
-        ]
-        return db.define_table(name, fields)
 
 
 class Controls: