Avoid using eval to parse id_charset

[jvkersch]

The register objects code uses the builtin eval function twice to assemble a set of valid characters for object IDs, for example:

drs-filer/drs_filer/ga4gh/drs/endpoints/register_objects.py

Line 56 in bf420d0

id_charset = eval(id_charset)

The idea is that the user can specify the list of admissible ID characters using a Python expression in the configuration file:

drs-filer/drs_filer/config.yaml

Line 69 in bf420d0

id_charset: 'string.ascii_letters + string.digits + ".-_~"'

This is unsafe since it allows executing arbitrary code (try specifying id_charset: 'import os; os.system("rm -rf /")' in the config file), and also somewhat unnecessary in my opinion. I would recommend just specifying the list of admissible characters directly:

id_charset: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_~'

[uniqueg]

Good point. Did you try and see what happens if you do id_charset: 'import os; os.system("rm -rf /")'? 🙃

My reasoning was that this config is only accessible to admins who are setting up apps. But you are right, why even create a possible attach vector if it's unnecessary. I guess we could use ast.literal_eval(), but I think your suggestion is actually more user-friendly (nobody knows/remembers the string sets in Python).

In any case, please note that the function is now part of FOCA and could/should be imported from there. I will fix it in FOCA - and then we can just import it here.