Title: Un-sanitized eval may have security impact
Status in OpenStack Telemetry (Ceilometer): In Progress
Status in OpenStack Security Advisories: Won't Fix
Bug description:
On this line: eval is used for some transformation. The comments nearby suggest that it is used for a 'multiplicative factor or else a string to be eval'd'. If an attacker is able to provide an input like "__import__('os').system('rm -rf /etc')", the process will delete the etc directory with the privileges of the user that is running Ceilometer. Eval input should always be sanitized. I was unable to find any places where this is actually used, but this should definitely be hardened.
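The pattern the report describes, and one way to harden it, as an added example. This is not Ceilometer's code: scale_unsafe is a hypothetical scaling helper modelled on the "number or eval'd string" convention the report quotes, and scale_safe is a replacement that parses the string with the ast module and evaluates only arithmetic over a single variable named volume (both function names, the variable name and the payloads are assumptions made for the example). The demo payload calls os.getpid() rather than rm -rf so it can be run safely; it still proves the eval path executes attacker-chosen code.

```python
import ast
import operator


def scale_unsafe(volume, scale):
    """Hypothetical vulnerable helper: a string scale is handed straight to eval.

    eval() with empty globals still gets __builtins__ injected by the
    interpreter, so __import__ is reachable and any expression runs with the
    privileges of the process.
    """
    if isinstance(scale, str):
        return eval(scale, {}, {"volume": volume})  # arbitrary code execution
    return volume * scale


# Hardened replacement: whitelist of AST node types. Calls, attribute access,
# subscripts, names other than "volume", and exponentiation (cheap DoS with a
# huge exponent) are all rejected before anything is evaluated.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def _eval_node(node, env):
    if isinstance(node, ast.Expression):
        return _eval_node(node.body, env)
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.Name) and node.id in env:
        return env[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left, env),
                                       _eval_node(node.right, env))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand, env))
    raise ValueError("disallowed expression element: %s" % type(node).__name__)


def scale_safe(volume, scale):
    """Hardened helper: only numbers or arithmetic expressions over 'volume'."""
    if isinstance(scale, str):
        try:
            tree = ast.parse(scale, mode="eval")
        except SyntaxError as exc:
            raise ValueError("invalid scale expression") from exc
        return _eval_node(tree, {"volume": volume})
    if isinstance(scale, bool) or not isinstance(scale, (int, float)):
        raise ValueError("scale must be a number or an expression string")
    return volume * scale


def rejects(scale):
    """True if scale_safe refuses the given scale setting."""
    try:
        scale_safe(1.0, scale)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed payload: harmless stand-in for rm -rf /etc.
    payload = "__import__('os').getpid()"
    print("unsafe path ran attacker code, pid:", scale_unsafe(1.0, payload))
    print("safe arithmetic:", scale_safe(1024.0, "volume / 1024"))
    print("safe rejects payload:", rejects(payload))
```

The important design choice is that the whitelist is on the parsed tree, not on the input string: filtering characters or banning the substring "__import__" would still leave attribute-walking tricks such as volume.__class__ reachable, whereas refusing every ast.Attribute and ast.Call node closes that whole class at once.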