Replaces eval with json.loads for safer dict parsing

Switches from eval to json.loads when parsing string representations
of dictionaries to  prevent arbitrary code
execution.

test/bdd/utils/checks.py

@@ -58,7 +58,7 @@ COMPARISON_FUNCS = {
     None: lambda val, exp: str(val) == exp,
     'i': lambda val, exp: str(val).lower() == exp.lower(),
     'fm': lambda val, exp: re.fullmatch(exp, val) is not None,
-    'dict': lambda val, exp: val is None if exp == '-' else (val == eval('{' + exp + '}')),
+    'dict': lambda val, exp: val is None if exp == '-' else (val == json.loads('{' + exp + '}')),
     'in_box': within_box
 }
 

test/bdd/utils/place_inserter.py

@@ -7,6 +7,7 @@
 """
 Helper classes for filling the place table.
 """
+import json
 import random
 import string
 
@@ -51,7 +52,7 @@ class PlaceColumn:
         elif key.startswith('addr+'):
             self._add_hstore('address', key[5:], value)
         elif key in ('name', 'address', 'extratags'):
-            self.columns[key] = eval('{' + value + '}')
+            self.columns[key] = json.loads('{' + value + '}')
         else:
             assert key in ('class', 'type'), "Unknown column '{}'.".format(key)
             self.columns[key] = None if value == '' else value