Examples: query, "exact match", wildcard*, wild?ard, wild*rd
Fuzzy search: cake~ (finds cakes, bake)
Term boost: "red velvet"^4, chocolate^2
Field grouping: tags:(+work -"fun-stuff")
Escaping: Escape characters +-&|!(){}[]^"~*?:\ with \, e.g. \+
Range search: properties.timestamp:[1587729413488 TO *] (inclusive), properties.title:{A TO Z}(excluding A and Z)
Combinations: chocolate AND vanilla, chocolate OR vanilla, (chocolate OR vanilla) NOT "vanilla pudding"
Field search: properties.title:"The Title" AND text
Answered
Hello, Clearml-Server Appears To Fail Escaping Html In Stdout/Stderr Reporting (The Console View), Is This A Known Bug ? Is This Fixed On 1.13.0 Maybe ? I’M On Webapp: 1.12.0-393 • Server: 1.12.0-393 • Api: 2.26 I Print Things Like This

hello, clearml-server appears to fail escaping html in stdout/stderr reporting (the console view), is this a known bug ? is this fixed on 1.13.0 maybe ? I’m on WebApp: 1.12.0-393 • Server: 1.12.0-393 • API: 2.26
I print things like this

     np = <module 'numpy' from '/home/monk/mambaforge/envs/mathis39/lib/python3.9/site-packages/numpy/__init__.py'>
     logger = <loguru.logger handlers=[(id=1, level=10, sink=<stderr>), (id=2, level=10, sink='/shared/data/gold_standard/2023-11-22_ingestion.tmp/log.txt'), (id=3, level=10, sink='/shared/data/gold_standard/2023-11-22_ingestion.tmp/log.jsonl')]>
     DAMAGES = <Classes 1: ...>

and it completely removes the <> and the text inside in clearml console view:

     np = 
     logger = ), (id=2, level=10, sink='/shared/data/gold_standard/2023-11-22_ingestion.tmp/log.txt'), (id=3, level=10, sink='/shared/data/gold_standard/2023-11-22_ingestion.tmp/log.jsonl')]>
     DAMAGES = 

and from what I can see in the page source (of the console view), the code is not removed but injected as html, serious XSS bug !
thanks

  
  
Posted one year ago
Votes Newest

Answers 2


ok so I reproduced it with this, it happens when I have colors (I got the error first with an exception printed with stackprinter None )

Task.init(project_name="test", task_name="test", reuse_last_task_id=False)
print("this is a test <hello world> rest of the text")
print("this is a test <hello world> rest of the text", file=sys.stderr)
print(colorama.Fore.RED + "this is a test <hello world> rest of the text" + colorama.Style.RESET_ALL)

image

  
  
Posted one year ago

Hi @<1523706645840924672:profile|VirtuousFish83> , can you share a code example? Or explain where exactly you're printing this?

  
  
Posted one year ago
714 Views
2 Answers
one year ago
12 months ago
Tags