
[BUG] Single quotes in graphite dashboard are automatically replaced with double quotes, escaping doesn't work. Affects applyByNode() function.

Open · dimonoid opened this issue 8 months ago · 1 comment

Unable to use the function applyByNode(metric*,1,"function('here')"). In the 3rd argument, between the double quotes, single quotes are sometimes needed, as double quotes inside double quotes cause an error. This works in the main UI, but fails in the dashboard (single quotes are automatically replaced with double quotes).

From /var/log/graphite/exception.log

Traceback (most recent call last):
  File "/opt/graphite/lib/python3.9/site-packages/django/core/handlers/base.py", line 113, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/opt/graphite/webapp/graphite/errors.py", line 101, in new_f
    return f(*args, **kwargs)
  File "/opt/graphite/webapp/graphite/render/views.py", line 130, in renderView
    data.extend(evaluateTarget(requestContext, targets))
  File "/opt/graphite/webapp/graphite/render/evaluator.py", line 34, in evaluateTarget
    result = evaluateTokens(requestContext, target)
  File "/opt/graphite/webapp/graphite/render/evaluator.py", line 67, in evaluateTokens
    return evaluateTokens(requestContext, tokens.expression, replacements)
  File "/opt/graphite/webapp/graphite/render/evaluator.py", line 120, in evaluateTokens
    return func(requestContext, *args, **kwargs)
  File "/opt/graphite/webapp/graphite/render/functions.py", line 5109, in applyByNode
    for resultSeries in evaluateTarget(newContext, templateFunction.replace('%', prefix)):
  File "/opt/graphite/webapp/graphite/render/evaluator.py", line 18, in evaluateTarget
    pathExpressions = extractPathExpressions(requestContext, targets)
  File "/opt/graphite/webapp/graphite/render/evaluator.py", line 200, in extractPathExpressions
    target = grammar.parseString(target)
  File "/opt/graphite/webapp/graphite/render/grammar.py", line 12, in parseString
    return _grammar.parseString(instring)
  File "/opt/graphite/lib/python3.9/site-packages/pyparsing/util.py", line 256, in _inner
    return fn(self, *args, **kwargs)
  File "/opt/graphite/lib/python3.9/site-packages/pyparsing/core.py", line 1190, in parse_string
    raise exc.with_traceback(None)
pyparsing.exceptions.ParseException: , found "'" (at char 0), (line:1, col:1)

Environment: Standard Docker container, Linux, Firefox

dimonoid · May 21 '25 14:05

Confirming that; it looks like a bug in some earlier XSS security fixes in the dashboard.

deniszh · May 21 '25 14:05
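The quoting failure the report describes, and the kind of "sanitizer" mistake the confirming comment points at, as an added Python example. This is not graphite-web's dashboard or render code: the target is constructed in the same shape as the one in the report, `naive_quote_rewrite` is a hypothetical model of the observed single-to-double replacement, `string_literals` is a simplified stand-in for the real target grammar (it only tracks quoted literals), and the `for_html_attribute` / `for_javascript_literal` helpers show the alternative an XSS fix should take: encode the value for its output context at the sink and never alter the stored target. It does not reproduce the exact traceback above.

```python
import html
import json

# Constructed target in the shape the report describes: the third argument of
# applyByNode() is itself a string literal, and the nested literal inside it
# has to use the other quote character.
TARGET = 'applyByNode(metric*,1,"function(\'here\')")'


def naive_quote_rewrite(target: str) -> str:
    """Model of a quote-rewriting 'sanitizer' (hypothetical, not graphite-web code).

    Blindly turning every single quote into a double quote is the behaviour
    the report observes; it alters the data instead of encoding it for an
    output context.
    """
    return target.replace("'", '"')


def string_literals(target: str) -> list:
    """Simplified stand-in for the target grammar's string-literal handling.

    Scans the target, tracking whether it is inside a '...' or "..." literal,
    and returns the literal bodies in order. An unterminated literal raises
    ValueError, the kind of condition the real grammar surfaces as a
    pyparsing ParseException.
    """
    literals = []
    quote = None
    body = []
    for ch in target:
        if quote is None:
            if ch in ("'", '"'):
                quote, body = ch, []
        elif ch == quote:
            literals.append("".join(body))
            quote = None
        else:
            body.append(ch)
    if quote is not None:
        raise ValueError("unterminated string literal in target")
    return literals


def for_html_attribute(target: str) -> str:
    """Encode for an HTML attribute value at the output boundary.

    The stored target is left intact; only the rendered form changes, and the
    browser decodes &quot; and &#x27; back to the original characters.
    """
    return html.escape(target, quote=True)


def for_javascript_literal(target: str) -> str:
    """Encode for embedding in a JavaScript string literal (a JSON string is one)."""
    return json.dumps(target)


def roundtrips_through_html(target: str) -> bool:
    """True when decoding the HTML-encoded form gives back the exact target."""
    return html.unescape(for_html_attribute(target)) == target


def roundtrips_through_javascript(target: str) -> bool:
    """True when parsing the JS/JSON literal gives back the exact target."""
    return json.loads(for_javascript_literal(target)) == target


if __name__ == "__main__":
    print("original  :", TARGET, "->", string_literals(TARGET))
    rewritten = naive_quote_rewrite(TARGET)
    print("rewritten :", rewritten, "->", string_literals(rewritten))
    print("html attr :", for_html_attribute(TARGET))
    print("js literal:", for_javascript_literal(TARGET))
```

Running it shows the original target holding one literal, `function('here')`, while the rewritten target scans as two unrelated literals, `function(` and `)`, with `here` left outside any string: the nested quoting is destroyed before the server ever sees it. The two encoders keep every quote character out of the rendered HTML or JavaScript, which is what the XSS protection needs, yet decode back to the unchanged target.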