Open liviust opened 3 weeks ago
Interestingly enough, the error goes away if you first upload a submission via the Resources menu and then create a competition. Therefore, the above error happens when you compile the two branches from scratch and upload a competition as the first command.
After you upload a submission, the error goes away, and you can upload a competition bundle. However, when uploading a submission to the newly created competition, you'll get:
Rriot+compiler.min.js:2 Cannot read properties of undefined (reading 'length')
riot+compiler.min.js:2 <comp-tabs> {competition.files.length != 0}
And then:
Object
competition:
admin: true
admin_privilege: true
allow_robot_submissions: false
auto_run_submissions: true
can_participants_make_submissions_public: true
collaborators: []
competition_type: "competition"
contact_email: ""
created_by: "admin"
created_when: "2024-06-09T07:15:12.906106Z"
description: "The well known Iris dataset from Fisher's classic paper (Fisher, 1936)."
docker_image: "codalab/codalab-legacy:py37"
enable_detailed_results: true
fact_sheet: null
files: Array(8)
0: {key: '2a39495b-8859-470a-bc03-24c20fbd00fb', name: "ingestion_program @ '06-09-2024 07:15'", file_size: '28.86', phase: 'Development', task: 'Development Task', …}
1: {key: '348a386e-e4c0-43e6-bf0f-d3f60e93395c', name: "scoring_program @ '06-09-2024 07:15'", file_size: '19.68', phase: 'Development', task: 'Development Task', …}
2: {key: '29e28217-f907-4a38-9427-e0e62c03b415', name: "input_data @ '06-09-2024 07:15'", file_size: '1.84', phase: 'Development', task: 'Development Task', …}
3: {key: '254f93b1-475f-4728-bc7e-e76013eaf806', name: "reference_data @ '06-09-2024 07:15'", file_size: '0.16', phase: 'Development', task: 'Development Task', …}
4: {key: '7275821a-cd96-475b-b03b-0c9fd8ac60d3', name: "ingestion_program @ '06-09-2024 07:15'", file_size: '28.86', phase: 'Final', task: 'Final Task', …}
5: {key: '77f1ba0b-5075-482f-801c-c29bbba1a3d5', name: "scoring_program @ '06-09-2024 07:15'", file_size: '19.68', phase: 'Final', task: 'Final Task', …}
6: {key: 'd9458b50-3261-4c3c-bdaa-806e1690c6e8', name: "input_data @ '06-09-2024 07:15'", file_size: '1.84', phase: 'Final', task: 'Final Task', …}
7: {key: 'b40e7890-71bb-41a6-9c0e-30bc02a33845', name: "reference_data @ '06-09-2024 07:15'", file_size: '0.17', phase: 'Final', task: 'Final Task', …}
length: 8
[[Prototype]]: Array(0)
...
Also, the secret_key
and few other properties should not be accessible to unauthorized users. I was surprised to be able to extract it using the browser console, as it is printed there. You can do this for any competition, even if you are not logged in. If an organizer decides to unpublish a competition, the users can still access it via the secret key which cancels the logic to be able to unpublish it.
Another concerning info that is leaked is the whitelist_emails.
Maybe related to:
Another concerning info that is leaked is the whitelist_emails
Indeed:
There seems to be an error with the datasets 'file_size' Key, both in develop and master branches. It triggers when uploading a bundle competition.