From 23208ba905f8c8f635a83c97148747e899fc867b Mon Sep 17 00:00:00 2001
From: Arpit Jain <3242828+arpitjain099@users.noreply.github.com>
Date: Thu, 8 Aug 2024 16:08:01 +0900
Subject: [PATCH] Fix log injection error

---
 .../multistep_web_tasks/docker/flask-playwright/app.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/evals/elsuite/multistep_web_tasks/docker/flask-playwright/app.py b/evals/elsuite/multistep_web_tasks/docker/flask-playwright/app.py
index 65386c6c9b..28e18ce802 100644
--- a/evals/elsuite/multistep_web_tasks/docker/flask-playwright/app.py
+++ b/evals/elsuite/multistep_web_tasks/docker/flask-playwright/app.py
@@ -180,18 +180,20 @@ def _execute_command(json_data: dict):
     if command is None:
         raise ValueError("No command", jsonify({"status": "error", "message": "no command"}))
+    # Sanitize the command to prevent log injection
+    sanitized_command = command.replace('\r\n', '').replace('\n', '')
+
     try:
         result = eval(command)
         return result
     except Exception as e:
-        logger.info(f"Error executing command: {command}")
+        logger.info(f"Error executing command: {sanitized_command}")
         logger.error(e)
         raise ValueError(
-            f"Error executing command {command}",
-            jsonify({"status": "error", "message": f"error executing command {command}: {e}"}),
+            f"Error executing command {sanitized_command}",
+            jsonify({"status": "error", "message": f"error executing command {sanitized_command}: {e}"})
         )
-
 def _execute_commands(json_data: dict):
     results = {}
     for command in json_data["commands"]:
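Review bot: The stripping on the new `sanitized_command` line only removes `\r\n` and `\n`, so a bare `\r`, a tab, or an ANSI escape (`\x1b[...`) still reaches `logger.info` and the error message, and the unchanged `logger.error(e)` line logs the exception text — which for a `SyntaxError` can echo the offending source — with no sanitization at all; `sanitized_command = "".join(ch for ch in command if ch.isprintable())` closes the remaining control characters, and `logger.error("%s", str(e).replace("\n", " "))` covers the exception. The log-injection fix leaves `eval(command)` executing the raw request-supplied string, which is arbitrary code execution if this Flask endpoint is reachable by anything other than the trusted harness; that looks intentional for an evals container but deserves a comment on the `eval` line such as `# NOTE: eval() runs request-supplied code by design; the container is the only isolation boundary`. Separately, the removed blank line before `def _execute_commands` leaves fewer than the two blank lines PEP 8 expects between top-level definitions, and the dropped trailing comma in the `jsonify(...)` argument list is the kind of churn a formatter would undo. `_execute_command` starts before the hunk and `_execute_commands` continues past it.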