From 8efec4c1cd674dd2dd6166dcfa4a027903b2855a Mon Sep 17 00:00:00 2001 From: Jakub Kaszycki Date: Mon, 24 Apr 2023 00:34:51 +0000 Subject: [PATCH] Fix security issue in sio.executors.encdec_common --- sio/executors/encdec_common.py | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/sio/executors/encdec_common.py b/sio/executors/encdec_common.py index c4251e0..67f9872 100644 --- a/sio/executors/encdec_common.py +++ b/sio/executors/encdec_common.py @@ -1,20 +1,16 @@ from __future__ import absolute_import import os import logging -from shutil import rmtree +from shutil import copy2, rmtree import tempfile from zipfile import ZipFile, is_zipfile from sio.executors.checker import _limit_length from sio.executors.common import _run_core from sio.workers import ft from sio.workers.executors import ExecError, PRootExecutor, UnprotectedExecutor -from sio.workers.util import decode_fields, replace_invalid_UTF, tempcwd +from sio.workers.util import decode_fields, replace_invalid_UTF, tempcwd, TemporaryCwd from sio.workers.file_runners import get_file_runner -# TODO XXX FIXME -# Hide the files like enc_in or hint from the contestants -# Would not be nice if someone just sideloaded enc_in in decoder - import six logger = logging.getLogger(__name__) @@ -214,6 +210,23 @@ def _run_checker(environ, use_sandboxes=False): return False +def _run_decoder_hide_files(environ, file_executor, exe_filename, use_sandboxes, orig_dir): + # We now have quite a lot of interes + # be nice if some decoder read them. + with TemporaryCwd() as new_dir: + # Copy the executable and input + for f in 'dec_in', exe_filename: + copy2(os.path.join(orig_dir, f), tempcwd(f)) + + renv = _run_decoder(environ, file_executor, exe_filename, use_sandboxes) + + # Copy the output + for f in 'dec_out',: + copy2(tempcwd(f), os.path.join(orig_dir, f)) + + return renv + + def run(environ, executor, use_sandboxes=True): """ Common code for executors. @@ -244,7 +257,7 @@ def run(environ, executor, use_sandboxes=True): if not _run_channel(environ, use_sandboxes): return environ - renv = _run_decoder(environ, file_executor, exe_filename, use_sandboxes) + renv = _run_decoder_hide_files(environ, file_executor, exe_filename, use_sandboxes, tempcwd()) _populate_environ(renv, environ, "decoder_") if renv["result_code"] != "OK":