| author | nsfisis <nsfisis@gmail.com> | 2026-03-21 17:08:17 +0900 |
|---|---|---|
| committer | nsfisis <nsfisis@gmail.com> | 2026-03-21 17:17:22 +0900 |
| commit | bf8bd3c48d5d9420f6fde3331467c8dd41a26c6b (patch) | |
| tree | 4f505d4011b5ca2a6b49e2f9054f6513adb90730 | |
| parent | a4037c3bf5d66f1303ffa629f77ab7cdfd5f0eb6 (diff) | |
Add validation to reject PHP code containing eval() before execution.
Update the problem description to inform participants about this restriction.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| -rw-r--r-- | frontend/app/components/Gaming/ProblemColumnContent.tsx | 8 | ||||
| -rw-r--r-- | worker/php/exec.mjs | 17 | ||||
| -rw-r--r-- | worker/php/lib.mjs | 11 |
3 files changed, 35 insertions, 1 deletions
diff --git a/frontend/app/components/Gaming/ProblemColumnContent.tsx b/frontend/app/components/Gaming/ProblemColumnContent.tsx
index bc6b43a..60d02ee 100644
--- a/frontend/app/components/Gaming/ProblemColumnContent.tsx
+++ b/frontend/app/components/Gaming/ProblemColumnContent.tsx
@@ -34,6 +34,14 @@ function PhpNotice() {
 <InlineCode code="E_ALL & ~E_WARNING & ~E_NOTICE & ~E_DEPRECATED" />{" "}
 に設定されています。
 </p>
+ <p>
+ 2026-03-21 追記:
+ <InlineCode code="eval()" /> は (多分) 使えなくなりました。
+ この判定には偽陽性があり、
+ <InlineCode code="eval()" /> のないコードも{" "}
+ <InlineCode code="eval()" /> ありと判定される場合がありますが、
+ 意図的に狙わない限り誤判定することはないと思います。
+ </p>
 </div>
 </FoldableBorderedContainerWithCaption>
 );
diff --git a/worker/php/exec.mjs b/worker/php/exec.mjs
index f1cb361..650d4df 100644
--- a/worker/php/exec.mjs
+++ b/worker/php/exec.mjs
@@ -1,7 +1,22 @@
-import { buildResult, createIOCallbacks, preprocessCode } from "./lib.mjs";
+import {
+ buildResult,
+ createIOCallbacks,
+ preprocessCode,
+ validateCode,
+} from "./lib.mjs";
 import PHPWasm from "./php-wasm.js";
 process.once("message", async ({ code: originalCode, input }) => {
+ const validationError = validateCode(originalCode);
+ if (validationError) {
+ process.send({
+ status: "runtime_error",
+ stdout: "",
+ stderr: validationError,
+ });
+ return;
+ }
+
 const code = preprocessCode(originalCode);
 const io = createIOCallbacks(input);
diff --git a/worker/php/lib.mjs b/worker/php/lib.mjs
index d877856..a5f10ab 100644
--- a/worker/php/lib.mjs
+++ b/worker/php/lib.mjs
@@ -9,6 +9,17 @@ const PRELUDE = `
 const BUFFER_MAX = 10 * 1024;
+const FORBIDDEN_CONSTRUCTS = [/\beval\b/i];
+
+export function validateCode(code) {
+ for (const pattern of FORBIDDEN_CONSTRUCTS) {
+ if (pattern.test(code)) {
+ return `Forbidden: eval() is not allowed`;
+ }
+ }
+ return null;
+}
+
 export function preprocessCode(originalCode) {
 if (originalCode.startsWith("<?php")) {
 return PRELUDE + originalCode.slice(5);
 |
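Review bot: The rejection in the `message` handler of worker/php/exec.mjs is sent with `status: "runtime_error"`, so whatever consumes the result cannot tell a rule violation from a genuine PHP failure unless it parses `stderr`. If the result protocol has no dedicated status, a comment at the send would record the choice, for example `// Rule violation; reported as runtime_error because the protocol has no separate status.` The handler continues outside the hunk, so it is not visible whether the normal path ends the child process explicitly; if it does, this early `return` presumably needs the same teardown so a rejected submission does not leave the worker waiting on its IPC channel.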
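Review bot: `validateCode` in worker/php/lib.mjs returns the fixed string `Forbidden: eval() is not allowed` for whichever entry of `FORBIDDEN_CONSTRUCTS` matches, so the message becomes wrong as soon as a second pattern is added. Storing each entry as `{ pattern: /\beval\b/i, message: "Forbidden: eval() is not allowed" }` and returning `message` keeps the two in step. The pattern is applied to raw source text, so it also fires on the word in comments, string literals and names such as `$eval` (the false positives the notice admits), and a text match of this kind enforces a contest rule rather than containing what submitted code can do. A comment above the array would make that explicit for later readers: `// Heuristic text match for contest rules only; isolation of submitted code must come from the worker runtime, not from this list.`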
