feat(worker): block eval() in PHP code submissionsHEAD main

Add validation to reject PHP code containing eval() before execution. Update the problem description to inform participants about this restriction. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
author: nsfisis <nsfisis@gmail.com> 2026-03-21 17:08:17 +0900
committer: nsfisis <nsfisis@gmail.com> 2026-03-21 17:17:22 +0900
commit: bf8bd3c48d5d9420f6fde3331467c8dd41a26c6b (patch)
tree: 4f505d4011b5ca2a6b49e2f9054f6513adb90730 /worker/php/lib.mjs
parent: a4037c3bf5d66f1303ffa629f77ab7cdfd5f0eb6 (diff)
download: phperkaigi-2026-albatross-bf8bd3c48d5d9420f6fde3331467c8dd41a26c6b.tar.gz
phperkaigi-2026-albatross-bf8bd3c48d5d9420f6fde3331467c8dd41a26c6b.tar.zst
phperkaigi-2026-albatross-bf8bd3c48d5d9420f6fde3331467c8dd41a26c6b.zip
1 files changed, 11 insertions, 0 deletions
diff --git a/worker/php/lib.mjs b/worker/php/lib.mjs
index d877856..a5f10ab 100644
--- a/worker/php/lib.mjs
+++ b/worker/php/lib.mjs
@@ -9,6 +9,17 @@ const PRELUDE = `
 
 const BUFFER_MAX = 10 * 1024;
 
+const FORBIDDEN_CONSTRUCTS = [/\beval\b/i];
+
+export function validateCode(code) {
+  for (const pattern of FORBIDDEN_CONSTRUCTS) {
+    if (pattern.test(code)) {
+      return `Forbidden: eval() is not allowed`;
+    }
+  }
+  return null;
+}
+
 export function preprocessCode(originalCode) {
   if (originalCode.startsWith("<?php")) {
     return PRELUDE + originalCode.slice(5);
author	nsfisis <nsfisis@gmail.com>	2026-03-21 17:08:17 +0900
committer	nsfisis <nsfisis@gmail.com>	2026-03-21 17:17:22 +0900
commit	bf8bd3c48d5d9420f6fde3331467c8dd41a26c6b (patch)
tree	4f505d4011b5ca2a6b49e2f9054f6513adb90730 /worker/php/lib.mjs
parent	a4037c3bf5d66f1303ffa629f77ab7cdfd5f0eb6 (diff)
download	phperkaigi-2026-albatross-bf8bd3c48d5d9420f6fde3331467c8dd41a26c6b.tar.gz phperkaigi-2026-albatross-bf8bd3c48d5d9420f6fde3331467c8dd41a26c6b.tar.zst phperkaigi-2026-albatross-bf8bd3c48d5d9420f6fde3331467c8dd41a26c6b.zip