| author | nsfisis <nsfisis@gmail.com> | 2026-03-21 17:08:17 +0900 |
|---|---|---|
| committer | nsfisis <nsfisis@gmail.com> | 2026-03-21 17:17:22 +0900 |
| commit | bf8bd3c48d5d9420f6fde3331467c8dd41a26c6b (patch) | |
| tree | 4f505d4011b5ca2a6b49e2f9054f6513adb90730 /worker/php | |
| parent | a4037c3bf5d66f1303ffa629f77ab7cdfd5f0eb6 (diff) | |
Add validation to reject PHP code containing eval() before execution.
Update the problem description to inform participants about this restriction.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Diffstat (limited to 'worker/php')
| -rw-r--r-- | worker/php/exec.mjs | 17 | ||||
| -rw-r--r-- | worker/php/lib.mjs | 11 |
2 files changed, 27 insertions, 1 deletions
diff --git a/worker/php/exec.mjs b/worker/php/exec.mjs
index f1cb361..650d4df 100644
--- a/worker/php/exec.mjs
+++ b/worker/php/exec.mjs
@@ -1,7 +1,22 @@
-import { buildResult, createIOCallbacks, preprocessCode } from "./lib.mjs";
+import {
+ buildResult,
+ createIOCallbacks,
+ preprocessCode,
+ validateCode,
+} from "./lib.mjs";
 import PHPWasm from "./php-wasm.js";
 process.once("message", async ({ code: originalCode, input }) => {
+ const validationError = validateCode(originalCode);
+ if (validationError) {
+ process.send({
+ status: "runtime_error",
+ stdout: "",
+ stderr: validationError,
+ });
+ return;
+ }
+
 const code = preprocessCode(originalCode);
 const io = createIOCallbacks(input);
diff --git a/worker/php/lib.mjs b/worker/php/lib.mjs
index d877856..a5f10ab 100644
--- a/worker/php/lib.mjs
+++ b/worker/php/lib.mjs
@@ -9,6 +9,17 @@ const PRELUDE = `
 const BUFFER_MAX = 10 * 1024;
+const FORBIDDEN_CONSTRUCTS = [/\beval\b/i];
+
+export function validateCode(code) {
+ for (const pattern of FORBIDDEN_CONSTRUCTS) {
+ if (pattern.test(code)) {
+ return `Forbidden: eval() is not allowed`;
+ }
+ }
+ return null;
+}
+
 export function preprocessCode(originalCode) {
 if (originalCode.startsWith("<?php")) {
 return PRELUDE + originalCode.slice(5); |
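Review bot: The rejection branch in the `process.once("message", …)` handler reports a policy violation as `status: "runtime_error"`, which makes a blocked submission indistinguishable from a genuine PHP failure for anyone reading results or logs. If the result schema (not visible here) permits it, a dedicated status or a structured field next to `stderr` would let operators count and audit rejections. The branch also returns right after `process.send` without whatever teardown the normal path performs; the rest of the handler is outside the hunk, so it is worth confirming that the worker exits the same way on both paths. A one-line comment above the check, such as `// Reject forbidden constructs before the code reaches the PHP runtime`, would record why validation runs on `originalCode` rather than on the preprocessed code.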
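Review bot: `validateCode` returns the hard-coded eval message for whichever entry of `FORBIDDEN_CONSTRUCTS` matches, so the list and the message drift apart as soon as a second pattern is added; keep the message next to its pattern, e.g. `{ pattern: /\beval\b/i, message: "Forbidden: eval() is not allowed" }`, and return `message` from the loop. `/\beval\b/i` matches the bare word anywhere in the submission, so it also rejects code that only mentions eval in a comment, string or identifier, and a source-text match cannot see code that is assembled at run time. If the restriction is meant as a security boundary rather than a contest rule, it should not rest on this check alone and needs enforcement at the runtime or sandbox level as well. A comment on the array such as `// Patterns must not carry the g or y flag: test() on a shared regex is stateful` would protect the next edit.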
