From bf8bd3c48d5d9420f6fde3331467c8dd41a26c6b Mon Sep 17 00:00:00 2001
From: nsfisis <nsfisis@gmail.com>
Date: Sat, 21 Mar 2026 17:08:17 +0900
Subject: feat(worker): block eval() in PHP code submissions

Add validation to reject PHP code containing eval() before execution.
Update the problem description to inform participants about this restriction.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 worker/php/lib.mjs | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'worker/php/lib.mjs')

diff --git a/worker/php/lib.mjs b/worker/php/lib.mjs
index d877856..a5f10ab 100644
--- a/worker/php/lib.mjs
+++ b/worker/php/lib.mjs
@@ -9,6 +9,17 @@ const PRELUDE = `
 
 const BUFFER_MAX = 10 * 1024;
 
+const FORBIDDEN_CONSTRUCTS = [/\beval\b/i];
+
+export function validateCode(code) {
+  for (const pattern of FORBIDDEN_CONSTRUCTS) {
+    if (pattern.test(code)) {
+      return `Forbidden: eval() is not allowed`;
+    }
+  }
+  return null;
+}
+
 export function preprocessCode(originalCode) {
   if (originalCode.startsWith("<?php")) {
     return PRELUDE + originalCode.slice(5);
-- 
cgit v1.3.1