Make validator function less ambiguous

[nafees87n]

Current the validator checks for potentially dangerous imports by matching strings, however this could pose problems when those libraries are used non-malliciously. Alternatively if the import statement are within a string or a commented part of code then also the execution is denied which is not ideal.

Refer: https://github.com/nafees87n/codebox#code-validation Validator function: https://github.com/nafees87n/codebox/blob/main/server/lib/valid.js

[juliusjulius]

Hello, @nafees87n could you assign me this issue ?

[aaryak-shah]

Hey @juliusjulius thanks for willing to contribute! Unfortunately, this repository's issues are temporarily only open to our college's students for an event and so we can't assign it to you.

[juliusjulius]

The issue is 9 days old and there are no comments that somebody wants to solve this .. so I tought it is available.. Iam also student :D.. but ok I respect that, if this will be still available, please let me know

[kailash360]

@aaryak-shah ,can I work on this issue?

[nafees87n]

@kailash360 Yes, go ahead. Before you start the work, please brainstorm over the issue and discuss the approach here.

[kailash360]

@nafees87n , I went through the issue and it was difficult to find the list imported libraries in the code directly. I thought of this: since all the libraries are imported only at the beginning of the file we can create regex expressions to detect imports in different languages. Then we can detect if they are commented or not using the same. If it passes all these checks, then we can execute the code. Please suggest if I can make any improvement here.

[kailash360]

@nafees87n ,can you kindly suggest whether I should proceed with the way mentioned above?

[aaryak-shah]

@kailash360 the list of libraries that can/can't be used along with it's regex to detect the imports is stored in the server/constants.js file

As for the actual fix, it should be fine to add more rigorous regex checks like you are suggesting, but if you can, try and look into a different approach to validating code safety outside of what's already implemented.

[kailash360]

I tried to find some better way but couldn't find any for now. I will try to work on this. For now, can I work on #2 and unassign myself from the current issue?

[Jitulteron7]

Hi @nafees87n I am one of the participant of IIT K winter of code. I wanted to know about the language executing part. the API http:execute/${language}. how does that work can you explain me plz.

[nafees87n]

Hi @Jitulteron7, the code is validated in the server against a pre-defined list of libraries which can be found here. After that, a POST request is sent to the executor. Then in the executor, a shell command is used to execute the code

[Jitulteron7]

thanks for your answer . can you explain to me about the executor or any resource from which I can learn about this? I am interested in how the executor is able to run multiple language code

[nafees87n]

@Jitulteron7 Have a look at this file to know how the codes are executed using nodejs' exec command. Moreover, there may be other methods to do this.

[Jitulteron7]

Thank you very very much @nafees87n