thoriqadillah / moodle-qtype_essaysimilarity

A Moodle question type plugin that compares the similarity between a student's answer and the teacher's answer key using machine learning (natural language processing), and uses that similarity to auto-grade the answer. The automatic grade can be manually overridden by the teacher.
https://thoriqadillah.github.io/cat-n-code/projects/essay-similarity/#demo
GNU General Public License v3.0

questionlanguage setting potentially provides option for directory traversal attack #9

Closed danmarsden closed 1 year ago

danmarsden commented 1 year ago

the questionlanguage setting is PARAM_TEXT and is passed into the tokenizer class: https://github.com/thoriqadillah/essaysimilarity/blob/639230baaaad7c98bebcfb74c777ae574c330ac1/question.php#L118

which is then used in a require_once call within the tokenizer class: https://github.com/thoriqadillah/essaysimilarity/blob/639230baaaad7c98bebcfb74c777ae574c330ac1/nlp/tokenizer.php#L26

I do see that the lang setting appears to only allow 4 chars in your database table, but this isn't really enough protection.

I think the param_text field should probably be a PARAM_ALPHA instead - you might also want to do a param_clean call right before passing the variable into the tokenizer class to make it clear in the code that it's safe and only contains ALPHA chars.
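
The following is an added, standalone PHP illustration of the problem described in this issue. It is not code from the essaysimilarity plugin and does not load Moodle: the helpers `clean_text_like` and `clean_alpha_like` are rough stand-ins for PARAM_TEXT- and PARAM_ALPHA-style cleaning, and `load_stopwords_unsafe`, `load_stopwords_safe`, the `lang/` directory layout and the allowlist `['en', 'id']` are assumptions made for the demo. It shows a four-character value (the length the database column permits) escaping the language directory when the cleaned value is concatenated into a `require`, and the same value being rejected once the code keeps letters only, checks an allowlist, and confirms the resolved path stays inside the expected directory.

```php
<?php
// Added, standalone illustration of the issue above; it is not code from the
// essaysimilarity plugin and does not load Moodle. The helper names
// (clean_text_like, clean_alpha_like, load_stopwords_unsafe, load_stopwords_safe)
// and the directory layout are assumptions made for the demo.
declare(strict_types=1);

// Throwaway directory tree so the example runs offline (constructed data).
$base    = sys_get_temp_dir() . '/essaysim_demo_' . getmypid();
$langdir = $base . '/lang';
mkdir($langdir, 0700, true);
file_put_contents("$langdir/en.php", "<?php return ['the', 'a', 'an'];");
// A file one level above lang/, standing in for anything the attacker can reach.
file_put_contents("$base/x.php", "<?php return 'escaped lang/ via traversal';");

// Stand-in for PARAM_TEXT-style cleaning: tags are removed, but '.' and '/' survive.
function clean_text_like(string $value): string
{
    return strip_tags($value);
}

// Stand-in for PARAM_ALPHA-style cleaning: only ASCII letters survive.
function clean_alpha_like(string $value): string
{
    return preg_replace('/[^A-Za-z]/', '', $value);
}

// Vulnerable shape: the "cleaned" language code is concatenated into a path that
// is then required. A four-character value such as "../x" already leaves lang/.
function load_stopwords_unsafe(string $langdir, string $lang)
{
    $lang = clean_text_like($lang);
    return require "$langdir/$lang.php";
}

// Hardened shape: reduce to letters, allowlist the codes actually shipped, and
// verify that the resolved path is still inside $langdir before requiring it.
function load_stopwords_safe(string $langdir, string $lang)
{
    $lang = strtolower(clean_alpha_like($lang));
    $allowed = ['en', 'id'];                       // assumed list of shipped languages
    if (!in_array($lang, $allowed, true)) {
        throw new InvalidArgumentException("unsupported language code: '$lang'");
    }
    $root = realpath($langdir);
    $path = realpath("$langdir/$lang.php");
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new RuntimeException("language file resolves outside $langdir");
    }
    return require $path;
}

$payload = '../x';   // constructed attacker value: 4 characters, like the DB column allows

print_r(load_stopwords_unsafe($langdir, 'en'));       // legitimate use: the stopword list
var_dump(load_stopwords_unsafe($langdir, $payload));  // traversal: the file above lang/ runs

print_r(load_stopwords_safe($langdir, 'en'));         // still works for a real code
try {
    load_stopwords_safe($langdir, $payload);          // "../x" collapses to "x" and is rejected
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Clean up the temporary files.
unlink("$base/x.php");
unlink("$langdir/en.php");
rmdir($langdir);
rmdir($base);
```

Inside Moodle the equivalent of `clean_alpha_like` is core's `clean_param($value, PARAM_ALPHA)`, which is what declaring the setting as PARAM_ALPHA gives you at the form and settings layer; the allowlist and the `realpath` containment check remain worthwhile regardless, because a length limit on the database column does not constrain what reaches the `require_once` if the value is ever set by another path.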

thoriqadillah commented 1 year ago

Kindly check the linked PR to see if the solution is enough to prevent the potential attack you mentioned earlier.