xtfc / pyboard

A simple submission system that I use for my class

Improve submission verification code #12

Closed scizzorz closed 11 years ago

scizzorz commented 11 years ago

Right now, a student can claim and "verify" they've submitted an assignment like this:

>>> import sha
>>> sha.new('jweacho1_assignment01').hexdigest()
'272ccf1002207d9f9f25ef444c7e0c353bbeb569'

I think the hash should probably be based on the files they've submitted as well as their username and assignment. That way, if the system explodes, they should be able to submit the same file again and you can verify it with the code they received.

philipdexter commented 11 years ago

I'm aware of this risk and I know the system has to be better.

Sometimes, however, students just delete the .tar.gz or .zip file they submit, causing them to have to recreate it. Sometimes they'll accidentally include some .class file the first time and not do it the second time. Or they'll put their name at the top of the file where last time it wasn't there. Lots of things can happen that would cause the sha to be different between submissions. One way to get around this would be to only hash *.java files. However, some risks still exist here (adding javadocs, for example). I can't think of a totally foolproof way to do this.

scizzorz commented 11 years ago

After more thought, even hashing the username, assignment, and submission would be easily reproducible as well... This is a tough one because any student can come here and view the source (which I'm quite a fan of), see how the hash is calculated, and generate it on their own, and then say they submitted the assignment.

philipdexter commented 11 years ago

Yeah, it's tough. Issue #1 outlines a way of using unique ids. This wouldn't prevent students from submitting a completely reworked solution, it would just prevent people from saying 'no I totally submitted, your system failed'. However, if the system failed then the id creation might have failed too. If a student gets a confirmation email though, it should be implied that the system received the submission and at least got up to a point of creating a unique id. Something to consider.

scizzorz commented 11 years ago

I can't believe I didn't think of this sooner, but we could just salt the hash but store the salt in a config variable or as part of the assignments file (a second column or something). That way, even though students know how to compute their hash, they won't be able to actually do it unless they have our salt(s).

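# serverconfig.py
verification_salt = 'top_secret_code'

# main.py
import sha
import serverconfig
# hexdigest() gives the printable code, as in the example at the top of the issue
verification_code = sha.new(serverconfig.verification_salt + name + assignment).hexdigest()
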
philipdexter commented 11 years ago

Ah yeah, that's good. Nice one
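
Added example, not part of the original thread or pyboard's own code: a Python 3 sketch of the secret-keyed verification code the thread arrives at, which also binds the submitted files as first suggested. It swaps HMAC-SHA256 in for `sha.new(salt + name + assignment)`, length-prefixes each field so concatenations cannot collide, and hashes only `*.java` files as proposed above; `VERIFICATION_KEY`, `verification_code`, `verify` and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: the secret is loaded from server-side config that is not in the
# public repository (the thread's serverconfig.verification_salt).
# Constructed sample value, for illustration only.
VERIFICATION_KEY = b"constructed-sample-key"


def _field(data: bytes) -> bytes:
    """Length-prefix a field so ('ab', 'c') and ('a', 'bc') encode differently."""
    return len(data).to_bytes(8, "big") + data


def verification_code(key, name, assignment, files, suffix=".java"):
    """Return a hex code binding student, assignment and source file contents.

    files maps file name -> bytes. Only names ending in suffix are covered, so
    a stray .class file does not change the code; names are sorted so archive
    order does not matter.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(_field(name.encode("utf-8")))
    mac.update(_field(assignment.encode("utf-8")))
    for filename in sorted(f for f in files if f.endswith(suffix)):
        mac.update(_field(filename.encode("utf-8")))
        mac.update(_field(hashlib.sha256(files[filename]).digest()))
    return mac.hexdigest()


def verify(key, name, assignment, files, claimed_code):
    """Recompute the code for a re-submitted upload and compare in constant time."""
    expected = verification_code(key, name, assignment, files)
    claimed = claimed_code.strip().lower().encode("utf-8")
    return hmac.compare_digest(expected.encode("ascii"), claimed)


if __name__ == "__main__":
    # Constructed sample submission.
    upload = {"Main.java": b"class Main {}", "Main.class": b"\xca\xfe\xba\xbe"}
    code = verification_code(VERIFICATION_KEY, "jweacho1", "assignment01", upload)
    print(code)
    print(verify(VERIFICATION_KEY, "jweacho1", "assignment01", upload, code))
```

Any edit to a covered source file, such as adding a name or javadocs, still changes the code, which is the limitation raised earlier in the thread.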