
Add server-side filter for bogus solutions

Open sagesan opened this issue 7 years ago • 7 comments

On the back-end, it should reject every 'cheat' solution; look out for occurrences of:

  • <C-X><C-F> - http://vimgolf.com/challenges/5a33022f2de3f1021300000d
  • :e - http://vimgolf.com/challenges/5a218cccc0ed6d04af000004
  • :r

and add additional hacks down the road. I tried the solutions to see if they are accepted or not, as I do not think the back-end should accept anything that utilizes outside steps that are unaccounted for.

sagesan avatar Dec 18 '17 10:12 sagesan

Once that's implemented, you should also go over existing solutions and eliminate bogus ones.

eli-b avatar Apr 22 '18 11:04 eli-b

Here's another one: http://www.vimgolf.com/challenges/55b18bbea9c2c30d04000001

The top solution has a score of 2, which (unless some laws of the universe have been overturned) is impossible.

YodaEmbedding avatar Jun 10 '18 02:06 YodaEmbedding

@SicariusNoctis see #230

mjohnsonengr avatar Jul 25 '18 01:07 mjohnsonengr

@urticadioica @timvisher could you sanity check these? Does the proposed behavior make sense?

igrigorik avatar Jul 28 '18 17:07 igrigorik

Simply checking the solution for e.g. the string :e isn't going to work because that might be text entered in insert mode.

I have no experience with security, so maybe this isn't feasible, but you're recording the keystrokes with -W, so couldn't you check the solutions server-side with -s? Is there any way to prevent that from being a massive security hole? (-Z, running it as a user with extremely limited file-system rights, etc).

I guess there's also potential complications with needing to test in the same version of Vim that was used to create the solution, but seems like that might be easier to sort out than attempting to parse the solutions to look for suspect commands.

sedm0784 avatar Sep 13 '18 14:09 sedm0784
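A sketch of the replay idea in the comment above, added here as an example and not vimgolf's own code: the recorded key log is fed to a restricted, non-interactive Vim (-Z, -s) in an empty scratch directory, and the solution is accepted only if the buffer Vim writes back matches the challenge's expected output. The naive string filter from the opening comment is included beside it to show the insert-mode false positive. Assumed: vim 8.0 or later (for --not-a-term), a POSIX sh with mktemp and cmp, optionally coreutils timeout; the challenge files, key logs and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not vimgolf code: judge a keystroke log by replaying it in a
# restricted Vim and comparing the result with the expected output.
# Assumes vim 8.0+ (--not-a-term), POSIX sh, mktemp, cmp; uses coreutils
# `timeout` when present so a runaway replay cannot hang the verifier.

# The string filter proposed at the top of the thread, for comparison: flag a
# raw key log containing ':e ', ':e!', ':r ', ':r!' or <C-X><C-F> (the raw
# bytes 0x18 0x06 that -W records). Returns 0 (suspicious) or 1 (clean).
# It knows nothing about Vim modes, so the same bytes typed as insert-mode
# text are flagged too.
naive_cheat_check() {
  keys=$1
  ctrl_x_ctrl_f=$(printf '\030\006')
  if LC_ALL=C grep -q ':[er][ !]' "$keys" \
     || LC_ALL=C grep -qF "$ctrl_x_ctrl_f" "$keys"; then
    return 0
  fi
  return 1
}

# Run a command under a 10 s limit when `timeout` exists, unlimited otherwise.
run_limited() {
  if command -v timeout >/dev/null 2>&1; then timeout 10 "$@"; else "$@"; fi
}

# replay_solution START KEYS EXPECTED
# Copies START into a fresh scratch directory, feeds KEYS to Vim with -s and
# compares the buffer Vim writes back with EXPECTED. The log must end with a
# write-and-quit (':wq' + Enter). Returns 0 = accepted, 1 = output differs,
# 2 = Vim did not exit cleanly (no final :wq, crash, timeout).
replay_solution() {
  start=$1; keys=$2; expected=$3
  case $keys in /*) ;; *) keys=$PWD/$keys ;; esac   # Vim runs from another dir
  work=$(mktemp -d) || return 2
  cp "$start" "$work/buffer" || { rm -rf "$work"; return 2; }

  # -Z            restricted mode: :!, :shell, system() and friends refused
  # -u NONE -i NONE --noplugin   no vimrc, viminfo or plugins from the host
  # -N            'nocompatible' despite -u NONE
  # -n            no swap file
  # --not-a-term  stdin/stdout are not a tty; do not warn or wait
  # -s KEYS       take keystrokes from the log instead of the terminal
  # The empty scratch directory is what neutralises ':r file' and <C-X><C-F>:
  # there is nothing there to read or complete. -Z does NOT stop :e/:r/:w on
  # absolute paths, so a real deployment still needs OS-level file-system
  # restriction (unprivileged user, chroot or container), as the thread says.
  (
    cd "$work" || exit 2
    export TERM=dumb
    run_limited vim -Z -N -n -u NONE -i NONE --noplugin --not-a-term \
      -s "$keys" buffer </dev/null >/dev/null 2>&1
  )
  status=$?
  if [ "$status" -ne 0 ]; then
    rm -rf "$work"
    return 2
  fi
  if cmp -s "$work/buffer" "$expected"; then rc=0; else rc=1; fi
  rm -rf "$work"
  return "$rc"
}

# Constructed demo: one challenge wants the middle line deleted, another wants
# the literal text ':e ' inserted at the top (so ':e ' is legitimate there).
demo() {
  dir=$(mktemp -d) || return 2
  printf 'alpha\nbeta\ngamma\n'     > "$dir/start"
  printf 'alpha\ngamma\n'           > "$dir/end_delete"
  printf ':e alpha\nbeta\ngamma\n'  > "$dir/end_insert"
  printf 'jdd:wq\n'                 > "$dir/honest.keys"  # solves end_delete
  printf 'dd:wq\n'                  > "$dir/wrong.keys"   # deletes line 1
  printf 'i:e \033:wq\n'            > "$dir/insert.keys"  # solves end_insert
  for pair in honest:end_delete wrong:end_delete insert:end_insert; do
    k=${pair%%:*}; e=${pair#*:}
    if naive_cheat_check "$dir/$k.keys"; then n=flagged; else n=clean; fi
    if command -v vim >/dev/null 2>&1; then
      replay_solution "$dir/start" "$dir/$k.keys" "$dir/$e"
      case $? in 0) r=accepted ;; 1) r=rejected ;; *) r=replay-failed ;; esac
    else
      r=skipped-no-vim
    fi
    echo "$k vs $e: naive filter=$n, replay=$r"
  done
  rm -rf "$dir"
}

demo
```

Run as `sh replay.sh`: the honest log is clean and accepted, the wrong log is clean but rejected on output, and the insert-mode log is flagged by the string filter yet accepted by the replay, which is the false positive the comment above warns about. Pinning the Vim build the replay uses (a container image, as suggested later in the thread) removes the remaining version-skew question.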

@sedm0784 I think what you propose is possible. In another issue I suggested 'docker', since somebody on the internet has already done this: fixing the vim version and the current gem version.

But currently, this website runs on a heroku instance, and I think we are not allowed to run a separate process (eg vim). So it needs a new server with more control, and so a good background in system administration. And then a fun project like this one becomes a nightmare to maintain.

Just my two cents

Hettomei avatar Sep 13 '18 15:09 Hettomei

You could compile vim to WebAssembly and run it server-side in a sandbox, or have people use a WebAssembly vim on the website to play. The former would allow verifying solutions, and the latter would at least make it much harder to cheat (especially if you gave solutions a "show this solution" mode).

That would also allow regularizing solutions so that (for instance) careful window sizing and M doesn't get you to exactly where you need to move.

joshtriplett avatar Sep 18 '18 16:09 joshtriplett