
Remove all unnecessary features/files

Open MartinGauk opened this issue 6 years ago • 1 comment

Hi there,

Coderunner has a lot of additional features (autotag, delete categories, download attempts, ...) that actually should not belong to a question type. This makes it harder to review the code and leads to a larger attack surface.

Please remove all these features and files that are not vital for the question type. If you need some of the features, please create another Moodle plugin (e.g. as a quiz report) or try to get the features into Moodle core.

After a very short review I have found some problems:

  1. These additional scripts do not check the sesskey (CSRF vulnerability).
  2. deletecategorytree.php: It checks the contextid but it does not check whether the category belongs to this context. A user who is allowed to manage at least one category is able to delete any category.
  3. prototypeusageindex.php: It displays all courses in the system to everyone, even hidden courses.

Thanks.

MartinGauk avatar Mar 22 '19 15:03 MartinGauk
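The three checks asked for in the report, written out as an added example. This is not CodeRunner's code and was not posted by anyone in this thread. It relies on standard Moodle core calls (require_sesskey, context::instance_by_id, require_capability, get_courses, has_capability, format_string, question_category_delete_safe) and the id, contextid and parent columns of question_categories; the function names, the config.php path and the wording of the error are illustrative assumptions.

```php
<?php
// Added example, not CodeRunner's own code. Shows the three fixes the report
// asks for: (1) a sesskey check, (2) verifying the category belongs to the
// authorised context, (3) hiding courses the viewer may not see.
// Function names and the config.php path are assumptions.
require_once(__DIR__ . '/../../../config.php');        // assumed plugin location
require_once($CFG->libdir . '/questionlib.php');

// (1) CSRF: every link that reaches a state-changing script carries the
//     session key, and the script refuses to act without it.
function example_delete_link(context $context, stdClass $category): moodle_url {
    return new moodle_url('/question/type/coderunner/deletecategorytree.php', [
        'contextid'  => $context->id,
        'categoryid' => $category->id,
        'sesskey'    => sesskey(),
    ]);
}

// (2) Authorisation: being allowed to manage $contextid is not enough. The
//     category being deleted, and every descendant, must live in that same
//     context; otherwise a user who manages one context can delete
//     categories anywhere on the site.
function example_delete_category_tree(int $contextid, int $categoryid): int {
    global $DB;

    require_login();
    require_sesskey();                                  // aborts the request on a missing/wrong key
    $context = context::instance_by_id($contextid, MUST_EXIST);
    require_capability('moodle/question:managecategory', $context);

    $category = $DB->get_record('question_categories',
        ['id' => $categoryid], 'id, contextid, parent', MUST_EXIST);
    return example_delete_subtree($category, $context);
}

// Recursive helper: re-checks the context at every node, deletes children
// first, then the node itself. question_category_delete_safe() (Moodle core)
// moves any remaining questions out before removing the category record.
function example_delete_subtree(stdClass $category, context $context): int {
    global $DB;

    if ((int)$category->contextid !== (int)$context->id) {
        throw new moodle_exception('nopermissions', 'error', '',
            'delete a question category outside this context');
    }
    $deleted = 0;
    $children = $DB->get_records('question_categories',
        ['parent' => $category->id], '', 'id, contextid, parent');
    foreach ($children as $child) {
        $deleted += example_delete_subtree($child, $context);
    }
    question_category_delete_safe($category);
    return $deleted + 1;
}

// (3) Information disclosure: a site-wide listing must apply the same
//     visibility rule as the course index, so a hidden course is only listed
//     for users holding moodle/course:viewhiddencourses in that course.
function example_visible_courses(): array {
    $result = [];
    foreach (get_courses('all', 'c.sortorder ASC', 'c.id, c.fullname, c.visible') as $course) {
        if ($course->id == SITEID) {
            continue;
        }
        $ctx = context_course::instance($course->id);
        if (!$course->visible && !has_capability('moodle/course:viewhiddencourses', $ctx)) {
            continue;
        }
        $result[$course->id] = format_string($course->fullname, true, ['context' => $ctx]);
    }
    return $result;
}
```

To confirm a fix of this shape on an install, request the deletion script once without the sesskey parameter (expect the session-key error) and once, as a user who manages only one context, with a categoryid taken from a different context (expect a permissions error and no rows removed); for the usage index, log in as a student and check that a course set to hidden no longer appears.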

Thank you for reporting the issues you found. We will fix them.

I disagree with your claim that these should be removed. They exist because they are useful, and it is convenient (to the people who make CodeRunner, and then offer it for free to you) to have them all in one place. If you really don't want them, you can delete them in your install. Of course, they do need to be secure, and as I say, we will fix them.

timhunt avatar Mar 23 '19 06:03 timhunt

Closing as further action is unlikely.

trampgeek avatar Dec 20 '23 01:12 trampgeek