by teach 4407 days ago
This is only if you subsequently give them a link to what they uploaded, correct?

I have a site that allows uploads (students turning in Java files) but the files are just stored in a folder on the server that isn't in the web-served path. They can't see the file again once uploaded. I assume (and I think rightly) that there's no security risk in my case.

2 comments

It depends on the kind of application, but for the most part you are right. If a file is saved to a path that is not part of the "web root", then it is unlikely that any vulnerabilities will be introduced.

Just make sure it is a hardcoded path, and not one that users can manipulate in any way (a filename of "../../../../file.java" for example). And if there is some other interface that reads files from that directory and outputs them to a page, that will also need to be secured against XSS.
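
The two checks described above, as an added example that is not part of the thread or of any commenter's code. It assumes a Python upload handler, a hypothetical hardcoded directory `/srv/submissions`, and hypothetical helper names `storage_path` and `render_listing_row`:

```python
import html
import re
import secrets
from pathlib import Path

# Assumed location: hardcoded, outside the web-served path.
UPLOAD_DIR = Path("/srv/submissions")

# Allow-list for submitted names: one plain component ending in .java.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_]{1,64}\.java")


def storage_path(client_filename: str, upload_dir: Path = UPLOAD_DIR) -> Path:
    """Return where to store an upload, ignoring any client-supplied directories."""
    # Clients may send either separator; keep only the final component.
    base = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not _SAFE_NAME.fullmatch(base):
        raise ValueError("rejected filename")
    # A random server-chosen prefix stops one upload overwriting another.
    target = (upload_dir / f"{secrets.token_hex(8)}_{base}").resolve()
    # Defence in depth: the resolved path must still sit inside upload_dir.
    if upload_dir.resolve() not in target.parents:
        raise ValueError("path escapes upload directory")
    return target


def render_listing_row(stored_name: str, source_text: str) -> str:
    """Escape both the filename and the file contents before writing HTML."""
    return "<tr><td>{}</td><td><pre>{}</pre></td></tr>".format(
        html.escape(stored_name), html.escape(source_text)
    )
```
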

As long as you read the files before you execute them.

Otherwise some bad actor could write a virus / local exploit into their submission which will execute when you compile and run the file.

I never execute them. I just grade them by reading the code. Running them takes FAR longer than reading.

Are these exceedingly simple 10-line programs? Otherwise:

How do you know they compile?

How do you know they work?

How do you know they handle all the edge cases you can throw at them?

If you have a 100% accurate parser and compiler in your head, I am impressed.

Our teachers (and this was 15 years ago) had test-runners which would compile and run our programs to make sure they met the requirements of the homework THEN they looked at the code and marked it for style etc.

Sometimes they provided these test runners to us so we could check them ourselves, sometimes they didn't (this was, naturally, harder).

Obviously such a workflow, while being fairer, requires a reliable sandbox of some kind—even though one might argue that in a university such things may be of less importance and that allowing for some degree of hacking is educational and perhaps should even be tacitly encouraged, still you'd want to make sure that when students break your system they can't go Bobby Tables on it or dump everyone's private data on the black market.