cptbox: don't allow paths that don't exist

dmoj/cptbox/filesystem_policies.py

@@ -24,25 +24,52 @@ class File:
     pass
 
 
-class ExactFile:
+class BaseFilesystemAccessRule:
     def __init__(self, path: str):
+        path = os.path.expanduser(path)
+        assert os.path.abspath(path) == path, 'FilesystemAccessRule must specify a normalized, absolute path to rule'
         self.path = path
+        self._assert_rule_type()
 
+    def _assert_rule_type(self) -> None:
+        if self.exists():
+            self._assert_dir_type(os.path.isdir(self.path))
 
-class ExactDir:
-    access_mode = AccessMode.EXACT
+    def _assert_dir_type(self, is_dir: bool) -> None:
+        raise NotImplementedError
 
-    def __init__(self, path: str):
-        self.path = path
+    def exists(self):
+        return os.path.exists(self.path)
 
+    def realpath(self):
+        return os.path.realpath(self.path)
 
-class RecursiveDir:
-    access_mode = AccessMode.RECURSIVE
+    def is_realpath(self) -> bool:
+        return self.path.startswith('/proc/self') or self.realpath() == self.path  # proc/self should not be resolved
+
+    def __repr__(self) -> str:
+        return f'<{self.__class__.__name__} {self.path}>'
+
+
+class ExactFile(BaseFilesystemAccessRule):
+    def _assert_dir_type(self, is_dir: bool) -> None:
+        assert not is_dir, f"Can't apply file rule to directory {self.path}"
 
-    def __init__(self, path: str):
-        self.path = path
 
+class DirFilesystemAccessRule(BaseFilesystemAccessRule):
+    def _assert_dir_type(self, is_dir: bool) -> None:
+        assert is_dir, f"Can't apply directory rule to non-directory {self.path}"
 
+
+class ExactDir(DirFilesystemAccessRule):
+    access_mode = AccessMode.EXACT
+
+
+class RecursiveDir(DirFilesystemAccessRule):
+    access_mode = AccessMode.RECURSIVE
+
+
+# Mainly for MyPy: only ExactFile, ExactDir and RecursiveDir are to be considered rules
 FilesystemAccessRule = Union[ExactFile, ExactDir, RecursiveDir]
 
 
@@ -53,13 +80,13 @@ def __init__(self, rules: Sequence[FilesystemAccessRule]):
             self._add_rule(rule)
 
     def _add_rule(self, rule: FilesystemAccessRule) -> None:
-        self._assert_rule_type(rule)
+        if not rule.exists():
+            return
+
         if rule.path == '/':
             return self._finalize_root_rule(rule)
 
-        path = os.path.expanduser(rule.path)
-        assert os.path.abspath(path) == path, 'FilesystemAccessRule must specify a normalized, absolute path to rule'
-        *directory_path, final_component = path.split('/')[1:]
+        *directory_path, final_component = rule.path.split('/')[1:]
 
         node = self.root
         for component in directory_path:
@@ -70,17 +97,8 @@ def _add_rule(self, rule: FilesystemAccessRule) -> None:
         self._finalize_rule(node, final_component, rule)
 
         # Add symlink targets too
-        real_path = os.path.realpath(path)
-        if real_path != path:
-            self._add_rule(type(rule)(real_path))
-
-    def _assert_rule_type(self, rule: FilesystemAccessRule) -> None:
-        if os.path.exists(rule.path):
-            is_dir = os.path.isdir(rule.path)
-            if isinstance(rule, ExactFile):
-                assert not is_dir, f"Can't apply file rule to directory {rule.path}"
-            else:
-                assert is_dir, f"Can't apply directory rule to non-directory {rule.path}"
+        if not rule.is_realpath():
+            self._add_rule(type(rule)(rule.realpath()))
 
     def _finalize_root_rule(self, rule: FilesystemAccessRule) -> None:
         assert not isinstance(rule, ExactFile), 'Root is not a file'

dmoj/executors/SWIFT.py

@@ -9,6 +9,7 @@ class Executor(CompiledExecutor):
         RecursiveDir('~/.cache'),
     ]
     compiler_write_fs = compiler_read_fs
+    compiler_required_dirs = ['~/.cache']
     test_program = 'print(readLine()!)'
 
     def get_compile_args(self):

dmoj/executors/ZIG.py

@@ -10,6 +10,7 @@ class Executor(CompiledExecutor):
         RecursiveDir('~/.cache'),
     ]
     compiler_write_fs = compiler_read_fs
+    compiler_required_dirs = ['~/.cache']
     test_program = """
 const std = @import("std");
 

dmoj/executors/compiled_executor.py

@@ -81,6 +81,9 @@ class CompiledExecutor(BaseExecutor, metaclass=_CompiledExecutorMeta):
     compiler_read_fs: Sequence[FilesystemAccessRule] = []
     compiler_write_fs: Sequence[FilesystemAccessRule] = []
 
+    # List of directories required by the compiler to be present, typically for writing to
+    compiler_required_dirs: List[str] = []
+
     def __init__(self, problem_id: str, source_code: bytes, *args, **kwargs) -> None:
         super().__init__(problem_id, source_code, **kwargs)
         self.warning = None
@@ -95,6 +98,13 @@ def create_files(self, problem_id: str, source_code: bytes, *args, **kwargs) ->
         with open(self._code, 'wb') as fo:
             fo.write(utf8bytes(source_code))
 
+        for path in self.compiler_required_dirs:
+            path = os.path.expanduser(path)
+            try:
+                os.mkdir(path, mode=0o775)
+            except FileExistsError:
+                pass
+
     def get_compile_args(self) -> List[str]:
         raise NotImplementedError()
 

dmoj/tests/test_filesystem_policy.py

@@ -43,14 +43,14 @@ def test_path_checks(self):
         self.assertRaises(AssertionError, self.check, '/usr/lib/not/./a/../normalized/path')
 
     def test_rule_type_check(self):
-        self.assertRaises(AssertionError, FilesystemPolicy, [ExactFile('/usr/lib')])
-        self.assertRaises(AssertionError, FilesystemPolicy, [ExactDir('/etc/passwd')])
-        self.assertRaises(AssertionError, FilesystemPolicy, [RecursiveDir('/etc/passwd')])
-
-    def test_build_checks(self):
-        self.assertRaises(AssertionError, FilesystemPolicy, [ExactFile('not/an/absolute/path')])
-        self.assertRaises(AssertionError, FilesystemPolicy, [ExactDir('/nota/./normalized/path')])
-        self.assertRaises(AssertionError, FilesystemPolicy, [RecursiveDir('')])
+        self.assertRaises(AssertionError, ExactFile, '/usr/lib')
+        self.assertRaises(AssertionError, ExactDir, '/etc/passwd')
+        self.assertRaises(AssertionError, RecursiveDir, '/etc/passwd')
+
+    def test_bad_path_check(self):
+        self.assertRaises(AssertionError, ExactFile, 'not/an/absolute/path')
+        self.assertRaises(AssertionError, ExactDir, '/nota/./normalized/path')
+        self.assertRaises(AssertionError, RecursiveDir, '')
 
     def check(self, path):
         self.fs.check(path)