JOJ/JOJ3
25
6
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Wiki Activity

Need: Reduce students' right in action runner #93

New Issue
Closed
opened 2025-10-25 11:57:23 +08:00 by 梁诗睿524370910152 · 4 comments
梁诗睿524370910152 commented 2025-10-25 11:57:23 +08:00
Member
Copy Link

Thanks to Cai Yuxiang's idea, I have found that its very simple for student to bypass JOJ and do whatever they want in the runner without alarming TAs.
Basically, students only need to delete JOJ command in the yaml files and put whatever commands they want. Since the Health-check is triggered by JOJ, no Health-check will be run without JOJ command so the action ends with green tick.
Then, e.g., since joj repo is mounted under /home/tt/, students could easily use ls -Ra and cat to find the hidden cases.
Also, students has sudo permission in the runner, it's possible for students to ddos the server.

Thanks to Cai Yuxiang's idea, I have found that its very simple for student to bypass JOJ and do whatever they want in the runner without alarming TAs. Basically, students only need to delete JOJ command in the `yaml` files and put whatever commands they want. Since the `Health-check` is triggered by JOJ, no `Health-check` will be run without JOJ command so the action ends with green tick. Then, e.g., since `joj` repo is mounted under `/home/tt/`, students could easily use `ls -Ra` and `cat` to find the hidden cases. Also, students has `sudo` permission in the runner, it's possible for students to ddos the server.
梁诗睿524370910152 added the
bug
 label 2025-10-25 11:57:23 +08:00
manuel was assigned by 梁诗睿524370910152 2025-10-25 11:57:23 +08:00
张泊明518370910136 was assigned by 梁诗睿524370910152 2025-10-25 11:57:23 +08:00
张泊明518370910136 commented 2025-10-25 12:04:18 +08:00
Owner
Copy Link

You can try this and see if it works.

You can try this and see if it works.
梁诗睿524370910152 commented 2025-10-25 17:27:40 +08:00
Author
Member
Copy Link

Yes I have tried and it worked. Here is the procedures:
I modify push.yaml and run ls /home/tt/.config/joj/xxx and this action provides the output. Then I use git restore source=xxxx -- .gitea/workflows/push.yaml and push again, the action is triggered normally. TAs won't find out unless they check the details of every action.

Yes I have tried and it worked. Here is the procedures: I modify push.yaml and run `ls /home/tt/.config/joj/xxx` and [this action](https://focs.ji.sjtu.edu.cn/git/engr151/test-repo/actions/runs/613) provides the output. Then I use `git restore source=xxxx -- .gitea/workflows/push.yaml` and push again, [the action](https://focs.ji.sjtu.edu.cn/git/engr151/test-repo/actions/runs/614) is triggered normally. TAs won't find out unless they check the details of every action.
张泊明518370910136 commented 2025-10-25 23:16:18 +08:00
Owner
Copy Link

OK. Wrong setup will grant unnecessary permission to that user. Now it is enforced when push in course-joj repo is triggered.

OK. Wrong setup will grant unnecessary permission to that user. Now it is enforced when push in course-joj repo is triggered.
张泊明518370910136 commented 2025-10-26 00:54:35 +08:00
Owner
Copy Link

Now enforced in runner-images.

Now enforced in runner-images.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels   
bug

Something is not working

  
component
executor
executors in different stages

  
component
framework
software architecture

  
component
parser
parsers in different stages

  
component
UI
drone, gitea, and config interfaces

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
priority
p0

  
priority
p1

  
priority
p2

  
priority
p3

  
question

More information is needed

  
wontfix

This won't be fixed

No Label
bug
component
executor
component
framework
component
parser
component
UI
duplicate
enhancement
help wanted
invalid
priority
p0
priority
p1
priority
p2
priority
p3
question
wontfix
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
manuel
张泊明518370910136
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: JOJ/JOJ3#93
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?