jbclements / admiral-edu-server Goto Github PK

View Code? Open in Web Editor NEW

1.0 1.0 1.0 2.12 MB

Racket 93.39% HTML 6.59% Shell 0.02%

admiral-edu-server's People

Contributors

Stargazers

Watchers

Forkers

alexknauth

admiral-edu-server's Issues

&sort; appearing in browse header

In reviewing existing submissions, &next; appears in the header. bad.

the browse page for viewing your submission appears broken

Here's the URL:

https://www.captain-teach.org/calpoly-cpe123/su/[email protected]/next/a1-ct/

.. only the problem is in the iframe

also it has a &step in the header.

add a version number to the web pages

A github repo would probably be ideal... automating it could be nasty, though.

red dots don't appear consistently

sigh... codemirror is totally messed up here. could it be the new version (hope hope)?

test all URLs with /su/<username>/

be explicit about legal paths

state somewhere what the legal URL patterns are, and check them up front rather than allowing 'last' to fail somewhere deep within a sub-function.

get rid of success and failure everywhere

endpoint to allow viewing of error log

It would be nice, and seems like not too much of a security risk, to allow the head instructor
to take a look at the current log.

make sure there are no 'cond's without elses.

codemirror only uses half of box?

When browsing a file, it appears that only half of the given box is used by the codemirror editor.

This problem is somewhat visible on any page load because the left-hand gutter (IIUC) is only
half present. Load a file with many lines to see the problem more clearly. I'm nearly certain
this is a regression.

looks like some 404s may not be caught

... and wind up as 500s instead, viz. /foo

logging should escape the container

logs should go somewhere visible outside the container

explicitly compare html of old and new versions

Use the scraped html from the regression tests to actually compare old and new.

split out logs

The access log should not be mushed in with the error log, I think. The code for this is mostly already in place using loggers, I just need to not dump all of the loggers' output into stdout.

use type for paths

paths could be protected using TR

check for existence of table has hard-coded database name

The "is there already a database" check uses a hard-coded "captain_teach" name, meaning that if your database is named something else, CT will blow it away on startup. Bad.

when performing review, "close form" button does nothing?

It appears that the "close form" button next to an annotation line does nothing when reviewing
a text.

This is probably a regression.

description of states users can be in

trailing slash required on base url

the 404 error has a URL without a trailing slash which won't be properly redirected by the outer apache server.

signal an error on config / db mismatch

currently, if captain teach is started and there's already an existing database, but the name of the head instructor in the database is different from the one specified in the config file, I believe the config file is ignored. In fact, it might be even more broken than that.

The easy fix would be to check for this, and refuse to start up.

More generally, there should be a way to completely re-initialize the database. Since port 8080 is the only way in, though, this would have to be an externally-visible endpoint, which seems like a really bad idea. Alternatively, you could just create a shell script that does this...

eliminate uses of non-raw-bindings

These are probably all linked to scripting vulnerabilities....

three-condition testing not appearing in raco test?

chance for free test coverage bump here...

use templates for all responses

XSS possible in review feedback

itemize other bugs discovered by zap

yep, downloading broked too

to repeat: student submits text file then tries to view it.

https://www.captain-teach.org/calpoly-cpe123/su/[email protected]/next/a1-ct/

YAML parsing produces terrible error messages and contract failures

captain teach should not run as root even inside a docker container

It's absurd that captain teach runs as root inside of the docker container.

unarchiving should check for legal filenames

students could submit archive files containing illegal names, most alarmingly ".." and ".".

did we lose the logging

where's the logging in the new version? did I accidentally disable it, or is it just off for testing?

eliminate all uses of strings flowing directly into responses

These are obvious places for XSS attacks, and are completely unnecessary.

paths must be url-encoded

Related to #13 : paths must be url-encoded, because the receiving end is going to perform decoding.

sql injection bugs identified by zap

eliminate 'temporary-hacks.rkt"

doesn't have a nice sound to it, does it?

no auth is required to access /submit or /feedback paths

I can see how this arose as a refactoring bug. Yikes.

check for < in output

occurrences of < in output are probably evidence of xexpr-mangling, and should probably be considered bugs in regression-testing and zap-script-testing

result of adding users page has &result;

to repeat: upload a file containing a few users.

test case coverage!

test case coverage is awful. we need some regression tests, at least. I'm terrified that I'm breaking things.

error signaled after adding assignment, but assignment still added

In the 'author' page creating a new assignment, I created a new one with the following description

name: Flags
id: flags
description: Supplemental homework 1.
steps:
  - id: final-submission
    instructions: Submit your final code here.

After clicking "Validate and Submit", I was given an alert box indicating there was an error. However, when clicking the button again, I was given a different alert box saying the assignment already exists.

After navigating to the main page, the assignment did indeed exist and was correct.