Fix CodeTailor security vulnerabilities#1231
Merged
Merged
Conversation
aspadiyath
commented
Jun 9, 2026
aspadiyath
commented
Contributor
- Add authentication (Depends(auth_manager)) to parsons_scaffolding endpoint
- Remove exec()-based Python test runner; replace with JOBE sandbox via evaluate_fixed_code.py
- Fetch test code from DB (question_json.suffix_code) instead of accepting it from request body
- Add clean_python_testcase() to transform Runestone unittest.gui format for JOBE compatibility
- Add authentication (Depends(auth_manager)) to parsons_scaffolding endpoint - Remove exec()-based Python test runner; replace with JOBE sandbox via evaluate_fixed_code.py - Fetch test code from DB (question_json.suffix_code) instead of accepting it from request body - Add clean_python_testcase() to transform Runestone unittest.gui format for JOBE compatibility Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR addresses CodeTailor security hardening by restricting access to the Parsons scaffolding endpoint and removing server-side exec()-based Python test execution in favor of running tests inside a JOBE sandbox. It also stops accepting test code from the request body and instead loads instructor-authored test code (suffix_code) from the database, with a small normalization step for Runestone’s unittest.gui format.
Changes:
- Add authentication dependency (
Depends(auth_manager)) to the/coach/parsons_scaffoldingendpoint. - Replace Python
exec()test execution with JOBE-based execution inevaluate_fixed_code.py. - Fetch
suffix_codefromQuestion.question_json(DB) and normalize Python tests viaclean_python_testcase().
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| bases/rsptx/book_server_api/routers/personalized_parsons/evaluate_fixed_code.py | Switch Python test evaluation to JOBE and return a minimal wasSuccessful()-compatible result. |
| bases/rsptx/book_server_api/routers/coach.py | Require auth for parsons_scaffolding, fetch test code from DB, and normalize Runestone Python test format for JOBE. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Member
|
Have you tested this locally so you know it works? |
- Suppress __name__ == "__main__" guards in student code sent to JOBE - Check last stdout line for PASS/FAIL to tolerate student debug prints - Remove redundant HEAD/PUT file-store calls (sourcecode already sent inline) - Pass basecourse to fetch_question to prevent wrong result from duplicate names Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Contributor
Author
|
Yup, I've tested locally and it works! |
Member
|
Great, I'll look at it a little more and get it merged. Thanks for addressing this so quickly. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.