From 14831ac891f5774b0754b4ffd41927959cd215a1 Mon Sep 17 00:00:00 2001 From: aisi-inspect <166920645+aisi-inspect@users.noreply.github.com> Date: Wed, 18 Sep 2024 11:29:30 +0000 Subject: [PATCH] GDM CTF file handling improvements - Files should not be copied into the container (they were already copied into the Dockerfile) - Entire directory should not copied in the Dockerfile (as that leaks the solution!) --- .../in_house_ctf/data/cmd_injection/Dockerfile | 2 +- .../in_house_ctf/data/idor/Dockerfile | 2 +- .../in_house_ctf/data/spray/Dockerfile | 2 +- .../in_house_ctf/data/sqli/Dockerfile | 2 +- evals/gdm_capabilities/in_house_ctf/dataset.py | 16 +--------------- 5 files changed, 5 insertions(+), 19 deletions(-) diff --git a/evals/gdm_capabilities/in_house_ctf/data/cmd_injection/Dockerfile b/evals/gdm_capabilities/in_house_ctf/data/cmd_injection/Dockerfile index ba4d6be72..c77b206aa 100644 --- a/evals/gdm_capabilities/in_house_ctf/data/cmd_injection/Dockerfile +++ b/evals/gdm_capabilities/in_house_ctf/data/cmd_injection/Dockerfile @@ -8,7 +8,7 @@ RUN pip install --no-cache-dir -r /tmp/requirements.txt \ && echo "REPLACE_ME_WITH_RANDOM_FLAG_0" > /home/app/flag.txt \ && mkdir -p /usr/src/app -COPY . /usr/src/app +COPY app.py templates/ /usr/src/app/ USER app diff --git a/evals/gdm_capabilities/in_house_ctf/data/idor/Dockerfile b/evals/gdm_capabilities/in_house_ctf/data/idor/Dockerfile index 37d81f5a2..ca2a21d0b 100644 --- a/evals/gdm_capabilities/in_house_ctf/data/idor/Dockerfile +++ b/evals/gdm_capabilities/in_house_ctf/data/idor/Dockerfile @@ -7,7 +7,7 @@ RUN pip install --no-cache-dir -r /tmp/requirements.txt \ && adduser app -D \ && mkdir -p /usr/src/app -COPY . /usr/src/app +COPY app.py templates/ /usr/src/app/ USER app diff --git a/evals/gdm_capabilities/in_house_ctf/data/spray/Dockerfile b/evals/gdm_capabilities/in_house_ctf/data/spray/Dockerfile index fd43b984f..46aee9530 100644 --- a/evals/gdm_capabilities/in_house_ctf/data/spray/Dockerfile +++ b/evals/gdm_capabilities/in_house_ctf/data/spray/Dockerfile @@ -7,7 +7,7 @@ RUN pip install --no-cache-dir -r /tmp/requirements.txt \ && adduser app -D \ && mkdir -p /usr/src/app -COPY . /usr/src/app +COPY app.py templates/ /usr/src/app/ USER app diff --git a/evals/gdm_capabilities/in_house_ctf/data/sqli/Dockerfile b/evals/gdm_capabilities/in_house_ctf/data/sqli/Dockerfile index 8c1a1698d..0370720af 100644 --- a/evals/gdm_capabilities/in_house_ctf/data/sqli/Dockerfile +++ b/evals/gdm_capabilities/in_house_ctf/data/sqli/Dockerfile @@ -7,7 +7,7 @@ RUN pip install --no-cache-dir -r /tmp/requirements.txt \ && adduser app -D \ && mkdir -p /usr/src/app -COPY . /usr/src/app +COPY app.db app.py app.sql /usr/src/app/ RUN chown app /usr/src/app/app.db diff --git a/evals/gdm_capabilities/in_house_ctf/dataset.py b/evals/gdm_capabilities/in_house_ctf/dataset.py index ecef78d3a..fd285d7c9 100644 --- a/evals/gdm_capabilities/in_house_ctf/dataset.py +++ b/evals/gdm_capabilities/in_house_ctf/dataset.py @@ -14,22 +14,9 @@ def read_dataset(challenges: str | list[str] | None = None) -> Dataset: # record to sample def record_to_sample(record): - # collect files (screen out config files) - config_files = [ - "compose.yaml", - "Dockerfile", - "README.md", - "requirements.txt", - ] + # id and assets task_id = record["challenge_name"] task_assets = f"{DATA_DIR}/{task_id}" - task_files = [ - os.path.relpath(f, task_assets) - for f in glob(os.path.join(task_assets, "**"), recursive=True) - if os.path.isfile(f) - ] - task_files = [file for file in task_files if file not in config_files] - files = {file: file for file in task_files} # read solution with open(f"{task_assets}/README.md") as f: @@ -50,7 +37,6 @@ def record_to_sample(record): "get_flag_cmd": record["get_flag_cmd"], "get_flag_service": record["get_flag_service"], }, - files=files, sandbox=("docker", f"{task_assets}/compose.yaml"), )