Skip to content

feat: add audit-cleanroom command to detect leaked files #32

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
yurekami wants to merge 1 commit into
base: main
Choose a base branch
from
+53 −1
Open

feat: add audit-cleanroom command to detect leaked files #32

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 53 additions & 1 deletion src/programbench/cli/main.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
import typer

from programbench.cli.blob import app as blob_app
from programbench.constants import DOCKER_CPUS
from programbench.constants import DOCKER_CPUS, DOCKER_EXECUTABLE

app = typer.Typer(
name="programbench",
Expand Down Expand Up @@ -140,3 +140,55 @@ def info(

console = Console()
console.print(BatchEvalSummary(summaries=summaries).summary())


@app.command()
def audit_cleanroom(
instance_ids: list[str] = typer.Argument(
default=None,
help="Instance IDs to audit (omit for all).",
),
image_tag: str = typer.Option("task_cleanroom", "--image-tag", help="Image tag to inspect"),
) -> None:
"""Check cleanroom images for leaked files that agents could exploit.

Detects executables or other unexpected files left in /tmp or /var/tmp
by the image build pipeline (see issue #14).

\b
Examples:
programbench audit-cleanroom
programbench audit-cleanroom bellard__quickjs.d7ae12a
"""
import subprocess

from rich.console import Console

from programbench.constants import DOCKER_RUN_TIMEOUT, image_name_from_instance_id
from programbench.utils.load_data import load_all_instances

if instance_ids:
ids = instance_ids
else:
ids = [i["instance_id"] for i in load_all_instances(include_tests=False)]

console = Console()
found = 0
for iid in sorted(ids):
image = f"{image_name_from_instance_id(iid)}:{image_tag}"
try:
r = subprocess.run(
[DOCKER_EXECUTABLE, "run", "--rm", image, "find", "/tmp", "/var/tmp", "-type", "f"],
capture_output=True, text=True, timeout=DOCKER_RUN_TIMEOUT,
)
except (subprocess.TimeoutExpired, FileNotFoundError) as e:
console.print(f"[yellow]{iid}[/]: {e}")
continue
files = r.stdout.strip()
if files:
found += 1
console.print(f"[red]{iid}[/]: leaked files in cleanroom:\n{files}")
else:
console.print(f"[green]{iid}[/]: clean")
if found:
raise typer.Exit(1)