core: fix OI mode contest bug seeing the judging result when shouldn't #860

Merged
merged 2 commits into from
Aug 12, 2024


langningchen
Contributor

Contest attendees should not see the submission results in OI contest mode, but the results are leaked in the raw data.

The tsdoc object, which includes the submission results, should not be returned to the client if canViewRecord is false. The issue could make the OI mode contest unfair and become an IOI contest.


View in the webpage UI:
image

View in the raw JSON:
image

A sample hacker (copied from a decompiled extend userscript):

```js
async function PredictScore() {
    // Only act on the record detail page, once the page data is ready
    if (BasicMain.pageName() !== "record_detail") return;
    await new Promise(resolve => BasicMain.on("record_detail.prepare", () => resolve()));
    // Only for OI-rule contests where the record status is hidden from the page
    if (!UiContext.tdoc || UiContext.tdoc.rule !== "oi" || UiContext.rdoc.status) return;
    let ContestID = UiContext.tdoc._id,
        ProblemID = UiContext.pdoc.docId;
    if (!UiContext.tdoc.pids.includes(ProblemID)) return;
    // The contest problems response still carries tsdoc.journal with each record's score and status
    let ProblemList = await WebRequestClass.get(`/d/${BasicMain.getDomainId()}/contest/${ContestID}/problems`).query({ _: Date.now() }),
        Record = Object.fromEntries(ProblemList.body.tsdoc.journal.map(Problem => [Problem.rid, Problem]))[UiContext.rdoc._id];
    if (typeof Record?.score == "number") {
        $(".section.side > .section__body").append(`
            <dl class="large horizontal" id="summary">
                <dt>预估分数 <a href="javascript:;" class="exhloj-expect-score"><span class="icon icon-help"></span></a></dt>
                <dd>${Record.status === 0 ? "努力预测中" : Record.score}</dd>
            </dl>
        `);
        $(document).on("click", ".exhloj-expect-score", () => new Hydro.components.InfoDialog({
            $body: "预估分数是 Extend HLOJ 插件的 @exhloj/contest-helper 模块提供的 AI 智能分数预测功能。"
        }).open())
    }
}
```
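
The server-side rule stated in the description (no `tsdoc` in the response when `canViewRecord` is false), together with a regression check that scans a response body for judging-result fields, as an added example that is not part of the original post and is not Hydro's code. The names `tsdoc`, `journal`, `rid`, `score`, `status`, `rule`, `pids` and `canViewRecord` come from the page; the function names, the response shape and the sample data are assumptions.

```javascript
// Added example, not Hydro's code. Function names and the response shape are
// hypothetical; field names are the ones quoted in the PR conversation.

const RESULT_KEYS = new Set(['score', 'status']);

// Build the body for the contest problems page. Results are withheld on the
// server: anything placed in the JSON body is readable by the client even
// when the rendered page hides it.
function buildProblemsBody({ tdoc, tsdoc, canViewRecord }) {
  const body = { tdoc: { _id: tdoc._id, rule: tdoc.rule, pids: tdoc.pids } };
  if (canViewRecord) body.tsdoc = tsdoc;
  return body;
}

// Regression check: walk a response body and return the path of every
// judging-result field found anywhere under a `journal` key.
function findLeakedResults(node, path = '$', inJournal = false) {
  if (node === null || typeof node !== 'object') return [];
  const leaks = [];
  for (const [key, value] of Object.entries(node)) {
    const here = Array.isArray(node) ? `${path}[${key}]` : `${path}.${key}`;
    if (inJournal && RESULT_KEYS.has(key)) leaks.push(here);
    leaks.push(...findLeakedResults(value, here, inJournal || key === 'journal'));
  }
  return leaks;
}

// Constructed sample data (not taken from a real contest).
const sample = {
  tdoc: { _id: 'c1', rule: 'oi', pids: [1001] },
  tsdoc: { journal: [{ rid: 'r1', score: 70, status: 1 }] },
};

// Compare a body that always includes tsdoc with the filtered body.
function demo() {
  const leaky = { tdoc: sample.tdoc, tsdoc: sample.tsdoc };
  const fixed = buildProblemsBody({ ...sample, canViewRecord: false });
  return { before: findLeakedResults(leaky), after: findLeakedResults(fixed) };
}
```

Running `findLeakedResults` against the raw JSON of each contest endpoint, as a participant without record access, catches this class of leak even when the rendered page looks correct.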


hydro-dev-bot bot commented Aug 12, 2024

Thank you for your submission, we really appreciate it.
Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

Comment I have read the CLA Document and I hereby sign the CLA below to sign it.

@langningchen
Contributor Author

I have read the CLA Document and I hereby sign the CLA

@langningchen
Contributor Author

  • CVSS scoring: High 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • Affecting version: <=4.14.0
  • CWE: CWE-200

@pandadtdyy
Member

So can you give us a copy with @exhloj/contest-helper to help us find more bugs about it? You can send it to [email protected]

@undefined-moe undefined-moe merged commit e274330 into hydro-dev:master Aug 12, 2024
6 checks passed
@langningchen

This comment was marked as outdated.

@langningchen
Contributor Author

langningchen commented Aug 12, 2024

> So can you give us a copy with @exhloj/contest-helper to help us find more bugs about it? You can send it to [email protected]

Hi! I found that the email could not be delivered because the attachments I added (which are two JavaScript files) violate your Secure Attachment Policy. Maybe you can contact me by WeChat or other social media.

image

@pandadtdyy
Member

> > So can you give us a copy with @exhloj/contest-helper to help us find more bugs about it? You can send it to [email protected]
>
> Hi! I found that the email could not be delivered because the attachments I added (which are two JavaScript files) violate your Secure Attachment Policy. Maybe you can contact me by WeChat or other social media.
>
> image

try with [email protected]?

@langningchen
Contributor Author

> > > So can you give us a copy with @exhloj/contest-helper to help us find more bugs about it? You can send it to [email protected]
> >
> > Hi! I found that the email could not be delivered because the attachments I added (which are two JavaScript files) violate your Secure Attachment Policy. Maybe you can contact me by WeChat or other social media.
> >
> > image
>
> try with [email protected]?

It seems that the sending was successful.
