Add site configs and harden portal handling

Signed-off-by: Yoshifumi Nakamura <nakamura@riken.jp>

Author: yoshifuminakamura

.github/workflows/gitlab-manual-ci.yml

@@ -44,19 +44,27 @@ jobs:
     name: Run GitLab CI manually
     runs-on: ubuntu-latest
     steps:
-      - name: Check out target ref
+      - name: Check out trusted workflow ref
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          ref: ${{ inputs.target_ref }}
+          path: trusted
 
       - name: Prepare GitLab repository settings
         id: gitlab-repo
-        uses: ./.github/actions/prepare-gitlab-repo
+        uses: ./trusted/.github/actions/prepare-gitlab-repo
         with:
           gitlab-repo: ${{ secrets.GITLAB_REPO }}
 
+      - name: Check out target ref
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.target_ref }}
+          path: target
+
       - name: Push target ref to GitLab test branch
+        working-directory: target
         env:
           GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}
           GITLAB_REPO_HOST_PATH: ${{ steps.gitlab-repo.outputs.host-path }}
@@ -184,6 +192,7 @@ jobs:
 
       - name: Delete GitLab test branch
         if: always()
+        working-directory: trusted
         env:
           GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}
           GITLAB_REPO_HOST_PATH: ${{ steps.gitlab-repo.outputs.host-path }}

config/queue.csv

@@ -1,4 +1,5 @@
 queue,submit_cmd,template
+SLURM_AI4SS,sbatch,"-p ${queue_group} -t ${elapse} -N ${nodes} --ntasks-per-node=${numproc_node} --cpus-per-task=${nthreads} --gpus-per-node=${numproc_node}"
 FJ,pjsub,"-L rscunit=rscunit_ft01,rscgrp=${queue_group},elapse=${elapse},node=${nodes} --mpi max-proc-per-node=${numproc_node} -x PJM_LLIO_GFSCACHE=/vol0002:/vol0003:/vol0004:/vol0005"
 PJM_GENKAI,pjsub,"-L rscgrp=${queue_group},elapse=${elapse},node=${nodes} --mpi proc=${proc}"
 SLURM_RC,sbatch,"-p ${queue_group} -t ${elapse} -N ${nodes} --ntasks-per-node=${numproc_node} --cpus-per-task=${nthreads}"
@@ -7,4 +8,8 @@ PBS_Grand_C,qsub,"-q ${queue_group} -l select=${nodes}:nsockets=${cpu_per_node},
 PBS_Grand_G,qsub,"-q ${queue_group} -l select=${nodes}:ngpus=1,walltime=${elapse} -W group_list=d30992"
 NQSV_AOBA_VE,qsub,"-Z -v http_proxy,https_proxy,HTTP_PROXY,HTTPS_PROXY -q ${queue_group} -T necmpi --venode ${proc} -l elapstim_req=${elapse}"
 NQSV_AOBA_B,qsub,"-Z -v http_proxy,https_proxy,HTTP_PROXY,HTTPS_PROXY -q ${queue_group} -T intmpi -b ${nodes} -l elapstim_req=${elapse}"
+PJM_WISTERIA_O,pjsub,"-g jh260034o -L rscgrp=${queue_group},elapse=${elapse},node=${nodes} --mpi proc=${proc} --omp thread=${nthreads}"
+PJM_WISTERIA_A,pjsub,"-g jh260034a -L rscgrp=${queue_group},elapse=${elapse},node=${nodes} --mpi proc=${proc} --omp thread=${nthreads}"
+AGE_TSUBAME4,qsub,"-l ${queue_group}=${nodes} -l h_rt=${elapse}"
+SLURM_CAMPHOR3,sbatch,"-p ${queue_group} -t ${elapse} --rsc p=${proc}:t=${nthreads}:c=${nthreads}:m=1G"
 none,none,none

config/system.csv

@@ -1,4 +1,5 @@
 system,mode,tag_build,tag_run,queue,queue_group
+AI4SS,cross,ai4ss_login,ai4ss_jacamar,SLURM_AI4SS,1n1gpu
 Fugaku,cross,fugaku_login1,fugaku_jacamar,FJ,small
 FugakuLN,native,,fugaku_login1,none,small
 FugakuCN,native,,fugaku_jacamar,FJ,small
@@ -16,4 +17,8 @@ Grand_G,cross,grand_login,grand_jacamar,PBS_Grand_G,eg
 AOBA_A,cross,aoba_ab_login,aoba_ab_jacamar,NQSV_AOBA_VE,sx
 AOBA_B,cross,aoba_ab_login,aoba_ab_jacamar,NQSV_AOBA_B,lx
 AOBA_S,cross,aoba_s_login,aoba_s_jacamar,NQSV_AOBA_VE,sxs
+Odyssey,cross,wisteria_login,wisteria-o_jacamar,PJM_WISTERIA_O,short-o
+Aquarius,cross,wisteria_login,wisteria-a_jacamar,PJM_WISTERIA_A,short-a
+TSUBAME4,cross,tsubame4_login,tsubame4_jacamar,AGE_TSUBAME4,node_f
+Camphor3,cross,camphor3_login,camphor3_jacamar,SLURM_CAMPHOR3,gr19999a
 FNCX,native,,fncx-curl-jq,none,small

config/system_info.csv

@@ -1,18 +1,23 @@
 system,name,cpu_name,cpu_per_node,cpu_cores,gpu_name,gpu_per_node,memory,display_order
-Fugaku,Fugaku,A64FX,1,48,-,-,32GB,1
-FugakuCN,FugakuCN,A64FX,1,48,-,-,32GB,2
-FugakuLN,FugakuLN,Intel(R) Xeon(R) Gold 6242 CPU @ 2.80GHz,2,16,-,-,96GB,3
-MiyabiG,MiyabiG,NVIDIA Grace CPU,1,72,NVIDIA Hopper H100 GPU,1,120GB,4
-MiyabiC,MiyabiC,Intel Xeon Max 9480,2,56,-,-,128GB,5
-RC_GH200,RC_GH200,NVIDIA Grace CPU,1,72,NVIDIA Hopper H100 GPU,1,120GB,6
-RC_DGXSP,RC_DGXSP,ARM Cortex-X925 / Cortex-A725,1,20,NVIDIA GB10,1,128GB,7
-RC_GENOA,RC_GENOA,AMD EPYC 9684X,2,96,-,-,768GB,8
-RC_FX700,RC_FX700,A64FX,1,48,-,-,32GB,9
-GenkaiA,GenkaiA,Intel Xeon Platinum 8490H (Sapphire Rapids),2,60,-,-,512GiB,10
-GenkaiB,GenkaiB,Intel Xeon Platinum 8490H (Sapphire Rapids),2,60,NVIDIA H100 (Hopper),4,1024GiB,11
-GenkaiC,GenkaiC,Intel Xeon Platinum 8480+ (Sapphire Rapids),2,56,NVIDIA H100 (Hopper),8,8TiB,12
-Grand_C,Grand_C,Intel Xeon Gold 6548Y+ (Emerald Rapids),2,32,-,-,512GiB,13
-Grand_G,Grand_G,Intel Xeon Gold 6548Y+ (Emerald Rapids),2,32,NVIDIA H100 (Hopper),4,512GiB,14
-AOBA_A,AOBA_A,SX-Aurora TSUBASA VH,1,24,NEC SX-Aurora TSUBASA Type 20B VE,8,640GB,15
-AOBA_B,AOBA_B,AMD EPYC 7702,2,64,-,-,256GB,16
-AOBA_S,AOBA_S,SX-Aurora TSUBASA VH,1,64,NEC SX-Aurora TSUBASA Type 30A VE,8,256GB + 768GB,17
+AI4SS,RIKEN AI4S Supercomputer,NVIDIA Grace CPU,2,72,NVIDIA B200,4,960GiB + 692.8GiB,1
+Fugaku,Fugaku,A64FX,1,48,-,-,32GB,2
+FugakuCN,FugakuCN,A64FX,1,48,-,-,32GB,3
+FugakuLN,FugakuLN,Intel(R) Xeon(R) Gold 6242 CPU @ 2.80GHz,2,16,-,-,96GB,4
+MiyabiG,MiyabiG,NVIDIA Grace CPU,1,72,NVIDIA Hopper H100 GPU,1,120GB,5
+MiyabiC,MiyabiC,Intel Xeon Max 9480,2,56,-,-,128GB,6
+RC_GH200,RC_GH200,NVIDIA Grace CPU,1,72,NVIDIA Hopper H100 GPU,1,120GB,7
+RC_DGXSP,RC_DGXSP,ARM Cortex-X925 / Cortex-A725,1,20,NVIDIA GB10,1,128GB,8
+RC_GENOA,RC_GENOA,AMD EPYC 9684X,2,96,-,-,768GB,9
+RC_FX700,RC_FX700,A64FX,1,48,-,-,32GB,10
+GenkaiA,GenkaiA,Intel Xeon Platinum 8490H (Sapphire Rapids),2,60,-,-,512GiB,11
+GenkaiB,GenkaiB,Intel Xeon Platinum 8490H (Sapphire Rapids),2,60,NVIDIA H100 (Hopper),4,1024GiB,12
+GenkaiC,GenkaiC,Intel Xeon Platinum 8480+ (Sapphire Rapids),2,56,NVIDIA H100 (Hopper),8,8TiB,13
+Grand_C,Grand_C,Intel Xeon Gold 6548Y+ (Emerald Rapids),2,32,-,-,512GiB,14
+Grand_G,Grand_G,Intel Xeon Gold 6548Y+ (Emerald Rapids),2,32,NVIDIA H100 (Hopper),4,512GiB,15
+AOBA_A,AOBA_A,SX-Aurora TSUBASA VH,1,24,NEC SX-Aurora TSUBASA Type 20B VE,8,640GB,16
+AOBA_B,AOBA_B,AMD EPYC 7702,2,64,-,-,256GB,17
+AOBA_S,AOBA_S,SX-Aurora TSUBASA VH,1,64,NEC SX-Aurora TSUBASA Type 30A VE,8,256GB + 768GB,18
+Odyssey,Odyssey,A64FX,1,48,-,-,32GiB,19
+Aquarius,Aquarius,Intel Xeon Platinum 8360Y,2,36,NVIDIA A100,8,512GiB,20
+TSUBAME4,TSUBAME4.0,AMD EPYC 9654,2,96,NVIDIA H100 SXM5 94GB HBM2e,4,768GiB,21
+Camphor3,Camphor3,Intel Xeon CPU Max 9480,2,56,-,-,128GiB,22

programs/qws/build.sh

@@ -36,6 +36,10 @@ case "$system" in
 	echo "Dummy build for FNCX Docker runner test"
 	echo aaaa > main
 	;;
+    AI4SS)
+	module load nvhpc-hpcx/26.3
+	make -j 8 fugaku_benchmark= omp=1 compiler=openmpi-gnu arch=skylake rdma= mpi=1 powerapi= CC=mpicc CXX=mpic++
+	;;
     RC_GH200)
 	module load system/qc-gh200 nvhpc-hpcx/25.9
 	### QWSはNeoverse版やGPU版はないので汎用版としてとりあえずarch=skylakeを指定している
@@ -75,6 +79,20 @@ case "$system" in
     AOBA_B)
 	make -j 8 fugaku_benchmark= omp=1 compiler=openmpi-gnu arch=skylake rdma= mpi=1 powerapi= CC=mpicc CXX=mpic++
 	;;
+    Odyssey)
+	module load odyssey
+	make -j 8 fugaku_benchmark= omp=1 compiler=fujitsu_cross rdma= mpi=1 powerapi= SYSLIBS=
+	;;
+    Aquarius)
+	module load nvidia/25.9 nvmpi/25.9
+	make -j 8 fugaku_benchmark= omp=1 compiler=openmpi-gnu arch=skylake rdma= mpi=1 powerapi= CC=mpicc CXX=mpic++
+	;;
+    TSUBAME4)
+	make -j 8 fugaku_benchmark= omp=1 compiler=openmpi-gnu arch=skylake rdma= mpi=1 powerapi= CC=mpicc CXX=mpic++
+	;;
+    Camphor3)
+	make -j 8 fugaku_benchmark= omp=1 compiler=intel arch=skylake rdma= mpi=1 powerapi=
+	;;
     *)
 	echo "Unknown system: $system"
 	exit 1

programs/qws/list.csv

@@ -1,4 +1,5 @@
 system,enable,nodes,numproc_node,nthreads,elapse
+AI4SS,yes,1,1,72,0:10:00
 Fugaku,yes,1,4,12,0:10:00
 FugakuLN,yes,1,1,1,0:10:00
 FugakuCN,no,1,4,12,0:10:00
@@ -17,4 +18,8 @@ Grand_G,yes,1,1,64,0:10:00
 AOBA_A,yes,1,1,8,0:10:00
 AOBA_S,yes,1,1,8,0:10:00
 AOBA_B,yes,1,1,128,0:10:00
+Odyssey,yes,1,1,48,0:10:00
+Aquarius,yes,1,1,72,0:10:00
+TSUBAME4,yes,1,1,192,0:10:00
+Camphor3,yes,1,1,112,0:10:00
 FNCX,yes,1,1,1,0:10:00

programs/qws/run.sh

@@ -84,6 +84,12 @@ case "$system" in
         echo 'dummy call for FNCX Docker runner test'
         bk_emit_result --fom 99.99 --fom-version dummy --exp FNCXTest --nodes "$nodes" --numproc-node "$numproc_node" --nthreads "$nthreads" >> ../results/result
         ;;
+    AI4SS)
+        qws_numproc=$((nodes * numproc_node))
+        module load nvhpc-hpcx/26.3
+        mpirun -n ${qws_numproc} --bind-to core --map-by ppr:1:node:PE=72 ./main 32 6 4 3 1 1 1 1 -1 -1 6 50 > CASE0
+        print_results CASE0 CASE0 ${numproc_node} >> ../results/result
+        ;;
     RC_GH200)
         module load system/qc-gh200 nvhpc-hpcx/25.9
         mpirun -n 1 --bind-to core --map-by ppr:1:node:PE=72 ./main 32 6 4 3 1 1 1 1 -1 -1 6 50 > CASE0
@@ -141,6 +147,22 @@ case "$system" in
         mpirun -np ${qws_numproc} ./main 32 6 4 3 1 1 1 1 -1 -1 6 50 > CASE0
         print_results CASE0 CASE0 ${numproc_node} >> ../results/result
         ;;
+    Odyssey)
+        module load odyssey fj fjmpi
+        mpiexec -n 1 ./main 32 6 4 3 1 1 1 1 -1 -1 6 50 > CASE0
+        print_results output.${PJM_JOBID}/0/1/stdout.1.0 CASE0 1 >> ../results/result
+        ;;
+    Aquarius)
+        qws_numproc=$((nodes * numproc_node))
+        module load nvidia/25.9 nvmpi/25.9
+        mpirun -n ${qws_numproc} ./main 32 6 4 3 1 1 1 1 -1 -1 6 50 > CASE0
+        print_results CASE0 CASE0 ${numproc_node} >> ../results/result
+        ;;
+    TSUBAME4|Camphor3)
+        qws_numproc=$((nodes * numproc_node))
+        mpirun -n ${qws_numproc} ./main 32 6 4 3 1 1 1 1 -1 -1 6 50 > CASE0
+        print_results CASE0 CASE0 ${numproc_node} >> ../results/result
+        ;;
     *)
         echo "Unknown Running system: $system"
         exit 1

result_server/routes/api.py

@@ -7,8 +7,8 @@
 import uuid
 import shutil
 import io
-import sys
 import tarfile
+import tempfile
 from datetime import datetime
 
 from utils.auth import verify_ingest_key
@@ -145,25 +145,61 @@ def _find_result_file_by_uuid(received_dir, uuid_value):
 
 
 def _safe_extract_tar_bytes(file_storage, target_dir):
-    """Extract uploaded tar bytes with path and member-type checks.
-
-    The explicit path normalization catches traversal attempts before writing
-    anything, and Python 3.12's data filter rejects non-regular archive entries
-    such as unsafe links or device files.
-    """
-    if sys.version_info < (3, 12):
-        raise RuntimeError("Python 3.12 or later is required for safe tar extraction.")
-
+    """Extract uploaded tar bytes with path and member-type checks."""
     os.makedirs(target_dir, exist_ok=True)
     with tarfile.open(fileobj=file_storage.stream, mode="r:*") as tar:
         for member in tar.getmembers():
             normalized = os.path.normpath(member.name)
-            if os.path.isabs(normalized) or normalized.startswith(".."):
+            drive, _ = os.path.splitdrive(normalized)
+            if (
+                drive
+                or os.path.isabs(normalized)
+                or normalized == ".."
+                or normalized.startswith(f"..{os.sep}")
+                or normalized.startswith("../")
+                or normalized.startswith("..\\")
+            ):
                 abort(400, description="Unsafe archive entry")
-        try:
-            tar.extractall(target_dir, filter="data")
-        except tarfile.FilterError:
-            abort(400, description="Unsafe archive entry")
+            if member.issym() or member.islnk() or member.isdev():
+                abort(400, description="Unsafe archive entry")
+            if not (member.isfile() or member.isdir()):
+                abort(400, description="Unsafe archive entry")
+
+            destination = os.path.abspath(os.path.join(target_dir, normalized))
+            abs_target_dir = os.path.abspath(target_dir)
+            try:
+                if os.path.commonpath([abs_target_dir, destination]) != abs_target_dir:
+                    abort(400, description="Unsafe archive entry")
+            except ValueError:
+                abort(400, description="Unsafe archive entry")
+
+            if member.isdir():
+                os.makedirs(destination, exist_ok=True)
+                continue
+
+            os.makedirs(os.path.dirname(destination), exist_ok=True)
+            source = tar.extractfile(member)
+            if source is None:
+                abort(400, description="Unsafe archive entry")
+            with source, open(destination, "wb") as output:
+                shutil.copyfileobj(source, output)
+
+
+def _replace_directory_after_success(source_dir, target_dir):
+    """Replace target_dir only after source_dir is fully prepared."""
+    if not os.path.isdir(target_dir):
+        os.rename(source_dir, target_dir)
+        return False
+
+    backup_dir = f"{target_dir}.bak.{uuid.uuid4().hex}"
+    os.rename(target_dir, backup_dir)
+    try:
+        os.rename(source_dir, target_dir)
+    except Exception:
+        os.rename(backup_dir, target_dir)
+        raise
+    shutil.rmtree(backup_dir)
+    return True
 
 
 # ==========================================
@@ -264,13 +300,16 @@ def ingest_estimation_inputs():
 
     result_stem = os.path.splitext(result_filename)[0]
     inputs_root = current_app.config["RECEIVED_ESTIMATION_INPUTS_DIR"]
+    os.makedirs(inputs_root, exist_ok=True)
     target_dir = os.path.join(inputs_root, result_stem)
-    replaced = os.path.isdir(target_dir)
-    if replaced:
-        shutil.rmtree(target_dir)
-    os.makedirs(target_dir, exist_ok=True)
-
-    _safe_extract_tar_bytes(uploaded_file, target_dir)
+    temp_dir = tempfile.mkdtemp(prefix=f".{result_stem}.", dir=inputs_root)
+    try:
+        _safe_extract_tar_bytes(uploaded_file, temp_dir)
+        replaced = _replace_directory_after_success(temp_dir, target_dir)
+    except Exception:
+        if os.path.isdir(temp_dir):
+            shutil.rmtree(temp_dir)
+        raise
 
     print(f"Saved estimation inputs: {target_dir}", flush=True)
     return {

result_server/tests/test_api_routes.py

@@ -412,6 +412,34 @@ def test_ingest_estimation_inputs_rejects_parent_path_entry(self, client, tmp_di
         )
         assert resp.status_code == 400
 
+    def test_ingest_estimation_inputs_keeps_existing_data_on_bad_archive(self, client, tmp_dirs):
+        received = tmp_dirs[0]
+        estimation_inputs_dir = tmp_dirs[2]
+        uuid_value = "12345678-1234-1234-1234-123456789abc"
+        result_stem = self._seed_result(received, uuid_value)
+        target_dir = os.path.join(estimation_inputs_dir, result_stem)
+        os.makedirs(target_dir, exist_ok=True)
+        existing_path = os.path.join(target_dir, "existing.json")
+        with open(existing_path, "w", encoding="utf-8") as f:
+            json.dump({"keep": True}, f)
+
+        archive_bytes = io.BytesIO()
+        with tarfile.open(fileobj=archive_bytes, mode="w:gz") as tar:
+            payload = b"bad"
+            info = tarfile.TarInfo(name="../outside.txt")
+            info.size = len(payload)
+            tar.addfile(info, io.BytesIO(payload))
+        archive_bytes.seek(0)
+
+        resp = client.post(
+            "/api/ingest/estimation-inputs",
+            data={"id": uuid_value, "file": (archive_bytes, "estimation_inputs.tgz")},
+            headers={"X-API-Key": API_KEY},
+            content_type="multipart/form-data",
+        )
+        assert resp.status_code == 400
+        assert os.path.exists(existing_path)
+
     def test_ingest_estimation_inputs_rejects_absolute_path_entry(self, client, tmp_dirs):
         received = tmp_dirs[0]
         uuid_value = "12345678-1234-1234-1234-123456789abc"
@@ -497,4 +525,3 @@ def test_query_estimation_inputs_returns_archive(self, client, tmp_dirs):
             names = tar.getnames()
         assert "compute_solver_papi.tgz" in names
 
-

result_server/tests/test_pagination.py

@@ -458,6 +458,16 @@ def test_compare_route_still_works(self, flask_app, tmp_dir):
             resp = client.get(f"/results/compare?files={f1},{f2}")
             assert resp.status_code == 200
 
+    def test_compare_route_rejects_unsafe_filename(self, flask_app, tmp_dir):
+        """Compare should not accept path-like filenames from query parameters."""
+        uid = str(uuid.uuid4())
+        f1 = f"result_20250101_000000_{uid}.json"
+        _write_json(tmp_dir, f1, {"code": "a", "system": "s", "FOM": 1.0})
+
+        with flask_app.test_client() as client:
+            resp = client.get(f"/results/compare?files={f1},../outside.json")
+            assert resp.status_code == 404
+
     def test_no_filter_reads_only_page_files(self, flask_app, tmp_dir):
         """Test case."""
         _make_result_files(tmp_dir, 150)