illinois-cs241 / broadway-api

This is the old repo for Broadway API. Please see the new repo for the newest version of Broadway: https://github.com/illinois-cs241/broadway

Environment Variables Structure

ayushr2 opened this issue

In the new design of Broadway, we are pre-uploading the grading run configs. The issue is that we are not giving courses the flexibility of adding the environment variables on a per-run basis by pre-uploading the config. They can only change the student pipeline environment variables on a per-run basis (using the student env vars), not the pre/post-processing pipelines. So it would be best to redefine how we set environment variables as follows:

  • Global env vars - should be global. Set in config.
  • Stage-specific env vars - should be stage-specific. Set in config.
  • Run-specific env vars - before, we had student-specific env vars which were only exposed to the student pipeline on a per-run basis. Now we change that to this and expose these to all pipelines. These change from run to run and are meant for vars like net_id and due dates.

We post the Run-specific env vars along with the correct auth to kick off an AG run.

Is it possible for a student to start a run for another student by requesting a run with their run parameters? For example, if I know my friend's student ID, could I maliciously start a run for them just by requesting a run with their student ID instead of mine?

It is only possible to do that if their request is authenticated. To authenticate a request, they need the appropriate token for that course. Courses are not supposed to give out their tokens. Hence, given that the token is not compromised, it should not be possible.

Broadway is not meant to directly interact with the students. Hence, this vulnerability should not be an issue.
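
The scheme discussed in this thread, as an added example that is not part of the thread or Broadway's own code: a run request is accepted only with the course token, and the run-specific env vars are then merged into every pipeline stage. The config field names, the token store, the sample values and the precedence order (global, then stage, then run) are assumptions made for illustration.

```python
import hmac

# Constructed sample data; field names are assumptions, not Broadway's schema.
COURSE_TOKENS = {"cs241": "constructed-course-token"}
CONFIG = {
    "env": {"SEMESTER": "sp19"},  # global env vars, set in the pre-uploaded config
    "pre_processing_pipeline": [{"image": "roster", "env": {"MODE": "fetch"}}],
    "student_pipeline": [{"image": "grader", "env": {"TIMEOUT": "60"}}],
    "post_processing_pipeline": [{"image": "report", "env": {"MODE": "publish"}}],
}
PIPELINES = ("pre_processing_pipeline", "student_pipeline", "post_processing_pipeline")


def authenticated(course_id, presented_token):
    """Accept a run request only with the course's token (constant-time compare)."""
    expected = COURSE_TOKENS.get(course_id)
    if expected is None or presented_token is None:
        return False
    return hmac.compare_digest(expected.encode(), presented_token.encode())


def stage_env(config, stage, run_env):
    """Merge the three scopes; assumed precedence: global < stage < run."""
    merged = dict(config.get("env", {}))
    merged.update(stage.get("env", {}))
    merged.update(run_env)
    return merged


def start_run(course_id, token, run_env, config=CONFIG):
    """Return {pipeline: [env dict per stage]} for an authenticated request."""
    if not authenticated(course_id, token):
        raise PermissionError("invalid course token")
    if not all(isinstance(k, str) and isinstance(v, str) for k, v in run_env.items()):
        raise ValueError("run-specific env vars must be string pairs")
    return {
        name: [stage_env(config, stage, run_env) for stage in config.get(name, [])]
        for name in PIPELINES
    }
```

Because the run-specific values reach the pre- and post-processing stages as well, whoever holds the course token decides which net_id a run is graded for; the token is the only control between a requester and another student's run.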