From aed98a59061c0791a8b4f5e53f1be3ee3a7ce600 Mon Sep 17 00:00:00 2001
From: liqiang-fit2cloud
Date: Wed, 5 Nov 2025 18:44:57 +0800
Subject: [PATCH] feat: add MAXKB_SANDBOX_PYTHON_BANNED_HOSTS env to ban host for sandbox in tools code.
---
 apps/common/utils/tool_code.py | 7 ++++++-
 installer/Dockerfile | 2 +-
 installer/sandbox.c | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/apps/common/utils/tool_code.py b/apps/common/utils/tool_code.py
index a33f6becb..1c922e27b 100644
--- a/apps/common/utils/tool_code.py
+++ b/apps/common/utils/tool_code.py
@@ -28,6 +28,7 @@ class ToolExecutor:
 if self.sandbox:
 os.system(f"chown -R {self.user}:root {self.sandbox_path}")
 self.banned_keywords = CONFIG.get("SANDBOX_PYTHON_BANNED_KEYWORDS", 'nothing_is_banned').split(',');
+ self.banned_hosts = CONFIG.get("SANDBOX_PYTHON_BANNED_HOSTS", 'no_host_is_banned');
 def _createdir(self):
 old_mask = os.umask(0o077)
@@ -53,6 +54,8 @@ try:
 path_to_exclude = ['/opt/py3/lib/python3.11/site-packages', '/opt/maxkb-app/apps']
 sys.path = [p for p in sys.path if p not in path_to_exclude]
 sys.path += {python_paths}
+ os.environ['LD_PRELOAD'] = '/opt/maxkb-app/sandbox/sandbox.so'
+ os.environ['SANDBOX_BANNED_HOSTS'] = {self.banned_hosts}
 locals_v={'{}'}
 keywords={keywords}
 globals_v=globals()
@@ -159,6 +162,8 @@ logging.getLogger("mcp.server").setLevel(logging.ERROR)
 path_to_exclude = ['/opt/py3/lib/python3.11/site-packages', '/opt/maxkb-app/apps']
 sys.path = [p for p in sys.path if p not in path_to_exclude]
 sys.path += {python_paths}
+os.environ['LD_PRELOAD'] = '/opt/maxkb-app/sandbox/sandbox.so'
+os.environ['SANDBOX_BANNED_HOSTS'] = {self.banned_hosts}
 exec({dedent(code)!a})
 """
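Review bot: In the `@@ -53,6 +54,8 @@` hunk, `os.environ['SANDBOX_BANNED_HOSTS'] = {self.banned_hosts}` interpolates the configured string into the generated script without quoting, so the default renders as `= no_host_is_banned` (a bare name, which would raise NameError when the script runs) and any other value is parsed as Python source rather than as a string. The same line appears in the `@@ -159,6 +162,8 @@` hunk. Emit it as a literal, the way the template already does for the tool code: `os.environ['SANDBOX_BANNED_HOSTS'] = {self.banned_hosts!a}`. The surrounding template string starts and ends outside both hunks, so this assumes it is an f-string, as the neighbouring `{python_paths}` and `{dedent(code)!a}` placeholders suggest.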
@@ -197,7 +202,7 @@ exec({dedent(code)!a})
 file.write(_code)
 os.system(f"chown {self.user}:root {exec_python_file}")
 kwargs = {'cwd': BASE_DIR}
- kwargs['env'] = {'LD_PRELOAD': '/opt/maxkb-app/apps/sandbox.so'}
+ kwargs['env'] = {}
 subprocess_result = subprocess.run(
 ['su', '-s', python_directory, '-c', "exec(open('" + exec_python_file + "').read())", self.user],
 text=True,
diff --git a/installer/Dockerfile b/installer/Dockerfile
index 33c35ac10..6caa63669 100644
--- a/installer/Dockerfile
+++ b/installer/Dockerfile
@@ -13,7 +13,7 @@ RUN apt-get update && \
 apt-get clean all && \
 rm -rf /var/lib/apt/lists/*
 WORKDIR /opt/maxkb-app
-RUN gcc -shared -fPIC -o /opt/maxkb-app/apps/sandbox.so /opt/maxkb-app/installer/sandbox.c -ldl && \
+RUN gcc -shared -fPIC -o /opt/maxkb-app/sandbox/sandbox.so /opt/maxkb-app/installer/sandbox.c -ldl && \
 rm -rf /opt/maxkb-app/ui && \
 pip install uv --break-system-packages && \
 python -m uv pip install -r pyproject.toml && \
diff --git a/installer/sandbox.c b/installer/sandbox.c
index 13bd4632e..1ba4e6b3c 100644
--- a/installer/sandbox.c
+++ b/installer/sandbox.c
@@ -8,7 +8,7 @@
 #include
 #include
-static const char *ENV_NAME = "MAXKB_SANDBOX_PYTHON_BANNED_HOSTS";
+static const char *ENV_NAME = "SANDBOX_BANNED_HOSTS";
 static int match_env_patterns(const char *target, const char *env_val) {
 if (!target || !env_val || !*env_val) return 0;
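Review bot: With `kwargs['env'] = {}` the interpreter that runs the tool code is now started without `sandbox.so` preloaded, and the `os.environ['LD_PRELOAD']` assignment this commit adds to the generated scripts does not change that: the dynamic loader reads `LD_PRELOAD` only when a process is exec'd, so the hooks would apply only to programs the script later spawns, not to socket calls made by the script's own process. The assignment also lives in the same process as the code being restricted, which can therefore alter it. If the host ban is meant to cover the tool code itself, keep the preload and the host list in the launch environment, e.g. `kwargs['env'] = {'LD_PRELOAD': '/opt/maxkb-app/sandbox/sandbox.so', 'SANDBOX_BANNED_HOSTS': self.banned_hosts}`, and confirm that `su` passes both variables through to the child. The `subprocess.run(...)` call continues outside the hunk.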
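Review bot: The library that gets preloaded into tool processes is now written to `/opt/maxkb-app/sandbox/sandbox.so`, while `ToolExecutor` runs `chown -R {self.user}:root {self.sandbox_path}`; if `sandbox_path` is this directory (its value is not visible in the patch), the enforcement library ends up owned by the account it is supposed to restrict. Build it into a root-owned location outside the tool working tree, or restore root ownership and a read-only mode on the file after the chown. Also, `gcc -o` does not create missing directories, so this step needs the target directory to exist already, e.g. `RUN mkdir -p /opt/maxkb-app/sandbox && gcc -shared -fPIC -o /opt/maxkb-app/sandbox/sandbox.so /opt/maxkb-app/installer/sandbox.c -ldl && \`. The `RUN` instruction continues past the end of the hunk.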
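Review bot: `ENV_NAME` now differs from both the setting named in the commit subject (`MAXKB_SANDBOX_PYTHON_BANNED_HOSTS`) and the key read in `tool_code.py` (`SANDBOX_PYTHON_BANNED_HOSTS`), and nothing at the definition says who sets it. A comment above it would help, e.g. `/* Set by the generated tool script (apps/common/utils/tool_code.py), not by the operator; unset or empty means no host is matched. */`. The second half of that comment follows from the visible guard in `match_env_patterns`, whose body continues outside the hunk, so confirm that returning 0 there is the intended default.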