feat: add MAXKB_SANDBOX_PYTHON_BANNED_KEYWORDS env to ban keywords in tool content.

2025-12-26 01:33:05 +00:00 · 2025-07-16 16:24:41 +08:00 · 2025-07-16 16:24:41 +08:00 · e982bb0ca1
parent 2b89fc05d1
commit e982bb0ca1
2 changed files with 9 additions and 1 deletions
--- a/apps/common/utils/tool_code.py
+++ b/apps/common/utils/tool_code.py
@ -26,6 +26,7 @@ class ToolExecutor:
        self._createdir()
        if self.sandbox:
            os.system(f"chown -R {self.user}:root {self.sandbox_path}")
+        self.banned_keywords = CONFIG.get("SANDBOX_PYTHON_BANNED_KEYWORDS", 'nothing_is_banned').split(',');

    def _createdir(self):
        old_mask = os.umask(0o077)
@ -37,6 +38,7 @@ class ToolExecutor:
            os.umask(old_mask)

    def exec_code(self, code_str, keywords):
+        self.validateBannedKeywords(code_str)
        _id = str(uuid.uuid7())
        success = '{"code":200,"msg":"成功","data":exec_result}'
        err = '{"code":500,"msg":str(e),"data":None}'
@ -94,6 +96,11 @@ except Exception as e:
        os.remove(exec_python_file)
        return subprocess_result

+    def validateBannedKeywords(self, code_str):
+        matched = next((bad for bad in self.banned_keywords if bad in code_str), None)
+        if matched:
+            raise Exception(f"keyword '{matched}' is banned in the tool.")
+
    @staticmethod
    def _exec(_code):
        return subprocess.run([python_directory, '-c', _code], text=True, capture_output=True)
--- a/installer/Dockerfile-base
+++ b/installer/Dockerfile-base
@ -39,7 +39,8 @@ ENV PGDATA=/opt/maxkb/data/postgresql/pgdata \
    REDIS_PASSWORD=Password123@redis \
    LANG=en_US.UTF-8 \
    MAXKB_LOG_LEVEL=INFO \
-    MAXKB_SANDBOX_PYTHON_PACKAGE_PATHS=/opt/py3/lib/python3.11/site-packages,/opt/maxkb-app/sandbox/python-packages,/opt/maxkb/python-packages \
+    MAXKB_SANDBOX_PYTHON_PACKAGE_PATHS="/opt/py3/lib/python3.11/site-packages,/opt/maxkb-app/sandbox/python-packages,/opt/maxkb/python-packages" \
+    MAXKB_SANDBOX_PYTHON_BANNED_KEYWORDS="subprocess.,system(,exec(,pty.,eval(,compile(,shutil.,input(" \
    MAXKB_ADMIN_PATH=/admin

 EXPOSE 6379