refactor: remove MAXKB_SANDBOX_PYTHON_BANNED_KEYWORDS.

2025-12-25 17:22:55 +00:00 · 2025-11-24 18:42:06 +08:00 · 2025-11-24 18:42:06 +08:00 · eb30b88d10
parent 057e0420cf
commit eb30b88d10
3 changed files with 1 additions and 13 deletions
--- a/apps/common/utils/tool_code.py
+++ b/apps/common/utils/tool_code.py
@ -27,7 +27,6 @@ class ToolExecutor:
        else:
            self.sandbox_path = os.path.join(PROJECT_DIR, 'data', 'sandbox')
            self.user = None
-        self.banned_keywords = CONFIG.get("SANDBOX_PYTHON_BANNED_KEYWORDS", 'nothing_is_banned').split(',');
        self.sandbox_so_path = f'{self.sandbox_path}/sandbox.so'
        try:
            self._init_dir()
@ -74,10 +73,10 @@ class ToolExecutor:
            f.write(f"SANDBOX_PYTHON_BANNED_HOSTS={banned_hosts}")
            f.write("\n")
            f.write(f"SANDBOX_PYTHON_ALLOW_SUBPROCESS={allow_subprocess}")
+            f.write("\n")
        os.chmod(sandbox_conf_file_path, 0o440)

    def exec_code(self, code_str, keywords):
-        self.validate_banned_keywords(code_str)
        _id = str(uuid.uuid7())
        success = '{"code":200,"msg":"成功","data":exec_result}'
        err = '{"code":500,"msg":str(e),"data":None}'
@ -116,8 +115,6 @@ except Exception as e:
        raise Exception(result.get('msg'))

    def _generate_mcp_server_code(self, _code, params):
-        self.validate_banned_keywords(_code)
-
        # 解析代码，提取导入语句和函数定义
        try:
            tree = ast.parse(_code)
@ -239,11 +236,6 @@ exec({dedent(code)!a})
            capture_output=True, **kwargs)
        return subprocess_result

-    def validate_banned_keywords(self, code_str):
-        matched = next((bad for bad in self.banned_keywords if bad in code_str), None)
-        if matched:
-            raise Exception(f"keyword '{matched}' is banned in the tool.")
-
    def validate_mcp_transport(self, code_str):
        servers = json.loads(code_str)
        for server, config in servers.items():
--- a/apps/tools/serializers/tool.py
+++ b/apps/tools/serializers/tool.py
@ -354,7 +354,6 @@ class ToolSerializer(serializers.Serializer):
                self.is_valid(raise_exception=True)
                ToolCreateRequest(data=instance).is_valid(raise_exception=True)
                # 校验代码是否包括禁止的关键字
-                ToolExecutor().validate_banned_keywords(instance.get('code', ''))
                if instance.get('tool_type') == ToolType.MCP:
                    ToolExecutor().validate_mcp_transport(instance.get('code', ''))

@ -391,7 +390,6 @@ class ToolSerializer(serializers.Serializer):
        def test_connection(self):
            self.is_valid(raise_exception=True)
            # 校验代码是否包括禁止的关键字
-            ToolExecutor().validate_banned_keywords(self.data.get('code', ''))
            ToolExecutor().validate_mcp_transport(self.data.get('code', ''))

            # 校验mcp json
@ -486,7 +484,6 @@ class ToolSerializer(serializers.Serializer):
                self.is_valid(raise_exception=True)
                ToolEditRequest(data=instance).is_valid(raise_exception=True)
                # 校验代码是否包括禁止的关键字
-                ToolExecutor().validate_banned_keywords(instance.get('code', ''))
                if instance.get('tool_type') == ToolType.MCP:
                    ToolExecutor().validate_mcp_transport(instance.get('code', ''))

--- a/installer/Dockerfile-base
+++ b/installer/Dockerfile-base
@ -48,7 +48,6 @@ ENV PATH=/opt/py3/bin:$PATH \
    MAXKB_SANDBOX=1 \
    MAXKB_SANDBOX_HOME=/opt/maxkb-app/sandbox \
    MAXKB_SANDBOX_PYTHON_PACKAGE_PATHS="/opt/py3/lib/python3.11/site-packages,/opt/maxkb-app/sandbox/python-packages,/opt/maxkb/python-packages" \
-    MAXKB_SANDBOX_PYTHON_BANNED_KEYWORDS="subprocess.,system(,exec(,execve(,pty.,eval(,compile(,shutil.,input(,__import__" \
    MAXKB_SANDBOX_PYTHON_BANNED_HOSTS="127.0.0.1,localhost,host.docker.internal,maxkb,pgsql,redis" \
    MAXKB_ADMIN_PATH=/admin