mirror of
https://github.com/1Panel-dev/MaxKB.git
synced 2025-12-26 01:33:05 +00:00
feat: add MAXKB_SANDBOX_PYTHON_BANNED_HOSTS env to ban host for sandbox in tools code.
This commit is contained in:
liqiang-fit2cloud
parent
d7a6de1515
commit
f0be269cdc
|
|
@ -28,6 +28,7 @@ class ToolExecutor:
|
|||
if self.sandbox:
|
||||
os.system(f"chown -R {self.user}:root {self.sandbox_path}")
|
||||
self.banned_keywords = CONFIG.get("SANDBOX_PYTHON_BANNED_KEYWORDS", 'nothing_is_banned').split(',');
|
||||
self.banned_hosts = CONFIG.get("SANDBOX_PYTHON_BANNED_HOSTS", 'no_host_is_banned');
|
||||
|
||||
def _createdir(self):
|
||||
old_mask = os.umask(0o077)
|
||||
|
|
@ -53,6 +54,8 @@ try:
|
|||
path_to_exclude = ['/opt/py3/lib/python3.11/site-packages', '/opt/maxkb-app/apps']
|
||||
sys.path = [p for p in sys.path if p not in path_to_exclude]
|
||||
sys.path += {python_paths}
|
||||
os.environ['LD_PRELOAD'] = '/opt/maxkb-app/sandbox/sandbox.so'
|
||||
os.environ['SANDBOX_BANNED_HOSTS'] = {self.banned_hosts}
|
||||
locals_v={'{}'}
|
||||
keywords={keywords}
|
||||
globals_v=globals()
|
||||
|
|
@ -159,6 +162,8 @@ logging.getLogger("mcp.server").setLevel(logging.ERROR)
|
|||
path_to_exclude = ['/opt/py3/lib/python3.11/site-packages', '/opt/maxkb-app/apps']
|
||||
sys.path = [p for p in sys.path if p not in path_to_exclude]
|
||||
sys.path += {python_paths}
|
||||
os.environ['LD_PRELOAD'] = '/opt/maxkb-app/sandbox/sandbox.so'
|
||||
os.environ['SANDBOX_BANNED_HOSTS'] = {self.banned_hosts}
|
||||
exec({dedent(code)!a})
|
||||
"""
|
||||
|
||||
|
|
@ -197,7 +202,7 @@ exec({dedent(code)!a})
|
|||
file.write(_code)
|
||||
os.system(f"chown {self.user}:root {exec_python_file}")
|
||||
kwargs = {'cwd': BASE_DIR}
|
||||
kwargs['env'] = {'LD_PRELOAD': '/opt/maxkb-app/apps/sandbox.so'}
|
||||
kwargs['env'] = {}
|
||||
subprocess_result = subprocess.run(
|
||||
['su', '-s', python_directory, '-c', "exec(open('" + exec_python_file + "').read())", self.user],
|
||||
text=True,
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ RUN apt-get update && \
|
|||
apt-get clean all && \
|
||||
rm -rf /var/lib/apt/lists/*
|
||||
WORKDIR /opt/maxkb-app
|
||||
RUN gcc -shared -fPIC -o /opt/maxkb-app/apps/sandbox.so /opt/maxkb-app/installer/sandbox.c -ldl && \
|
||||
RUN gcc -shared -fPIC -o /opt/maxkb-app/sandbox/sandbox.so /opt/maxkb-app/installer/sandbox.c -ldl && \
|
||||
rm -rf /opt/maxkb-app/ui && \
|
||||
pip install uv --break-system-packages && \
|
||||
python -m uv pip install -r pyproject.toml && \
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@
|
|||
#include <regex.h>
|
||||
#include <unistd.h>
|
||||
|
||||
static const char *ENV_NAME = "MAXKB_SANDBOX_PYTHON_BANNED_HOSTS";
|
||||
static const char *ENV_NAME = "SANDBOX_BANNED_HOSTS";
|
||||
|
||||
static int match_env_patterns(const char *target, const char *env_val) {
|
||||
if (!target || !env_val || !*env_val) return 0;
|
||||
|
|
|
|||
Loading…
Reference in New Issue