panyy
/
UnisKB
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

refactor: rename MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES to MAXKB_SANDBOX_PYTHON_ALLOW_HOST_REGEXES

v3.2
liqiang-fit2cloud 2025-11-06 11:23:09 +08:00
parent 6ac10785c9
commit 6e39df454c
3 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
apps/common/utils/tool_code.py
View File

@ -28,7 +28,7 @@ class ToolExecutor:
if self.sandbox: if self.sandbox:
os.system(f"chown -R {self.user}:root {self.sandbox_path}") os.system(f"chown -R {self.user}:root {self.sandbox_path}")
self.banned_keywords = CONFIG.get("SANDBOX_PYTHON_BANNED_KEYWORDS", 'nothing_is_banned').split(','); self.banned_keywords = CONFIG.get("SANDBOX_PYTHON_BANNED_KEYWORDS", 'nothing_is_banned').split(',');
self.allow_hosts_regexes = CONFIG.get("SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES", ''); self.allow_host_regexes = CONFIG.get("SANDBOX_PYTHON_ALLOW_HOST_REGEXES", '');
def _createdir(self): def _createdir(self):
old_mask = os.umask(0o077) old_mask = os.umask(0o077)
@ -183,7 +183,7 @@ exec({dedent(code)!a})
'cwd': self.sandbox_path, 'cwd': self.sandbox_path,
'env': { 'env': {
'LD_PRELOAD': '/opt/maxkb-app/sandbox/sandbox.so', 'LD_PRELOAD': '/opt/maxkb-app/sandbox/sandbox.so',
'SANDBOX_ALLOW_HOSTS_REGEXES': self.allow_hosts_regexes, 'SANDBOX_ALLOW_HOST_REGEXES': self.allow_host_regexes,
}, },
'transport': 'stdio', 'transport': 'stdio',
} }
@ -203,7 +203,7 @@ exec({dedent(code)!a})
kwargs = {'cwd': BASE_DIR} kwargs = {'cwd': BASE_DIR}
kwargs['env'] = { kwargs['env'] = {
'LD_PRELOAD': '/opt/maxkb-app/sandbox/sandbox.so', 'LD_PRELOAD': '/opt/maxkb-app/sandbox/sandbox.so',
'SANDBOX_ALLOW_HOSTS_REGEXES': self.allow_hosts_regexes, 'SANDBOX_ALLOW_HOST_REGEXES': self.allow_host_regexes,
} }
subprocess_result = subprocess.run( subprocess_result = subprocess.run(
['su', '-s', python_directory, '-c', "exec(open('" + exec_python_file + "').read())", self.user], ['su', '-s', python_directory, '-c', "exec(open('" + exec_python_file + "').read())", self.user],

2
installer/Dockerfile-base
View File

@ -47,7 +47,7 @@ ENV PATH=/opt/py3/bin:$PATH \
MAXKB_SANDBOX=1 \ MAXKB_SANDBOX=1 \
MAXKB_SANDBOX_PYTHON_PACKAGE_PATHS="/opt/py3/lib/python3.11/site-packages,/opt/maxkb-app/sandbox/python-packages,/opt/maxkb/python-packages" \ MAXKB_SANDBOX_PYTHON_PACKAGE_PATHS="/opt/py3/lib/python3.11/site-packages,/opt/maxkb-app/sandbox/python-packages,/opt/maxkb/python-packages" \
MAXKB_SANDBOX_PYTHON_BANNED_KEYWORDS="subprocess.,system(,exec(,execve(,pty.,eval(,compile(,shutil.,input(,__import__" \ MAXKB_SANDBOX_PYTHON_BANNED_KEYWORDS="subprocess.,system(,exec(,execve(,pty.,eval(,compile(,shutil.,input(,__import__" \
MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES=".*,!=127\.0\.0\.1,!=localhost,!=maxkb,!=pgsql,!=redis" \ MAXKB_SANDBOX_PYTHON_ALLOW_HOST_REGEXES=".*,!=127\.0\.0\.1,!=localhost,!=maxkb,!=pgsql,!=redis" \
MAXKB_ADMIN_PATH=/admin MAXKB_ADMIN_PATH=/admin
EXPOSE 6379 EXPOSE 6379

2
installer/sandbox.c
View File

@ -65,7 +65,7 @@ static int is_allowed_by_env(const char *target, const char *env_val) {
/** 检查逻辑封装 */ /** 检查逻辑封装 */
static int check_host(const char *host) { static int check_host(const char *host) {
const char *env = getenv("SANDBOX_ALLOW_HOSTS_REGEXES"); const char *env = getenv("SANDBOX_ALLOW_HOST_REGEXES");
return is_allowed_by_env(host, env); return is_allowed_by_env(host, env);
} }