AskaEth/Cyrene
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Files
d1b8f8e3b2702eaf0cd1b03dfad4bcd998d62597
Cyrene/backend/ai-core/internal/host/sandbox.go
T
AskaEth 38b36fc5ad feat: Phase 6.2 宿主机安全操控 — 沙箱执行 + 文件系统隔离 + 进程管理 
- host.Sandbox: 命令白名单 + 目录限制 + 超时控制 + 环境变量过滤
- host.Manager: 文件读写列表 + 系统信息查询 + 路径验证
- 3个新工具: host_exec (沙箱命令执行), host_file (文件操作), host_system (系统信息)
- 后台思考器自主工具策略已更新,允许安全使用主机工具
- host_exec 标记为高风险工具,受频率限制

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-23 22:23:45 +08:00

220 lines
5.2 KiB
Go
Raw Blame History

package host
import (
"bytes"
"context"
"fmt"
"os"
"os/exec"
"path/filepath"
"strings"
"time"
)
// SandboxConfig configures the sandbox execution environment.
type SandboxConfig struct {
AllowedCommands []string
AllowedDirs []string
MaxOutputBytes int
DefaultTimeout time.Duration
MaxTimeout time.Duration
}
// DefaultSandboxConfig returns a safe default configuration.
func DefaultSandboxConfig() SandboxConfig {
return SandboxConfig{
AllowedCommands: []string{
"echo", "cat", "ls", "dir", "pwd", "date", "time",
"wc", "head", "tail", "sort", "uniq", "grep", "find",
"python", "python3", "node", "go", "rustc", "cargo",
"git", "curl", "wget", "ping", "nslookup", "tracert",
"dotnet", "java", "javac", "gcc", "g++", "make", "cmake",
"npm", "npx", "yarn", "pnpm", "pip", "pip3",
"docker", "kubectl", "helm",
"ffmpeg", "ffprobe", "imagemagick", "convert",
"systeminfo", "tasklist", "taskkill", "netstat",
},
MaxOutputBytes: 512 * 1024,
DefaultTimeout: 30 * time.Second,
MaxTimeout: 300 * time.Second,
}
}
// Sandbox provides a safe execution environment for host commands.
type Sandbox struct {
cfg SandboxConfig
}
// NewSandbox creates a new sandbox.
func NewSandbox(cfg SandboxConfig) *Sandbox {
return &Sandbox{cfg: cfg}
}
// ExecResult holds the result of a sandboxed command execution.
type ExecResult struct {
Stdout string `json:"stdout"`
Stderr string `json:"stderr"`
ExitCode int `json:"exit_code"`
Duration string `json:"duration"`
TimedOut bool `json:"timed_out"`
}
// Exec runs a command inside the sandbox. The command string is parsed into
// the executable name and arguments. Returns the combined output.
func (s *Sandbox) Exec(ctx context.Context, command string, workDir string, timeout time.Duration) (*ExecResult, error) {
if command == "" {
return nil, fmt.Errorf("empty command")
}
parts := strings.Fields(command)
if len(parts) == 0 {
return nil, fmt.Errorf("empty command")
}
cmdName := parts[0]
var args []string
if len(parts) > 1 {
args = parts[1:]
}
if !s.isCommandAllowed(cmdName) {
return nil, fmt.Errorf("command not allowed: %s", cmdName)
}
if workDir == "" {
workDir = s.defaultWorkDir()
}
if err := s.validateWorkDir(workDir); err != nil {
return nil, err
}
if timeout <= 0 {
timeout = s.cfg.DefaultTimeout
}
if timeout > s.cfg.MaxTimeout {
timeout = s.cfg.MaxTimeout
}
execCtx, cancel := context.WithTimeout(ctx, timeout)
defer cancel()
cmd := exec.CommandContext(execCtx, cmdName, args...)
cmd.Dir = workDir
cmd.Env = s.filteredEnv()
var stdout, stderr bytes.Buffer
cmd.Stdout = &stdout
cmd.Stderr = &stderr
start := time.Now()
err := cmd.Run()
elapsed := time.Since(start)
result := &ExecResult{
Duration: elapsed.Round(time.Millisecond).String(),
}
if stdout.Len() > s.cfg.MaxOutputBytes {
result.Stdout = stdout.String()[:s.cfg.MaxOutputBytes] + "\n... [output truncated]"
} else {
result.Stdout = stdout.String()
}
if stderr.Len() > s.cfg.MaxOutputBytes {
result.Stderr = stderr.String()[:s.cfg.MaxOutputBytes] + "\n... [output truncated]"
} else {
result.Stderr = stderr.String()
}
if execCtx.Err() == context.DeadlineExceeded {
result.TimedOut = true
result.ExitCode = -1
return result, fmt.Errorf("command timed out after %s", timeout)
}
if err != nil {
if exitErr, ok := err.(*exec.ExitError); ok {
result.ExitCode = exitErr.ExitCode()
} else {
result.ExitCode = -1
}
} else {
result.ExitCode = 0
}
return result, err
}
func (s *Sandbox) isCommandAllowed(cmd string) bool {
if len(s.cfg.AllowedCommands) == 0 {
return true
}
base := filepath.Base(cmd)
base = strings.TrimSuffix(base, ".exe")
for _, allowed := range s.cfg.AllowedCommands {
if strings.EqualFold(base, allowed) {
return true
}
}
return false
}
func (s *Sandbox) validateWorkDir(dir string) error {
info, err := os.Stat(dir)
if err != nil {
return fmt.Errorf("work directory not accessible: %s: %w", dir, err)
}
if !info.IsDir() {
return fmt.Errorf("not a directory: %s", dir)
}
if len(s.cfg.AllowedDirs) == 0 {
return nil
}
absDir, err := filepath.Abs(dir)
if err != nil {
return fmt.Errorf("cannot resolve path: %w", err)
}
for _, allowed := range s.cfg.AllowedDirs {
absAllowed, err := filepath.Abs(allowed)
if err != nil {
continue
}
if strings.HasPrefix(absDir, absAllowed) {
return nil
}
}
return fmt.Errorf("directory not in allowed list: %s", dir)
}
func (s *Sandbox) defaultWorkDir() string {
if len(s.cfg.AllowedDirs) > 0 {
return s.cfg.AllowedDirs[0]
}
wd, _ := os.Getwd()
return wd
}
func (s *Sandbox) filteredEnv() []string {
allowed := map[string]bool{
"PATH": true, "HOME": true, "USER": true, "USERNAME": true,
"TMP": true, "TEMP": true, "TMPDIR": true,
"LANG": true, "LC_ALL": true, "SHELL": true,
"SYSTEMROOT": true, "WINDIR": true, "ProgramFiles": true,
"GOPATH": true, "GOROOT": true, "GOPROXY": true,
"NODE_PATH": true, "PYTHONPATH": true,
"JAVA_HOME": true, "DOTNET_ROOT": true,
"CARGO_HOME": true, "RUSTUP_HOME": true,
}
var filtered []string
for _, e := range os.Environ() {
kv := strings.SplitN(e, "=", 2)
if len(kv) == 2 && allowed[kv[0]] {
filtered = append(filtered, e)
}
}
filtered = append(filtered, "CYRENE_SANDBOX=1")
return filtered
}
Reference in New Issue View Git Blame Copy Permalink