* refactor: Fix sandbox escape by disabling the preload parameter. * Update python.go * Update nodejs.go * Update config.go * refactor: Fix sandbox escape by disabling the preload parameter. * Update config.go * update * update
@@ -7,6 +7,7 @@ max_requests: 50
worker_timeout: 5
python_path: /usr/local/bin/python3
enable_network: True # please make sure there is no network risk in your environment
+enable_preload: False # please keep it as False for security purposes
allowed_syscalls: # please leave it empty if you have no idea how seccomp works
proxy:
socks5: ''
@@ -14,6 +14,11 @@ func RunNodeJsCode(code string, preload string, options *runner_types.RunnerOpti
return types.ErrorResponse(-400, err.Error())
}
+
+ if !static.GetDifySandboxGlobalConfigurations().EnablePreload {
+ preload = ""
+ }
timeout := time.Duration(
static.GetDifySandboxGlobalConfigurations().WorkerTimeout * int(time.Second),
)
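Review bot: The new guard silently replaces a caller-supplied preload with an empty string when EnablePreload is false, so a client that sends a preload has its code run under different semantics with no indication; the RunPython3Code hunk appears to add the same pattern. Returning an explicit error keeps the fail-closed behaviour while making the rejection visible: `if preload != "" && !static.GetDifySandboxGlobalConfigurations().EnablePreload { return types.ErrorResponse(-400, "preload is disabled") }`. If silent stripping is the intended contract, a comment on the guard should say so: `// preload is dropped, not rejected, when disabled; callers must not rely on it running`. The configuration getter is also called twice in a row here, so hoisting it into a local such as `cfg := static.GetDifySandboxGlobalConfigurations()` would read better. RunNodeJsCode starts before and continues past this hunk.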
@@ -19,6 +19,10 @@ func RunPython3Code(code string, preload string, options *runner_types.RunnerOpt
@@ -107,6 +107,11 @@ func InitConfig(path string) error {
difySandboxGlobalConfigurations.EnableNetwork, _ = strconv.ParseBool(enable_network)
+ enable_preload := os.Getenv("ENABLE_PRELOAD")
+ if enable_preload != "" {
+ difySandboxGlobalConfigurations.EnablePreload, _ = strconv.ParseBool(enable_preload)
allowed_syscalls := os.Getenv("ALLOWED_SYSCALLS")
if allowed_syscalls != "" {
strs := strings.Split(allowed_syscalls, ",")
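Review bot: The ParseBool error on the new ENABLE_PRELOAD line is discarded, so a value such as `ENABLE_PRELOAD=yes` sets EnablePreload to false without any diagnostic; that is the safe direction, but the operator gets no hint that the override was ignored. Since InitConfig already returns an error, a malformed value could be reported instead: `v, err := strconv.ParseBool(enable_preload)`, `if err != nil { return fmt.Errorf("parsing ENABLE_PRELOAD %q: %w", enable_preload, err) }`, `difySandboxGlobalConfigurations.EnablePreload = v` (assuming fmt is already imported in config.go). The `enable_network` line above has the same discarded error, so if one is changed the other should follow for consistency. The closing brace of the new `if` block is not visible in the hunk as shown, and InitConfig continues outside it.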
@@ -15,10 +15,11 @@ type DifySandboxGlobalConfigurations struct {
PythonDepsUpdateInterval string `yaml:"python_deps_update_interval"`
NodejsPath string `yaml:"nodejs_path"`
EnableNetwork bool `yaml:"enable_network"`
+ EnablePreload bool `yaml:"enable_preload"`
AllowedSyscalls []int `yaml:"allowed_syscalls"`
Proxy struct {
Socks5 string `yaml:"socks5"`
Https string `yaml:"https"`
Http string `yaml:"http"`
} `yaml:"proxy"`
-}
+}
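Review bot: The new EnablePreload field carries no comment explaining that it gates a security-sensitive option, which the commit message describes as a sandbox-escape fix; a reader of the struct alone cannot tell why it should stay false. A field comment would capture that: `// EnablePreload controls whether the caller-supplied preload argument of the runners is honoured; keep false unless every caller is trusted.` The field's zero value is false, so a config file without the key is fail-closed, and it is worth stating that in the comment as well. The `-}`/`+}` pair at the end looks like a trailing-newline change only.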