adai/MemoryBear
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(sandbox): add Node.js code execution support to sandbox

Browse Source
This commit is contained in:
Eternity
2026-01-30 12:08:34 +08:00
parent ee50b25d06
commit 36e0ed15b6
35 changed files with 820 additions and 314 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
sandbox/app/core/runners/python/__init__.py
View File

@@ -1,4 +1,3 @@
# -*- coding: UTF-8 -*-
# Author: Eternity
# @Email: 1533512157@qq.com
# @Time : 2026/1/23 11:27
from app.core.runners.python.env import release_lib_binary
release_lib_binary(True)

70
sandbox/app/core/runners/python/env.py
View File

@@ -1,14 +1,80 @@
import asyncio
import tempfile
import ctypes
import os
import stat
import tempfile
from pathlib import Path
from app.config import get_config
from app.core.runners.python.settings import LIB_PATH
from app.logger import get_logger
logger = get_logger()
RELEASE_LIB_PATH = "./lib/seccomp_redbear/target/release/libpython.so"
LIB_PATH = "/var/sandbox/sandbox-python"
LIB_NAME = "libpython.so"
lib = ctypes.CDLL(RELEASE_LIB_PATH)
lib.get_lib_version_static.restype = ctypes.c_char_p
lib.get_lib_feature_static.restype = ctypes.c_char_p
logger.info(f"Seccomp Env: python3, "
f"Seccomp Feature: {lib.get_lib_feature_static().decode('utf-8')}, "
f"Seccomp Version: {lib.get_lib_version_static().decode('utf-8')}")
try:
with open(RELEASE_LIB_PATH, "rb") as f:
_PYTHON_LIB = f.read()
except:
logger.critical("failed to load python lib")
raise
def check_lib_avaiable():
return os.path.exists(os.path.join(LIB_PATH, LIB_NAME))
def release_lib_binary(force_remove: bool):
logger.info("init runtime enviroment")
lib_file = os.path.join(LIB_PATH, LIB_NAME)
if os.path.exists(lib_file):
if force_remove:
try:
os.remove(lib_file)
except OSError:
logger.critical(f"failed to remove {os.path.join(LIB_PATH, LIB_NAME)}")
raise
try:
os.makedirs(LIB_PATH, mode=0o755, exist_ok=True)
except OSError:
logger.critical(f"failed to create {LIB_PATH}")
raise
try:
with open(lib_file, "wb") as f:
f.write(_PYTHON_LIB)
os.chmod(lib_file, 0o755)
except OSError:
logger.critical(f"failed to write {lib_file}")
raise
else:
try:
os.makedirs(LIB_PATH, mode=0o755, exist_ok=True)
except OSError:
logger.critical(f"failed to create {LIB_PATH}")
raise
try:
with open(lib_file, "wb") as f:
f.write(_PYTHON_LIB)
os.chmod(lib_file, 0o755)
except OSError:
logger.critical(f"failed to write {lib_file}")
raise
logger.info("python runner environment initialized")
async def prepare_python_dependencies_env():
config = get_config()

7
sandbox/app/core/runners/python/prescript.py
View File

@@ -17,7 +17,7 @@ sys.excepthook = excepthook
# Load security library if available
lib = ctypes.CDLL("./libpython.so")
lib.init_seccomp.argtypes = [ctypes.c_uint32, ctypes.c_uint32, ctypes.c_bool]
lib.init_seccomp.restype = None # TODO: raise error info
lib.init_seccomp.restype = ctypes.c_int
# Get running path
running_path = sys.argv[1]
@@ -37,7 +37,10 @@ os.chdir(running_path)
{{preload}}
# Apply security if library is available
lib.init_seccomp({{uid}}, {{gid}}, {{enable_network}})
init_status = lib.init_seccomp({{uid}}, {{gid}}, {{enable_network}})
if init_status != 0:
raise Exception(f"code executor err - {str(init_status)}")
del lib
# Decrypt and execute code
code = b64decode("{{code}}")

8
sandbox/app/core/runners/python/python_runner.py
View File

@@ -5,10 +5,10 @@ import os
import uuid
from typing import Optional
from app.config import SANDBOX_USER_ID, SANDBOX_GROUP_ID, get_config
from app.config import get_config
from app.core.encryption import generate_key, encrypt_code
from app.core.executor import CodeExecutor, ExecutionResult
from app.core.runners.python.settings import check_lib_avaiable, release_lib_binary, LIB_PATH
from app.core.runners.python.env import check_lib_avaiable, release_lib_binary, LIB_PATH
from app.logger import get_logger
from app.models import RunnerOptions
@@ -32,8 +32,8 @@ class PythonRunner(CodeExecutor):
config = get_config()
code_file_name = uuid.uuid4().hex.replace("-", "_")
script = PYTHON_PRESCRIPT.replace("{{uid}}", str(SANDBOX_USER_ID), 1)
script = script.replace("{{gid}}", str(SANDBOX_GROUP_ID), 1)
script = PYTHON_PRESCRIPT.replace("{{uid}}", str(config.sandbox_uid), 1)
script = script.replace("{{gid}}", str(config.sandbox_gid), 1)
script = script.replace(
"{{enable_network}}",
str(int(options.enable_network and config.enable_network)

62
sandbox/app/core/runners/python/settings.py
View File

@@ -1,62 +0,0 @@
import os
from app.logger import get_logger
logger = get_logger()
RELEASE_LIB_PATH = "./lib/seccomp_python/target/release/libpython.so"
LIB_PATH = "/var/sandbox/sandbox-python"
LIB_NAME = "libpython.so"
try:
with open(RELEASE_LIB_PATH, "rb") as f:
_PYTHON_LIB = f.read()
except:
logger.critical("failed to load python lib")
raise
def check_lib_avaiable():
return os.path.exists(os.path.join(LIB_PATH, LIB_NAME))
def release_lib_binary(force_remove: bool):
logger.info("init runtime enviroment")
lib_file = os.path.join(LIB_PATH, LIB_NAME)
if os.path.exists(lib_file):
if force_remove:
try:
os.remove(lib_file)
except OSError:
logger.critical(f"failed to remove {os.path.join(LIB_PATH, LIB_NAME)}")
raise
try:
os.makedirs(LIB_PATH, mode=0o755, exist_ok=True)
except OSError:
logger.critical(f"failed to create {LIB_PATH}")
raise
try:
with open(lib_file, "wb") as f:
f.write(_PYTHON_LIB)
os.chmod(lib_file, 0o755)
except OSError:
logger.critical(f"failed to write {lib_file}")
raise
else:
try:
os.makedirs(LIB_PATH, mode=0o755, exist_ok=True)
except OSError:
logger.critical(f"failed to create {LIB_PATH}")
raise
try:
with open(lib_file, "wb") as f:
f.write(_PYTHON_LIB)
os.chmod(lib_file, 0o755)
except OSError:
logger.critical(f"failed to write {lib_file}")
raise
logger.info("python runner environment initialized")