mirror of
https://github.com/infiniflow/ragflow.git
synced 2026-01-28 14:16:34 +08:00
fd11aca8e5
## Summary Implement a flexible sandbox provider system supporting both self-managed (Docker) and SaaS (Aliyun Code Interpreter) backends for secure code execution in agent workflows. **Key Changes:** - ✅ Aliyun Code Interpreter provider using official `agentrun-sdk>=0.0.16` - ✅ Self-managed provider with gVisor (runsc) security - ✅ Arguments parameter support for dynamic code execution - ✅ Database-only configuration (removed fallback logic) - ✅ Configuration scripts for quick setup Issue #12479 ## Features ### 🔌 Provider Abstraction Layer **1. Self-Managed Provider** (`agent/sandbox/providers/self_managed.py`) - Wraps existing executor_manager HTTP API - gVisor (runsc) for secure container isolation - Configurable pool size, timeout, retry logic - Languages: Python, Node.js, JavaScript - ⚠️ **Requires**: gVisor installation, Docker, base images **2. Aliyun Code Interpreter** (`agent/sandbox/providers/aliyun_codeinterpreter.py`) - SaaS integration using official agentrun-sdk - Serverless microVM execution with auto-authentication - Hard timeout: 30 seconds max - Credentials: `AGENTRUN_ACCESS_KEY_ID`, `AGENTRUN_ACCESS_KEY_SECRET`, `AGENTRUN_ACCOUNT_ID`, `AGENTRUN_REGION` - Automatically wraps code to call `main()` function **3. E2B Provider** (`agent/sandbox/providers/e2b.py`) - Placeholder for future integration ### ⚙️ Configuration System - `conf/system_settings.json`: Default provider = `aliyun_codeinterpreter` - `agent/sandbox/client.py`: Enforces database-only configuration - Admin UI: `/admin/sandbox-settings` - Configuration validation via `validate_config()` method - Health checks for all providers ### 🎯 Key Capabilities **Arguments Parameter Support:** All providers support passing arguments to `main()` function: ```python # User code def main(name: str, count: int) -> dict: return {"message": f"Hello {name}!" * count} # Executed with: arguments={"name": "World", "count": 3} # Result: {"message": "Hello World!Hello World!Hello World!"} ``` **Self-Describing Providers:** Each provider implements `get_config_schema()` returning form configuration for Admin UI **Error Handling:** Structured `ExecutionResult` with stdout, stderr, exit_code, execution_time ## Configuration Scripts Two scripts for quick Aliyun sandbox setup: **Shell Script (requires jq):** ```bash source scripts/configure_aliyun_sandbox.sh ``` **Python Script (interactive):** ```bash python3 scripts/configure_aliyun_sandbox.py ``` ## Testing ```bash # Unit tests uv run pytest agent/sandbox/tests/test_providers.py -v # Aliyun provider tests uv run pytest agent/sandbox/tests/test_aliyun_codeinterpreter.py -v # Integration tests (requires credentials) uv run pytest agent/sandbox/tests/test_aliyun_codeinterpreter_integration.py -v # Quick SDK validation python3 agent/sandbox/tests/verify_sdk.py ``` **Test Coverage:** - 30 unit tests for provider abstraction - Provider-specific tests for Aliyun - Integration tests with real API - Security tests for executor_manager ## Documentation - `docs/develop/sandbox_spec.md` - Complete architecture specification - `agent/sandbox/tests/MIGRATION_GUIDE.md` - Migration from legacy sandbox - `agent/sandbox/tests/QUICKSTART.md` - Quick start guide - `agent/sandbox/tests/README.md` - Testing documentation ## Breaking Changes ⚠️ **Migration Required:** 1. **Directory Move**: `sandbox/` → `agent/sandbox/` - Update imports: `from sandbox.` → `from agent.sandbox.` 2. **Mandatory Configuration**: - SystemSettings must have `sandbox.provider_type` configured - Removed fallback default values - Configuration must exist in database (from `conf/system_settings.json`) 3. **Aliyun Credentials**: - Requires `AGENTRUN_*` environment variables (not `ALIYUN_*`) - `AGENTRUN_ACCOUNT_ID` is now required (Aliyun primary account ID) 4. **Self-Managed Provider**: - gVisor (runsc) must be installed for security - Install: `go install gvisor.dev/gvisor/runsc@latest` ## Database Schema Changes ```python # SystemSettings.value: CharField → TextField api/db/db_models.py: Changed for unlimited config length # SystemSettingsService.get_by_name(): Fixed query precision api/db/services/system_settings_service.py: startswith → exact match ``` ## Files Changed ### Backend (Python) - `agent/sandbox/providers/base.py` - SandboxProvider ABC interface - `agent/sandbox/providers/manager.py` - ProviderManager - `agent/sandbox/providers/self_managed.py` - Self-managed provider - `agent/sandbox/providers/aliyun_codeinterpreter.py` - Aliyun provider - `agent/sandbox/providers/e2b.py` - E2B provider (placeholder) - `agent/sandbox/client.py` - Unified client (enforces DB-only config) - `agent/tools/code_exec.py` - Updated to use provider system - `admin/server/services.py` - SandboxMgr with registry & validation - `admin/server/routes.py` - 5 sandbox API endpoints - `conf/system_settings.json` - Default: aliyun_codeinterpreter - `api/db/db_models.py` - TextField for SystemSettings.value - `api/db/services/system_settings_service.py` - Exact match query ### Frontend (TypeScript/React) - `web/src/pages/admin/sandbox-settings.tsx` - Settings UI - `web/src/services/admin-service.ts` - Sandbox service functions - `web/src/services/admin.service.d.ts` - Type definitions - `web/src/utils/api.ts` - Sandbox API endpoints ### Documentation - `docs/develop/sandbox_spec.md` - Architecture spec - `agent/sandbox/tests/MIGRATION_GUIDE.md` - Migration guide - `agent/sandbox/tests/QUICKSTART.md` - Quick start - `agent/sandbox/tests/README.md` - Testing guide ### Configuration Scripts - `scripts/configure_aliyun_sandbox.sh` - Shell script (jq) - `scripts/configure_aliyun_sandbox.py` - Python script ### Tests - `agent/sandbox/tests/test_providers.py` - 30 unit tests - `agent/sandbox/tests/test_aliyun_codeinterpreter.py` - Provider tests - `agent/sandbox/tests/test_aliyun_codeinterpreter_integration.py` - Integration tests - `agent/sandbox/tests/verify_sdk.py` - SDK validation ## Architecture ``` Admin UI → Admin API → SandboxMgr → ProviderManager → [SelfManaged|Aliyun|E2B] ↓ SystemSettings ``` ## Usage ### 1. Configure Provider **Via Admin UI:** 1. Navigate to `/admin/sandbox-settings` 2. Select provider (Aliyun Code Interpreter / Self-Managed) 3. Fill in configuration 4. Click "Test Connection" to verify 5. Click "Save" to apply **Via Configuration Scripts:** ```bash # Aliyun provider export AGENTRUN_ACCESS_KEY_ID="xxx" export AGENTRUN_ACCESS_KEY_SECRET="yyy" export AGENTRUN_ACCOUNT_ID="zzz" export AGENTRUN_REGION="cn-shanghai" source scripts/configure_aliyun_sandbox.sh ``` ### 2. Restart Service ```bash cd docker docker compose restart ragflow-server ``` ### 3. Execute Code in Agent ```python from agent.sandbox.client import execute_code result = execute_code( code='def main(name: str) -> dict: return {"message": f"Hello {name}!"}', language="python", timeout=30, arguments={"name": "World"} ) print(result.stdout) # {"message": "Hello World!"} ``` ## Troubleshooting ### "Container pool is busy" (Self-Managed) - **Cause**: Pool exhausted (default: 1 container in `.env`) - **Fix**: Increase `SANDBOX_EXECUTOR_MANAGER_POOL_SIZE` to 5+ ### "Sandbox provider type not configured" - **Cause**: Database missing configuration - **Fix**: Run config script or set via Admin UI ### "gVisor not found" - **Cause**: runsc not installed - **Fix**: `go install gvisor.dev/gvisor/runsc@latest && sudo cp ~/go/bin/runsc /usr/local/bin/` ### Aliyun authentication errors - **Cause**: Wrong environment variable names - **Fix**: Use `AGENTRUN_*` prefix (not `ALIYUN_*`) ## Checklist - [x] All tests passing (30 unit tests + integration tests) - [x] Documentation updated (spec, migration guide, quickstart) - [x] Type definitions added (TypeScript) - [x] Admin UI implemented - [x] Configuration validation - [x] Health checks implemented - [x] Error handling with structured results - [x] Breaking changes documented - [x] Configuration scripts created - [x] gVisor requirements documented Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
174 lines
7.6 KiB
Python
174 lines
7.6 KiB
Python
#
|
|
# Copyright 2025 The InfiniFlow Authors. All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
#
|
|
import ast
|
|
from typing import List, Tuple
|
|
|
|
from core.logger import logger
|
|
from models.enums import SupportLanguage
|
|
|
|
|
|
class SecurePythonAnalyzer(ast.NodeVisitor):
|
|
"""
|
|
An AST-based analyzer for detecting unsafe Python code patterns.
|
|
"""
|
|
|
|
DANGEROUS_IMPORTS = {"os", "subprocess", "sys", "shutil", "socket", "ctypes", "pickle", "threading", "multiprocessing", "asyncio", "http.client", "ftplib", "telnetlib"}
|
|
|
|
DANGEROUS_CALLS = {
|
|
"eval",
|
|
"exec",
|
|
"open",
|
|
"__import__",
|
|
"compile",
|
|
"input",
|
|
"system",
|
|
"popen",
|
|
"remove",
|
|
"rename",
|
|
"rmdir",
|
|
"chdir",
|
|
"chmod",
|
|
"chown",
|
|
"getattr",
|
|
"setattr",
|
|
"globals",
|
|
"locals",
|
|
"shutil.rmtree",
|
|
"subprocess.call",
|
|
"subprocess.Popen",
|
|
"ctypes",
|
|
"pickle.load",
|
|
"pickle.loads",
|
|
"pickle.dump",
|
|
"pickle.dumps",
|
|
}
|
|
|
|
def __init__(self):
|
|
self.unsafe_items: List[Tuple[str, int]] = []
|
|
|
|
def visit_Import(self, node: ast.Import):
|
|
"""Check for dangerous imports."""
|
|
for alias in node.names:
|
|
if alias.name.split(".")[0] in self.DANGEROUS_IMPORTS:
|
|
self.unsafe_items.append((f"Import: {alias.name}", node.lineno))
|
|
self.generic_visit(node)
|
|
|
|
def visit_ImportFrom(self, node: ast.ImportFrom):
|
|
"""Check for dangerous imports from specific modules."""
|
|
if node.module and node.module.split(".")[0] in self.DANGEROUS_IMPORTS:
|
|
self.unsafe_items.append((f"From Import: {node.module}", node.lineno))
|
|
self.generic_visit(node)
|
|
|
|
def visit_Call(self, node: ast.Call):
|
|
"""Check for dangerous function calls."""
|
|
if isinstance(node.func, ast.Name) and node.func.id in self.DANGEROUS_CALLS:
|
|
self.unsafe_items.append((f"Call: {node.func.id}", node.lineno))
|
|
self.generic_visit(node)
|
|
|
|
def visit_Attribute(self, node: ast.Attribute):
|
|
"""Check for dangerous attribute access."""
|
|
if isinstance(node.value, ast.Name) and node.value.id in self.DANGEROUS_IMPORTS:
|
|
self.unsafe_items.append((f"Attribute Access: {node.value.id}.{node.attr}", node.lineno))
|
|
self.generic_visit(node)
|
|
|
|
def visit_BinOp(self, node: ast.BinOp):
|
|
"""Check for possible unsafe operations like concatenating strings with commands."""
|
|
# This could be useful to detect `eval("os." + "system")`
|
|
if isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant):
|
|
self.unsafe_items.append(("Possible unsafe string concatenation", node.lineno))
|
|
self.generic_visit(node)
|
|
|
|
def visit_FunctionDef(self, node: ast.FunctionDef):
|
|
"""Check for dangerous function definitions (e.g., user-defined eval)."""
|
|
if node.name in self.DANGEROUS_CALLS:
|
|
self.unsafe_items.append((f"Function Definition: {node.name}", node.lineno))
|
|
self.generic_visit(node)
|
|
|
|
def visit_Assign(self, node: ast.Assign):
|
|
"""Check for assignments to variables that might lead to dangerous operations."""
|
|
for target in node.targets:
|
|
if isinstance(target, ast.Name) and target.id in self.DANGEROUS_CALLS:
|
|
self.unsafe_items.append((f"Assignment to dangerous variable: {target.id}", node.lineno))
|
|
self.generic_visit(node)
|
|
|
|
def visit_Lambda(self, node: ast.Lambda):
|
|
"""Check for lambda functions with dangerous operations."""
|
|
if isinstance(node.body, ast.Call) and isinstance(node.body.func, ast.Name) and node.body.func.id in self.DANGEROUS_CALLS:
|
|
self.unsafe_items.append(("Lambda with dangerous function call", node.lineno))
|
|
self.generic_visit(node)
|
|
|
|
def visit_ListComp(self, node: ast.ListComp):
|
|
"""Check for list comprehensions with dangerous operations."""
|
|
# First, visit the generators to check for any issues there
|
|
for elem in node.generators:
|
|
if isinstance(elem, ast.comprehension):
|
|
self.generic_visit(elem)
|
|
|
|
if isinstance(node.elt, ast.Call) and isinstance(node.elt.func, ast.Name) and node.elt.func.id in self.DANGEROUS_CALLS:
|
|
self.unsafe_items.append(("List comprehension with dangerous function call", node.lineno))
|
|
self.generic_visit(node)
|
|
|
|
def visit_DictComp(self, node: ast.DictComp):
|
|
"""Check for dictionary comprehensions with dangerous operations."""
|
|
# Check for dangerous calls in both the key and value expressions of the dictionary comprehension
|
|
if isinstance(node.key, ast.Call) and isinstance(node.key.func, ast.Name) and node.key.func.id in self.DANGEROUS_CALLS:
|
|
self.unsafe_items.append(("Dict comprehension with dangerous function call in key", node.lineno))
|
|
|
|
if isinstance(node.value, ast.Call) and isinstance(node.value.func, ast.Name) and node.value.func.id in self.DANGEROUS_CALLS:
|
|
self.unsafe_items.append(("Dict comprehension with dangerous function call in value", node.lineno))
|
|
|
|
# Visit other sub-nodes (e.g., the generators in the comprehension)
|
|
self.generic_visit(node)
|
|
|
|
def visit_SetComp(self, node: ast.SetComp):
|
|
"""Check for set comprehensions with dangerous operations."""
|
|
for elt in node.generators:
|
|
if isinstance(elt, ast.comprehension):
|
|
self.generic_visit(elt)
|
|
|
|
if isinstance(node.elt, ast.Call) and isinstance(node.elt.func, ast.Name) and node.elt.func.id in self.DANGEROUS_CALLS:
|
|
self.unsafe_items.append(("Set comprehension with dangerous function call", node.lineno))
|
|
|
|
self.generic_visit(node)
|
|
|
|
def visit_Yield(self, node: ast.Yield):
|
|
"""Check for yield statements that could be used to produce unsafe values."""
|
|
if isinstance(node.value, ast.Call) and isinstance(node.value.func, ast.Name) and node.value.func.id in self.DANGEROUS_CALLS:
|
|
self.unsafe_items.append(("Yield with dangerous function call", node.lineno))
|
|
self.generic_visit(node)
|
|
|
|
|
|
def analyze_code_security(code: str, language: SupportLanguage) -> Tuple[bool, List[Tuple[str, int]]]:
|
|
"""
|
|
Analyze the provided code string and return whether it's safe and why.
|
|
|
|
:param code: The source code to analyze.
|
|
:param language: The programming language of the code.
|
|
:return: (is_safe: bool, issues: List of (description, line number))
|
|
"""
|
|
if language == SupportLanguage.PYTHON:
|
|
try:
|
|
tree = ast.parse(code)
|
|
analyzer = SecurePythonAnalyzer()
|
|
analyzer.visit(tree)
|
|
return len(analyzer.unsafe_items) == 0, analyzer.unsafe_items
|
|
except Exception as e:
|
|
logger.error(f"[SafeCheck] Python parsing failed: {str(e)}")
|
|
return False, [(f"Parsing Error: {str(e)}", -1)]
|
|
else:
|
|
logger.warning(f"[SafeCheck] Unsupported language for security analysis: {language} — defaulting to SAFE (manual review recommended)")
|
|
return True, [(f"Unsupported language for security analysis: {language} — defaulted to SAFE, manual review recommended", -1)]
|