Fix subprocess bypass by wrapping child_process and subprocess modules

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
2025-12-13 07:25:05 +08:00 · 2025-11-17 15:16:27 +00:00 · 2025-11-17 15:16:27 +00:00 · 38d1f67301
commit 38d1f67301
parent 68d06acf6c
2 changed files with 191 additions and 1 deletions
--- a/shell/preload/sandbox.js
+++ b/shell/preload/sandbox.js
@ -212,7 +212,112 @@ if (sandboxEnabled) {
  }
 }

-// Prevent requiring the original fs module to bypass sandbox
+// Wrap child_process to prevent sandbox bypass via subprocesses
+let childProcessWrapped = false;
+if (sandboxEnabled) {
+  // We need to get child_process before wrapping Module.prototype.require
+  const childProcess = require('child_process');
+  const originalSpawn = childProcess.spawn;
+  const originalExec = childProcess.exec;
+  const originalExecSync = childProcess.execSync;
+  const originalExecFile = childProcess.execFile;
+  const originalExecFileSync = childProcess.execFileSync;
+  const originalFork = childProcess.fork;
+
+  // Helper to ensure NODE_OPTIONS and PYTHONPATH are set for subprocesses
+  function ensureSandboxEnv(options = {}) {
+    const env = { ...process.env, ...options.env };
+    
+    // Ensure NODE_OPTIONS includes the sandbox
+    const sandboxPreload = path.join(__dirname, 'sandbox.js');
+    if (!env.NODE_OPTIONS) {
+      env.NODE_OPTIONS = '';
+    }
+    if (!env.NODE_OPTIONS.includes(sandboxPreload)) {
+      env.NODE_OPTIONS = `-r ${sandboxPreload} ${env.NODE_OPTIONS}`.trim();
+    }
+    
+    // Ensure PYTHONPATH includes the sandbox directory
+    if (!env.PYTHONPATH) {
+      env.PYTHONPATH = '';
+    }
+    if (!env.PYTHONPATH.includes(__dirname)) {
+      env.PYTHONPATH = `${__dirname}:${env.PYTHONPATH}`;
+    }
+    
+    return { ...options, env };
+  }
+
+  // Wrap spawn
+  childProcess.spawn = function(...args) {
+    if (args[2]) {
+      args[2] = ensureSandboxEnv(args[2]);
+    } else if (args.length >= 3) {
+      args[2] = ensureSandboxEnv({});
+    }
+    return originalSpawn.apply(childProcess, args);
+  };
+
+  // Wrap exec
+  childProcess.exec = function(...args) {
+    const callback = typeof args[args.length - 1] === 'function' ? args[args.length - 1] : undefined;
+    const optionsIndex = callback ? args.length - 2 : args.length - 1;
+    
+    if (args[optionsIndex] && typeof args[optionsIndex] === 'object') {
+      args[optionsIndex] = ensureSandboxEnv(args[optionsIndex]);
+    } else if (optionsIndex > 0) {
+      args.splice(optionsIndex, 0, ensureSandboxEnv({}));
+    }
+    return originalExec.apply(childProcess, args);
+  };
+
+  // Wrap execSync
+  childProcess.execSync = function(...args) {
+    if (args[1]) {
+      args[1] = ensureSandboxEnv(args[1]);
+    } else {
+      args[1] = ensureSandboxEnv({});
+    }
+    return originalExecSync.apply(childProcess, args);
+  };
+
+  // Wrap execFile
+  childProcess.execFile = function(...args) {
+    const callback = typeof args[args.length - 1] === 'function' ? args[args.length - 1] : undefined;
+    const optionsIndex = callback ? args.length - 2 : args.length - 1;
+    
+    if (args[optionsIndex] && typeof args[optionsIndex] === 'object') {
+      args[optionsIndex] = ensureSandboxEnv(args[optionsIndex]);
+    } else if (optionsIndex > 1) {
+      args.splice(optionsIndex, 0, ensureSandboxEnv({}));
+    }
+    return originalExecFile.apply(childProcess, args);
+  };
+
+  // Wrap execFileSync
+  childProcess.execFileSync = function(...args) {
+    if (args[2]) {
+      args[2] = ensureSandboxEnv(args[2]);
+    } else if (args.length >= 3) {
+      args[2] = ensureSandboxEnv({});
+    }
+    return originalExecFileSync.apply(childProcess, args);
+  };
+
+  // Wrap fork
+  childProcess.fork = function(...args) {
+    if (args[2]) {
+      args[2] = ensureSandboxEnv(args[2]);
+    } else if (args.length >= 3) {
+      args[2] = ensureSandboxEnv({});
+    }
+    return originalFork.apply(childProcess, args);
+  };
+  
+  childProcessWrapped = true;
+}
+
+// Prevent requiring the original fs or child_process modules to bypass sandbox
 const originalRequire = Module.prototype.require;
 Module.prototype.require = function(id) {
  const module = originalRequire.apply(this, arguments);
@ -222,6 +327,9 @@ Module.prototype.require = function(id) {
    return fs;
  }
  
+  // For child_process, we already wrapped it above, so just return it
+  // (no need to re-require as that would cause recursion)
+  
  return module;
 };

--- a/shell/preload/sandbox.py
+++ b/shell/preload/sandbox.py
@ -324,3 +324,85 @@ if sandbox_enabled:
        Path.chmod = sandboxed_path_chmod
    except:
        pass
+
+    # Wrap subprocess to prevent sandbox bypass via subprocesses
+    try:
+        import subprocess
+        
+        # Helper to ensure PYTHONPATH is set for subprocesses
+        def ensure_sandbox_env(env=None):
+            if env is None:
+                env = os.environ.copy()
+            else:
+                env = env.copy()
+            
+            # Ensure PYTHONPATH includes the sandbox directory
+            sandbox_dir = os.path.dirname(__file__)
+            if 'PYTHONPATH' not in env:
+                env['PYTHONPATH'] = ''
+            if sandbox_dir not in env['PYTHONPATH']:
+                env['PYTHONPATH'] = f"{sandbox_dir}:{env['PYTHONPATH']}"
+            
+            return env
+        
+        # Store original functions
+        original_popen = subprocess.Popen
+        original_run = subprocess.run
+        original_call = subprocess.call
+        original_check_call = subprocess.check_call
+        original_check_output = subprocess.check_output
+        
+        # Wrap Popen
+        class SandboxedPopen(subprocess.Popen):
+            def __init__(self, *args, **kwargs):
+                if 'env' in kwargs:
+                    kwargs['env'] = ensure_sandbox_env(kwargs['env'])
+                else:
+                    kwargs['env'] = ensure_sandbox_env()
+                original_popen.__init__(self, *args, **kwargs)
+        
+        subprocess.Popen = SandboxedPopen
+        
+        # Wrap run
+        def sandboxed_run(*args, **kwargs):
+            if 'env' in kwargs:
+                kwargs['env'] = ensure_sandbox_env(kwargs['env'])
+            else:
+                kwargs['env'] = ensure_sandbox_env()
+            return original_run(*args, **kwargs)
+        
+        subprocess.run = sandboxed_run
+        
+        # Wrap call
+        def sandboxed_call(*args, **kwargs):
+            if 'env' in kwargs:
+                kwargs['env'] = ensure_sandbox_env(kwargs['env'])
+            else:
+                kwargs['env'] = ensure_sandbox_env()
+            return original_call(*args, **kwargs)
+        
+        subprocess.call = sandboxed_call
+        
+        # Wrap check_call
+        def sandboxed_check_call(*args, **kwargs):
+            if 'env' in kwargs:
+                kwargs['env'] = ensure_sandbox_env(kwargs['env'])
+            else:
+                kwargs['env'] = ensure_sandbox_env()
+            return original_check_call(*args, **kwargs)
+        
+        subprocess.check_call = sandboxed_check_call
+        
+        # Wrap check_output
+        def sandboxed_check_output(*args, **kwargs):
+            if 'env' in kwargs:
+                kwargs['env'] = ensure_sandbox_env(kwargs['env'])
+            else:
+                kwargs['env'] = ensure_sandbox_env()
+            return original_check_output(*args, **kwargs)
+        
+        subprocess.check_output = sandboxed_check_output
+        
+    except ImportError:
+        pass
+