Update documentation with subprocess protection details

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
copilot-swe-agent[bot] 2025-11-17 15:17:28 +00:00
parent 38d1f67301
commit e28cce1636
2 changed files with 20 additions and 3 deletions

@ -23,6 +23,8 @@ Implemented a filesystem sandbox that intercepts file operations and blocks unau
- Wraps all fs module write methods (writeFile, appendFile, mkdir, unlink, etc.)
- Wraps fs.promises API
- Wraps fs.createWriteStream
- **Wraps child_process module** (spawn, exec, execSync, fork, etc.) to prevent subprocess bypass
- Automatically injects NODE_OPTIONS into subprocess environments
- Prevents module require bypass by wrapping Module.prototype.require
- Returns EACCES error with security message for blocked operations
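Review bot: The `child_process` bullet ends its list with "etc.", so a reader cannot tell which entry points are actually wrapped. Please list them exactly (for example, whether `execFile`, `execFileSync` and `spawnSync` are included) so coverage can be audited against the module's API. The NODE_OPTIONS bullet should also say what happens when the caller passes its own `env` option: is the injected value merged with an existing NODE_OPTIONS, or does it replace it?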
@ -31,6 +33,8 @@ Implemented a filesystem sandbox that intercepts file operations and blocks unau
- Wraps os module functions (remove, mkdir, rename, chmod, etc.)
- Wraps shutil operations (rmtree, copy, move, etc.)
- Wraps pathlib.Path methods (write_text, mkdir, unlink, etc.)
- **Wraps subprocess module** (Popen, run, call, check_call, etc.) to prevent subprocess bypass
- Automatically injects PYTHONPATH into subprocess environments
- Raises PermissionError with security message for blocked operations
#### 3. Integration
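Review bot: The new `subprocess` bullet names Popen, run, call and check_call, but the `os` bullet three lines above it lists only filesystem functions (remove, mkdir, rename, chmod), so it is unclear whether the process-launching functions in `os` are wrapped as well. Please state that explicitly. The PYTHONPATH bullet should also say whether an existing PYTHONPATH is preserved (prepended to) or overwritten, since scripts that set their own PYTHONPATH would otherwise change behaviour.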
@ -38,6 +42,11 @@ Implemented a filesystem sandbox that intercepts file operations and blocks unau
- Updated `shell/preload/sitecustomize.py` to load Python sandbox first
- Sandboxes are loaded before any user code executes
#### 4. Subprocess Protection
- Scripts cannot bypass the sandbox by spawning `node` or `python3` subprocesses
- All child processes automatically inherit the sandbox through environment variables
- Prevents common bypass attempts like `execSync('node malicious.js')`
### Protected Directories
Scripts CANNOT write to:
- `/back` - Backend application code
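Review bot: "Scripts cannot bypass the sandbox" in the new section 4 is stronger than the mechanism in the next bullet supports: inheritance through environment variables applies to child `node` and `python3` interpreters, and nothing in this section covers other executables a script may launch. Suggest scoping the claim to those two interpreters and adding a short known-limitations line, so operators do not read this as an OS-level isolation boundary.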

@ -41,9 +41,17 @@ QL_DISABLE_SANDBOX=true
### How It Works
The sandbox works by intercepting filesystem operations in Node.js and Python scripts:
The sandbox works by intercepting filesystem operations and subprocess executions in Node.js and Python scripts:
- **Node.js**: The sandbox wraps the `fs` module and its methods (`writeFile`, `appendFile`, `mkdir`, `rmdir`, `unlink`, etc.)
- **Python**: The sandbox wraps `builtins.open()`, `os` module functions, `shutil` operations, and `pathlib.Path` methods
- **Node.js**:
- Wraps the `fs` module and its methods (`writeFile`, `appendFile`, `mkdir`, `rmdir`, `unlink`, etc.)
- Wraps the `child_process` module (spawn, exec, execSync, etc.) to prevent sandbox bypass via subprocesses
- Automatically injects NODE_OPTIONS into all spawned subprocesses
- **Python**:
- Wraps `builtins.open()`, `os` module functions, `shutil` operations, and `pathlib.Path` methods
- Wraps `subprocess` module functions (Popen, run, call, etc.) to prevent sandbox bypass
- Automatically injects PYTHONPATH into all spawned subprocesses
When a script attempts to write to a protected path, the operation is blocked with a `PermissionError` (Python) or `EACCES` error (Node.js).
**Subprocess Protection**: The sandbox also prevents scripts from bypassing restrictions by spawning `node` or `python3` subprocesses. All spawned subprocesses automatically inherit the sandbox, ensuring consistent protection.
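Review bot: The function lists in the new Node.js and Python bullets ("spawn, exec, execSync, etc." and "Popen, run, call, etc.") differ from the ones in the other changed file, which also name `fork` and `check_call`. Keep one authoritative list and reference it from both documents. The closing **Subprocess Protection** paragraph mostly repeats the new bullets; it would be more useful if it said whether spawning a subprocess can itself be refused or is always allowed with the sandbox attached, since the preceding sentence only describes the error for blocked writes.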