From e28cce1636ee2829a0dfa0a40f1b558e82ff0add Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 17 Nov 2025 15:17:28 +0000 Subject: [PATCH] Update documentation with subprocess protection details Co-authored-by: whyour <22700758+whyour@users.noreply.github.com> --- IMPLEMENTATION_SUMMARY.md | 9 +++++++++ SECURITY.md | 14 +++++++++++--- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/IMPLEMENTATION_SUMMARY.md b/IMPLEMENTATION_SUMMARY.md index b9962d5b..de88f2fe 100644 --- a/IMPLEMENTATION_SUMMARY.md +++ b/IMPLEMENTATION_SUMMARY.md @@ -23,6 +23,8 @@ Implemented a filesystem sandbox that intercepts file operations and blocks unau - Wraps all fs module write methods (writeFile, appendFile, mkdir, unlink, etc.) - Wraps fs.promises API - Wraps fs.createWriteStream +- **Wraps child_process module** (spawn, exec, execSync, fork, etc.) to prevent subprocess bypass +- Automatically injects NODE_OPTIONS into subprocess environments - Prevents module require bypass by wrapping Module.prototype.require - Returns EACCES error with security message for blocked operations @@ -31,6 +33,8 @@ Implemented a filesystem sandbox that intercepts file operations and blocks unau - Wraps os module functions (remove, mkdir, rename, chmod, etc.) - Wraps shutil operations (rmtree, copy, move, etc.) - Wraps pathlib.Path methods (write_text, mkdir, unlink, etc.) +- **Wraps subprocess module** (Popen, run, call, check_call, etc.) to prevent subprocess bypass +- Automatically injects PYTHONPATH into subprocess environments - Raises PermissionError with security message for blocked operations #### 3. Integration 
@@ -38,6 +42,11 @@ Implemented a filesystem sandbox that intercepts file operations and blocks unau - Updated `shell/preload/sitecustomize.py` to load Python sandbox first - Sandboxes are loaded before any user code executes +#### 4. Subprocess Protection +- Scripts cannot bypass the sandbox by spawning `node` or `python3` subprocesses +- All child processes automatically inherit the sandbox through environment variables +- Prevents common bypass attempts like `execSync('node malicious.js')` + ### Protected Directories Scripts CANNOT write to: - `/back` - Backend application code diff --git a/SECURITY.md b/SECURITY.md index 72409330..e3e6c62d 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -41,9 +41,17 @@ QL_DISABLE_SANDBOX=true ### How It Works -The sandbox works by intercepting filesystem operations in Node.js and Python scripts: +The sandbox works by intercepting filesystem operations and subprocess executions in Node.js and Python scripts: -- **Node.js**: The sandbox wraps the `fs` module and its methods (`writeFile`, `appendFile`, `mkdir`, `rmdir`, `unlink`, etc.) -- **Python**: The sandbox wraps `builtins.open()`, `os` module functions, `shutil` operations, and `pathlib.Path` methods +- **Node.js**: + - Wraps the `fs` module and its methods (`writeFile`, `appendFile`, `mkdir`, `rmdir`, `unlink`, etc.) + - Wraps the `child_process` module (spawn, exec, execSync, etc.) to prevent sandbox bypass via subprocesses + - Automatically injects NODE_OPTIONS into all spawned subprocesses +- **Python**: + - Wraps `builtins.open()`, `os` module functions, `shutil` operations, and `pathlib.Path` methods + - Wraps `subprocess` module functions (Popen, run, call, etc.) to prevent sandbox bypass + - Automatically injects PYTHONPATH into all spawned subprocesses When a script attempts to write to a protected path, the operation is blocked with a `PermissionError` (Python) or `EACCES` error (Node.js). + +**Subprocess Protection**: The sandbox also prevents scripts from bypassing restrictions by spawning `node` or `python3` subprocesses. All spawned subprocesses automatically inherit the sandbox, ensuring consistent protection.
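Review bot: In the Node.js hunk of IMPLEMENTATION_SUMMARY.md (@@ -23,6 +23,8 @@), the added bullet "Wraps child_process module (spawn, exec, execSync, fork, etc.)" ends in "etc.", so a reader cannot tell from the document which entry points are actually covered. Suggest listing every wrapped function by name, and extending the NODE_OPTIONS bullet to say whether a value the caller has already set is preserved or replaced when the sandbox option is injected.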
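Review bot: In the Python hunk of IMPLEMENTATION_SUMMARY.md (@@ -31,6 +33,8 @@), the bullet "Automatically injects PYTHONPATH into subprocess environments" does not say what is injected or how it combines with a PYTHONPATH the script already relies on. Suggest naming the directory that is added and stating whether it is prepended to the existing value or overwrites it, since overwriting would change import behaviour for scripts that set their own PYTHONPATH.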
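Review bot: The new "4. Subprocess Protection" section (@@ -38,6 +42,11 @@) states its guarantee at three different strengths: "Scripts cannot bypass the sandbox by spawning `node` or `python3` subprocesses" and "All child processes automatically inherit the sandbox" are absolute, while the third bullet only claims "Prevents common bypass attempts". The mechanism given is environment variables, which take effect in `node` and `python3` children, so suggest narrowing "All child processes" to those interpreters and wording the first bullet to match the scope of the third.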
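Review bot: In the SECURITY.md hunk (@@ -41,9 +41,17 @@), the new nested bullets format identifiers inconsistently: the `fs` methods are in backticks (`writeFile`, `appendFile`), but "(spawn, exec, execSync, etc.)", "(Popen, run, call, etc.)", NODE_OPTIONS and PYTHONPATH are not. Suggest putting all of them in backticks. The closing "**Subprocess Protection**" paragraph also repeats what the two new subprocess bullets already say; consider keeping one of the two, and adding a sentence on what error, if any, a script sees from a wrapped subprocess call, as the preceding paragraph does for blocked writes.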