fix(security): prevent Python import blacklist bypass in Code node #2701
Open
manusjs wants to merge 1 commit into
The validatePythonImports() function only parses 'import' and 'from X import' statements via regex, which is trivially bypassed using __import__(), eval(), exec(), open(), globals()['__builtins__'], and other dynamic code loading techniques.

This patch adds three layers of defense:

1. Runtime builtins restriction (primary fix): The Python execution template now injects a security preamble that patches __import__ with a hook enforcing the module blacklist at runtime, and replaces dangerous builtins (open, eval, exec, compile) with functions that raise PermissionError.

2. Expanded module blacklist: Added os, subprocess, sys, shutil, ctypes, importlib, signal, ssl, ftplib, smtplib, http, xmlrpc, socketserver, select, and selectors to pythonBuiltinBlacklist. These were previously missing, allowing 'import os' to pass validation without error.

3. Static bypass pattern detection (defense-in-depth): Added regex checks for __import__(), importlib.import_module(), globals()[], __subclasses__(), and __builtins__[] patterns to reject code early before execution.

Note: The proper long-term remediation is to require the sandbox runner (CodeRunnerType_Sandbox) for all deployments, as Python's introspection capabilities make static analysis fundamentally insufficient as a sole security boundary.

Fixes: GHSA-pfc8-gmgc-5pwq
Summary
Fixes GHSA-pfc8-gmgc-5pwq — Code Execution via Python Import Blacklist Bypass in Code Node.
The validatePythonImports() function only parses import and from X import statements via regex. This is trivially bypassed using:

- __import__('os')
- eval() / exec() with encoded payloads
- open() builtin (no import needed)
- globals()['__builtins__'].__import__('os')
- ().__class__.__bases__[0].__subclasses__() gadget chains

Changes

1. Runtime builtins restriction (primary fix)

File: backend/infra/coderunner/impl/direct/runner.go

The Python execution template now injects a security preamble that:

- Patches __import__ with a runtime hook enforcing the module blacklist (catches all dynamic import techniques)
- Replaces open(), eval(), exec(), compile(), breakpoint() with functions that raise PermissionError

2. Expanded module blacklist

File: backend/domain/workflow/internal/nodes/code/code.go

Added to pythonBuiltinBlacklist: os, subprocess, sys, shutil, ctypes, importlib, signal, ssl, ftplib, smtplib, http, xmlrpc, socketserver, select, selectors

These were previously missing — import os passed validation without any error.

3. Static bypass pattern detection (defense-in-depth)

Added regex detection for common bypass patterns (__import__(, importlib.import_module(, globals()[, __subclasses__(), __builtins__[) to reject code early with a clear error message.

Recommendation

This patch hardens the direct runner significantly, but the proper long-term fix is to require the sandbox runner (CodeRunnerType_Sandbox) for all deployments. Python's introspection capabilities make static analysis fundamentally insufficient as a sole security boundary. The sandbox runner already provides OS-level isolation.

Testing
Verified that all bypass techniques from the advisory (__import__, open(), eval+base64, globals()) are now blocked both at the static validation layer and at runtime.
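The runtime layer described in change 1, sketched as an added example (not code from this pull request or the project): a builtins namespace whose `__import__` enforces a module blacklist and whose `open`/`eval`/`exec`/`compile`/`breakpoint` raise `PermissionError`. The names `restricted_builtins`, `run_user_code`, the shortened `BLOCKED_MODULES` set and the sample inputs are assumptions made for illustration.

```python
import builtins

# Assumed subset of the module blacklist named in the PR description.
BLOCKED_MODULES = {"os", "subprocess", "sys", "shutil", "ctypes", "importlib"}
BLOCKED_BUILTINS = ("open", "eval", "exec", "compile", "breakpoint")


def restricted_builtins():
    """Copy of builtins with a blacklist-enforcing __import__ and denied calls."""
    real_import = builtins.__import__

    def guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
        # Compare the top-level package so "os.path" is treated as "os".
        if name.split(".")[0] in BLOCKED_MODULES:
            raise PermissionError(f"import of module '{name}' is not allowed")
        return real_import(name, globals, locals, fromlist, level)

    def deny(label):
        def denied(*args, **kwargs):
            raise PermissionError(f"builtin '{label}' is not allowed")
        return denied

    safe = dict(vars(builtins))
    safe["__import__"] = guarded_import
    for label in BLOCKED_BUILTINS:
        safe[label] = deny(label)
    return safe


def run_user_code(source):
    """Run source under the restricted builtins; return 'ok' or the denial."""
    namespace = {"__builtins__": restricted_builtins()}
    try:
        exec(compile(source, "<user_code>", "exec"), namespace)
    except PermissionError as err:
        return f"blocked: {err}"
    return "ok"


# Constructed inputs covering the techniques listed in the PR description.
SAMPLES = ["import math\nx = math.sqrt(4)", "import os", "from os import path",
           "__import__('os')", "eval('1+1')", "open('example.txt')"]

if __name__ == "__main__":
    for src in SAMPLES:
        print(f"{src!r:34} -> {run_user_code(src)}")
```

The hook only governs lookups that go through the builtins namespace, so it is hardening for the direct runner rather than an isolation boundary, consistent with the recommendation above to require the sandbox runner.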