Files
ragflow/agent/sandbox/tests/test_security.py

106 lines
3.8 KiB
Python

#
# Copyright 2026 The InfiniFlow Authors. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
import sys
from pathlib import Path
EXECUTOR_MANAGER_ROOT = Path(__file__).resolve().parents[1] / "executor_manager"
if str(EXECUTOR_MANAGER_ROOT) not in sys.path:
sys.path.insert(0, str(EXECUTOR_MANAGER_ROOT))
from models.enums import SupportLanguage # noqa: E402
from services.security import analyze_code_security # noqa: E402
def test_javascript_child_process_is_rejected():
is_safe, issues = analyze_code_security(
"const cp = require('child_process'); async function main() { return 'ok'; }",
SupportLanguage.NODEJS,
)
assert is_safe is False
assert any("child_process" in issue for issue, _ in issues)
def test_javascript_eval_is_rejected():
is_safe, issues = analyze_code_security(
"async function main() { return eval('1+1'); }",
SupportLanguage.NODEJS,
)
assert is_safe is False
assert any("eval" in issue.lower() for issue, _ in issues)
def test_javascript_child_process_template_literal_is_rejected():
"""Template literal backticks bypass single/double-quote regex patterns."""
is_safe, issues = analyze_code_security(
"const cp = require(`child_process`); async function main() { return 'ok'; }",
SupportLanguage.NODEJS,
)
assert is_safe is False
assert any("child_process" in issue for issue, _ in issues)
def test_javascript_fs_template_literal_is_rejected():
is_safe, issues = analyze_code_security(
"const fs = require(`fs`); async function main() { return fs.readFileSync('/etc/passwd', 'utf8'); }",
SupportLanguage.NODEJS,
)
assert is_safe is False
assert any("fs" in issue for issue, _ in issues)
def test_python_builtins_import_is_rejected():
"""builtins module gives access to eval/exec and must be blocked."""
is_safe, issues = analyze_code_security(
"import builtins\ndef main():\n builtins.eval('1+1')",
SupportLanguage.PYTHON,
)
assert is_safe is False
# Pin the specific reason: rejection must come from the new ``builtins``
# entry in ``DANGEROUS_IMPORTS``, not from some unrelated parse error.
assert any("builtins" in issue for issue, _ in issues), f"expected an issue mentioning 'builtins', got {issues!r}"
def test_python_attribute_eval_call_is_rejected():
"""Attribute-style dangerous calls (builtins.eval) must be caught."""
is_safe, issues = analyze_code_security(
"import builtins\ndef main():\n builtins.exec('import os')",
SupportLanguage.PYTHON,
)
assert is_safe is False
# Pin the specific reason: rejection must come from the new
# ``ast.Attribute`` branch in ``visit_Call`` flagging the ``exec`` call,
# not from the ``import builtins`` line above. We assert ``exec`` is in at
# least one finding so the test fails if visit_Call's attribute branch is
# ever reverted.
assert any("exec" in issue for issue, _ in issues), f"expected an issue mentioning 'exec', got {issues!r}"
def test_javascript_safe_code_still_passes():
is_safe, issues = analyze_code_security(
"async function main(args) { return { answer: args.value ?? null }; }",
SupportLanguage.NODEJS,
)
assert is_safe is True
assert issues == []