Add security checking for the service function execute_shell_command (

#420)
modelscope · Aug 22, 2024 · a265d3f · a265d3f
1 parent 67e734d
commit a265d3f
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/src/agentscope/service/execute_code/exec_shell.py b/src/agentscope/service/execute_code/exec_shell.py
@@ -1,6 +1,9 @@
 # -*- coding: utf-8 -*-
 """Service to execute shell commands."""
 import subprocess
+
+from loguru import logger
+
 from agentscope.service.service_status import ServiceExecStatus
 from agentscope.service.service_response import ServiceResponse
 
@@ -26,6 +29,19 @@ def execute_shell_command(command: str) -> ServiceResponse:
         change/edit the files current directory (e.g. rm, sed).
     ...
     """
+
+    if any(_ in command for _ in execute_shell_command.insecure_commands):
+        logger.warning(
+            f"The command {command} is blocked for security reasons. "
+            f"If you want to enable the command, try to reset the "
+            f"insecure command list by executing "
+            f'`execute_shell_command.insecure_commands = ["xxx", "xxx"]`',
+        )
+        return ServiceResponse(
+            status=ServiceExecStatus.ERROR,
+            content=f"The command {command} is blocked for security reasons.",
+        )
+
     try:
         result = subprocess.run(
             command,
@@ -55,3 +71,19 @@ def execute_shell_command(command: str) -> ServiceResponse:
             status=ServiceExecStatus.ERROR,
             content=str(e),
         )
+
+
+# Security check: Block insecure commands
+execute_shell_command.insecure_commands = [
+    # System management
+    "shutdown",
+    "kill",
+    "reboot",
+    "pkill",
+    # User management
+    "useradd",
+    "userdel",
+    "usermod",
+    # File management
+    "rm -rf",
+]