mirror of
https://gitee.com/wanwujie/deer-flow
synced 2026-04-27 07:44:48 +08:00
feac03ecbc
* fix(harness): allow agent read access to /mnt/skills in local sandbox Skill files under /mnt/skills/ were blocked by the path validator, preventing agents from reading skill definitions. This change: - Refactors `resolve_local_tool_path` into `validate_local_tool_path`, a pure security gate that no longer resolves paths (left to the sandbox) - Permits read-only access to the skills container path (/mnt/skills by default, configurable via config.skills.container_path) - Blocks write access to skills paths (PermissionError) - Allows /mnt/skills in bash command path validation - Adds `LocalSandbox.update_path_mappings` and injects per-thread user-data mappings into the sandbox so all virtual-path resolution is handled uniformly by the sandbox layer - Covers all new behaviour with tests Fixes #1177 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * refactor(sandbox): unify all virtual path resolution in tools.py Move skills path resolution from LocalSandbox into tools.py so that all virtual-to-host path translation (user-data and skills) lives in one layer. LocalSandbox becomes a pure execution layer that receives only real host paths — no more path_mappings, _resolve_path, or reverse resolve logic. This addresses architecture feedback that path resolution was split across two layers (tools.py for user-data, LocalSandbox for skills), making the flow hard to follow. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(sandbox): address Copilot review — cache-on-success and error path masking - Replace @lru_cache with manual cache-on-success for _get_skills_container_path and _get_skills_host_path so transient failures at startup don't permanently disable skills access. - Add _sanitize_error() helper that masks host filesystem paths in error messages via mask_local_paths_in_output before returning them to the agent. - Apply _sanitize_error() to all catch-all (Exception/OSError) handlers in sandbox tool functions to prevent host path leakage in error output. - Remove unused lru_cache import. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
73 lines
2.3 KiB
Python
73 lines
2.3 KiB
Python
import os
|
|
import shutil
|
|
import subprocess
|
|
|
|
from deerflow.sandbox.local.list_dir import list_dir
|
|
from deerflow.sandbox.sandbox import Sandbox
|
|
|
|
|
|
class LocalSandbox(Sandbox):
|
|
def __init__(self, id: str):
|
|
"""
|
|
Initialize local sandbox.
|
|
|
|
Args:
|
|
id: Sandbox identifier
|
|
"""
|
|
super().__init__(id)
|
|
|
|
@staticmethod
|
|
def _get_shell() -> str:
|
|
"""Detect available shell executable with fallback.
|
|
|
|
Returns the first available shell in order of preference:
|
|
/bin/zsh → /bin/bash → /bin/sh → first `sh` found on PATH.
|
|
Raises a RuntimeError if no suitable shell is found.
|
|
"""
|
|
for shell in ("/bin/zsh", "/bin/bash", "/bin/sh"):
|
|
if os.path.isfile(shell) and os.access(shell, os.X_OK):
|
|
return shell
|
|
shell_from_path = shutil.which("sh")
|
|
if shell_from_path is not None:
|
|
return shell_from_path
|
|
raise RuntimeError("No suitable shell executable found. Tried /bin/zsh, /bin/bash, /bin/sh, and `sh` on PATH.")
|
|
|
|
def execute_command(self, command: str) -> str:
|
|
result = subprocess.run(
|
|
command,
|
|
executable=self._get_shell(),
|
|
shell=True,
|
|
capture_output=True,
|
|
text=True,
|
|
timeout=600,
|
|
)
|
|
output = result.stdout
|
|
if result.stderr:
|
|
output += f"\nStd Error:\n{result.stderr}" if output else result.stderr
|
|
if result.returncode != 0:
|
|
output += f"\nExit Code: {result.returncode}"
|
|
|
|
return output if output else "(no output)"
|
|
|
|
def list_dir(self, path: str, max_depth=2) -> list[str]:
|
|
return list_dir(path, max_depth)
|
|
|
|
def read_file(self, path: str) -> str:
|
|
with open(path, encoding="utf-8") as f:
|
|
return f.read()
|
|
|
|
def write_file(self, path: str, content: str, append: bool = False) -> None:
|
|
dir_path = os.path.dirname(path)
|
|
if dir_path:
|
|
os.makedirs(dir_path, exist_ok=True)
|
|
mode = "a" if append else "w"
|
|
with open(path, mode, encoding="utf-8") as f:
|
|
f.write(content)
|
|
|
|
def update_file(self, path: str, content: bytes) -> None:
|
|
dir_path = os.path.dirname(path)
|
|
if dir_path:
|
|
os.makedirs(dir_path, exist_ok=True)
|
|
with open(path, "wb") as f:
|
|
f.write(content)
|