1111

pkg/plugin/script/js.go

@@ -20,6 +20,7 @@ type JSPlugin struct {
 	vm       *goja.Runtime
 	metadata plugin.Metadata
 	config   map[string]string
+	sandbox  *Sandbox
 	running  bool
 	mu       sync.Mutex
 }
@@ -27,9 +28,10 @@ type JSPlugin struct {
 // NewJSPlugin 从 JS 源码创建插件
 func NewJSPlugin(name, source string) (*JSPlugin, error) {
 	p := &JSPlugin{
-		name:   name,
-		source: source,
-		vm:     goja.New(),
+		name:    name,
+		source:  source,
+		vm:      goja.New(),
+		sandbox: DefaultSandbox(),
 	}
 
 	if err := p.init(); err != nil {
@@ -39,6 +41,11 @@ func NewJSPlugin(name, source string) (*JSPlugin, error) {
 	return p, nil
 }
 
+// SetSandbox 设置沙箱配置
+func (p *JSPlugin) SetSandbox(sandbox *Sandbox) {
+	p.sandbox = sandbox
+}
+
 // init 初始化 JS 运行时
 func (p *JSPlugin) init() error {
 	// 注入基础 API
@@ -231,22 +238,50 @@ func (p *JSPlugin) createFsAPI() map[string]interface{} {
 	}
 }
 
-func (p *JSPlugin) fsReadFile(path string) string {
+func (p *JSPlugin) fsReadFile(path string) map[string]interface{} {
+	if err := p.sandbox.ValidateReadPath(path); err != nil {
+		return map[string]interface{}{"error": err.Error(), "data": ""}
+	}
+
+	info, err := os.Stat(path)
+	if err != nil {
+		return map[string]interface{}{"error": err.Error(), "data": ""}
+	}
+	if info.Size() > p.sandbox.MaxReadSize {
+		return map[string]interface{}{"error": "file too large", "data": ""}
+	}
+
 	data, err := os.ReadFile(path)
 	if err != nil {
-		return ""
+		return map[string]interface{}{"error": err.Error(), "data": ""}
 	}
-	return string(data)
+	return map[string]interface{}{"error": "", "data": string(data)}
 }
 
-func (p *JSPlugin) fsWriteFile(path, content string) bool {
-	return os.WriteFile(path, []byte(content), 0644) == nil
+func (p *JSPlugin) fsWriteFile(path, content string) map[string]interface{} {
+	if err := p.sandbox.ValidateWritePath(path); err != nil {
+		return map[string]interface{}{"error": err.Error(), "ok": false}
+	}
+
+	if int64(len(content)) > p.sandbox.MaxWriteSize {
+		return map[string]interface{}{"error": "content too large", "ok": false}
+	}
+
+	err := os.WriteFile(path, []byte(content), 0644)
+	if err != nil {
+		return map[string]interface{}{"error": err.Error(), "ok": false}
+	}
+	return map[string]interface{}{"error": "", "ok": true}
 }
 
-func (p *JSPlugin) fsReadDir(path string) []map[string]interface{} {
+func (p *JSPlugin) fsReadDir(path string) map[string]interface{} {
+	if err := p.sandbox.ValidateReadPath(path); err != nil {
+		return map[string]interface{}{"error": err.Error(), "entries": nil}
+	}
+
 	entries, err := os.ReadDir(path)
 	if err != nil {
-		return nil
+		return map[string]interface{}{"error": err.Error(), "entries": nil}
 	}
 	var result []map[string]interface{}
 	for _, e := range entries {
@@ -257,15 +292,20 @@ func (p *JSPlugin) fsReadDir(path string) []map[string]interface{} {
 			"size":  info.Size(),
 		})
 	}
-	return result
+	return map[string]interface{}{"error": "", "entries": result}
 }
 
 func (p *JSPlugin) fsStat(path string) map[string]interface{} {
+	if err := p.sandbox.ValidateReadPath(path); err != nil {
+		return map[string]interface{}{"error": err.Error()}
+	}
+
 	info, err := os.Stat(path)
 	if err != nil {
-		return nil
+		return map[string]interface{}{"error": err.Error()}
 	}
 	return map[string]interface{}{
+		"error":   "",
 		"name":    info.Name(),
 		"size":    info.Size(),
 		"isDir":   info.IsDir(),
@@ -273,17 +313,34 @@ func (p *JSPlugin) fsStat(path string) map[string]interface{} {
 	}
 }
 
-func (p *JSPlugin) fsExists(path string) bool {
+func (p *JSPlugin) fsExists(path string) map[string]interface{} {
+	if err := p.sandbox.ValidateReadPath(path); err != nil {
+		return map[string]interface{}{"error": err.Error(), "exists": false}
+	}
 	_, err := os.Stat(path)
-	return err == nil
+	return map[string]interface{}{"error": "", "exists": err == nil}
 }
 
-func (p *JSPlugin) fsMkdir(path string) bool {
-	return os.MkdirAll(path, 0755) == nil
+func (p *JSPlugin) fsMkdir(path string) map[string]interface{} {
+	if err := p.sandbox.ValidateWritePath(path); err != nil {
+		return map[string]interface{}{"error": err.Error(), "ok": false}
+	}
+	err := os.MkdirAll(path, 0755)
+	if err != nil {
+		return map[string]interface{}{"error": err.Error(), "ok": false}
+	}
+	return map[string]interface{}{"error": "", "ok": true}
 }
 
-func (p *JSPlugin) fsRemove(path string) bool {
-	return os.RemoveAll(path) == nil
+func (p *JSPlugin) fsRemove(path string) map[string]interface{} {
+	if err := p.sandbox.ValidateWritePath(path); err != nil {
+		return map[string]interface{}{"error": err.Error(), "ok": false}
+	}
+	err := os.RemoveAll(path)
+	if err != nil {
+		return map[string]interface{}{"error": err.Error(), "ok": false}
+	}
+	return map[string]interface{}{"error": "", "ok": true}
 }
 
 // =============================================================================

pkg/plugin/script/sandbox.go

@@ -0,0 +1,155 @@
+package script
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+// Sandbox 插件沙箱配置
+type Sandbox struct {
+	// 允许访问的路径列表（绝对路径）
+	AllowedPaths []string
+	// 允许写入的路径列表（必须是 AllowedPaths 的子集）
+	WritablePaths []string
+	// 禁止访问的路径（黑名单，优先级高于白名单）
+	DeniedPaths []string
+	// 是否允许网络访问
+	AllowNetwork bool
+	// 最大文件读取大小 (bytes)
+	MaxReadSize int64
+	// 最大文件写入大小 (bytes)
+	MaxWriteSize int64
+}
+
+// DefaultSandbox 返回默认沙箱配置（最小权限）
+func DefaultSandbox() *Sandbox {
+	return &Sandbox{
+		AllowedPaths:  []string{},
+		WritablePaths: []string{},
+		DeniedPaths:   defaultDeniedPaths(),
+		AllowNetwork:  false,
+		MaxReadSize:   10 * 1024 * 1024,  // 10MB
+		MaxWriteSize:  1 * 1024 * 1024,   // 1MB
+	}
+}
+
+// defaultDeniedPaths 返回默认禁止访问的路径
+func defaultDeniedPaths() []string {
+	home, _ := os.UserHomeDir()
+	denied := []string{
+		"/etc/passwd",
+		"/etc/shadow",
+		"/etc/sudoers",
+		"/root",
+		"/.ssh",
+		"/.gnupg",
+		"/.aws",
+		"/.kube",
+		"/proc",
+		"/sys",
+	}
+	if home != "" {
+		denied = append(denied,
+			filepath.Join(home, ".ssh"),
+			filepath.Join(home, ".gnupg"),
+			filepath.Join(home, ".aws"),
+			filepath.Join(home, ".kube"),
+			filepath.Join(home, ".config"),
+			filepath.Join(home, ".local"),
+		)
+	}
+	return denied
+}
+
+// ValidateReadPath 验证读取路径是否允许
+func (s *Sandbox) ValidateReadPath(path string) error {
+	return s.validatePath(path, false)
+}
+
+// ValidateWritePath 验证写入路径是否允许
+func (s *Sandbox) ValidateWritePath(path string) error {
+	return s.validatePath(path, true)
+}
+
+func (s *Sandbox) validatePath(path string, write bool) error {
+	// 清理路径，防止路径遍历攻击
+	cleanPath, err := s.cleanPath(path)
+	if err != nil {
+		return err
+	}
+
+	// 检查黑名单（优先级最高）
+	if s.isDenied(cleanPath) {
+		return fmt.Errorf("access denied: path is in denied list")
+	}
+
+	// 检查白名单
+	allowedList := s.AllowedPaths
+	if write {
+		allowedList = s.WritablePaths
+	}
+
+	if len(allowedList) == 0 {
+		return fmt.Errorf("access denied: no paths allowed")
+	}
+
+	if !s.isAllowed(cleanPath, allowedList) {
+		if write {
+			return fmt.Errorf("access denied: path not in writable list")
+		}
+		return fmt.Errorf("access denied: path not in allowed list")
+	}
+
+	return nil
+}
+
+// cleanPath 清理并验证路径
+func (s *Sandbox) cleanPath(path string) (string, error) {
+	// 转换为绝对路径
+	absPath, err := filepath.Abs(path)
+	if err != nil {
+		return "", fmt.Errorf("invalid path: %w", err)
+	}
+
+	// 清理路径（解析 .. 和 .）
+	cleanPath := filepath.Clean(absPath)
+
+	// 检查符号链接（防止通过符号链接绕过限制）
+	realPath, err := filepath.EvalSymlinks(cleanPath)
+	if err != nil {
+		// 文件可能不存在，使用清理后的路径
+		if !os.IsNotExist(err) {
+			return "", fmt.Errorf("invalid path: %w", err)
+		}
+		realPath = cleanPath
+	}
+
+	// 再次检查路径遍历
+	if strings.Contains(realPath, "..") {
+		return "", fmt.Errorf("path traversal detected")
+	}
+
+	return realPath, nil
+}
+
+// isDenied 检查路径是否在黑名单中
+func (s *Sandbox) isDenied(path string) bool {
+	for _, denied := range s.DeniedPaths {
+		if strings.HasPrefix(path, denied) || path == denied {
+			return true
+		}
+	}
+	return false
+}
+
+// isAllowed 检查路径是否在白名单中
+func (s *Sandbox) isAllowed(path string, allowedList []string) bool {
+	for _, allowed := range allowedList {
+		if strings.HasPrefix(path, allowed) || path == allowed {
+			return true
+		}
+	}
+	return false
+}