
feat: add tool script safety guard #113

Open · xyxhhhhh wants to merge 1 commit into trpc-group:main from xyxhhhhh:issue-90-tool-script-safety-guard

Conversation

xyxhhhhh commented Jul 2, 2026

Overview

Resolves #90

This PR implements the Tool Script Safety Guard, which performs security scanning, policy decisions, interception and auditing before a Tool / Skill / MCP Tool / CodeExecutor executes a script or command.

Main capabilities:

  • Static security scanning of Python scripts and Bash commands
  • Three decision types: allow / deny / needs_human_review
  • YAML policy configuration: allowlisted domains, allowed commands, forbidden paths, maximum timeout, maximum output size
  • Structured security report containing decision, risk level, rule id, evidence and recommendation
  • JSONL audit events that monitoring systems can consume
  • Reserved OpenTelemetry-compatible tool.safety.* attributes
  • CLI, Filter, Wrapper, examples and automated tests
  • Opt-in integration in BashToolUnsafeLocalCodeExecutor that leaves the historical default behaviour unchanged
  • 31 runnable samples covering the main risk types required by the issue

Risk coverage

Risk types covered:

  • Dangerous file operations: recursive deletion, overwriting system paths, access to .env, ~/.ssh and credential files, etc.
  • Outbound network access: curl, wget, requests, aiohttp, socket, and access to non-allowlisted domains
  • Process and system commands: subprocess, os.system, shell pipes, command substitution, background processes, privilege-escalation commands, etc.
  • Dependency installation: pip install, python -m pip install, npm install, apt install
  • Resource abuse: infinite loops, fork bombs, long sleeps, timeout and output-size policy checks, etc.
  • Sensitive information leakage: API keys, tokens, passwords and private key contents being printed or transmitted, etc.

Compatibility

Integration into the core execution path is opt-in, so existing default behaviour is not broken.

BashToolUnsafeLocalCodeExecutor keeps its original execution logic by default. Users can explicitly enable security scanning via the parameter enable_safety_guard=True.

Once enabled:

  • deny blocks the script or command before execution
  • needs_human_review is by default only recorded in safety_report and does not block execution
  • For strict mode, set block_on_review=True

Verification

The tests related to this PR pass:

  • python -m pytest tests/tools/safety -q
  • python -m pytest tests/file_tools/test_bash_tool.py tests/code_executors/local/test_unsafe_local_code_executor.py tests/code_executors/test_local_unsafe_local_code_executor.py -q

It was also verified that all 31 public samples can be scanned and produce a structured report.

Documentation

Added examples/tool_safety/README.md, describing the rule system, policy configuration, CLI usage, Filter / Wrapper / core-path opt-in integration, report and audit log formats, OpenTelemetry fields, known limitations, and why static scanning cannot replace sandbox isolation.
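As an added illustration (not code from this PR or from the trpc-group project), the block below sketches a guard of the shape the description outlines: a small rule table, a `scan()` that aggregates matches into a structured report using the deny > needs_human_review > allow priority, a JSONL audit line carrying `tool.safety.*` attribute names, and an opt-in `guarded_run()` wrapper that mirrors the `enable_safety_guard` / `block_on_review` behaviour. Every rule id, regex, policy value and function name here is an assumption; the PR's real rule set and API are not visible on this page.

```python
"""Added example of a script safety guard; not the project's own code.
Rule ids, regexes, policy values and function names are assumptions."""
import json
import re
from dataclasses import dataclass, field

RISK_ORDER = {"low": 0, "medium": 1, "high": 2}

# Policy values are constructed for this example (hypothetical allowlist/denylist).
POLICY = {
    "allowed_domains": ["pypi.org", "api.internal.example"],
    "forbidden_paths": ["/etc/", "~/.ssh", ".env"],
    "max_timeout": 30,          # seconds, checked against an explicit timeout request
    "max_output_size": 65536,   # bytes, enforced by the executor, not by the static scan
}

# (rule_id, regex, risk, decision, recommendation). Ids and patterns are hypothetical.
RULES = [
    ("FS-001", r"\brm\s+-[a-z]*r[a-z]*\b|\bshutil\.rmtree\(", "high", "deny",
     "Recursive deletion is not allowed; delete explicit files instead."),
    ("PROC-001", r"\bsudo\b|\bsu\s+-\b", "high", "deny",
     "Privilege escalation is not allowed in tool scripts."),
    ("PROC-002", r"\|\s*(ba|z)?sh\b", "high", "deny",
     "Piping content into a shell is not allowed."),
    ("PROC-003", r"\bsubprocess\.|\bos\.system\(|\$\([^)]*\)", "medium", "needs_human_review",
     "Process spawning or command substitution; review the executed command."),
    ("NET-001", r"\b(curl|wget)\b|\brequests\.|\baiohttp\.|\bsocket\.", "medium", "needs_human_review",
     "Outbound network access; only allowlisted domains are permitted."),
    ("DEP-001", r"\b(pip3?|npm|apt(-get)?)\s+install\b|python3?\s+-m\s+pip\s+install", "medium",
     "needs_human_review", "Dependency installation should go through the approved environment."),
    ("RES-001", r":\(\)\s*\{\s*:\|:\s*&\s*\};\s*:|\bwhile\s+True\s*:", "high", "needs_human_review",
     "Possible unbounded resource use; add a termination condition."),
    ("SEC-001", r"(?i)\b(api[_-]?key|token|password|secret)\s*=\s*['\"][^'\"]{8,}['\"]", "high",
     "needs_human_review", "Hard-coded credential; load secrets from the environment instead."),
    ("SEC-002", r"-----BEGIN [A-Z ]*PRIVATE KEY-----", "high", "deny",
     "Private key material must not appear in tool scripts."),
]


@dataclass
class SafetyReport:
    decision: str = "allow"
    risk_level: str = "low"
    rule_ids: list = field(default_factory=list)
    evidence: list = field(default_factory=list)
    recommendation: list = field(default_factory=list)


def _record(report, rule_id, risk, decision, evidence, recommendation):
    """Append a finding and escalate decision/risk; deny always wins over review."""
    report.rule_ids.append(rule_id)
    report.evidence.append(evidence)
    report.recommendation.append(recommendation)
    if RISK_ORDER[risk] > RISK_ORDER[report.risk_level]:
        report.risk_level = risk
    if decision == "deny" or (decision == "needs_human_review" and report.decision == "allow"):
        report.decision = decision


def scan(script, policy=POLICY, requested_timeout=None):
    """Static scan of a Python or Bash snippet; returns a SafetyReport."""
    report = SafetyReport()
    for rule_id, pattern, risk, decision, rec in RULES:
        m = re.search(pattern, script)
        if m:
            _record(report, rule_id, risk, decision, m.group(0), rec)
    # Domain allowlist: any URL host outside the policy list is denied outright.
    for host in re.findall(r"https?://([^/\s'\"]+)", script):
        if host not in policy["allowed_domains"]:
            _record(report, "NET-002", "high", "deny", host, "Host is not on the domain allowlist.")
    # Forbidden paths are a plain substring check in this sketch.
    for path in policy["forbidden_paths"]:
        if path in script:
            _record(report, "FS-002", "high", "deny", path, "Access to a forbidden path.")
    if requested_timeout is not None and requested_timeout > policy["max_timeout"]:
        _record(report, "RES-002", "medium", "needs_human_review", f"timeout={requested_timeout}",
                f"Timeout exceeds the policy maximum of {policy['max_timeout']}s.")
    return report


def audit_event(tool_name, report):
    """One JSONL line; attribute names follow an assumed tool.safety.* convention."""
    event = {
        "tool.name": tool_name,
        "tool.safety.decision": report.decision,
        "tool.safety.risk_level": report.risk_level,
        "tool.safety.rule_ids": report.rule_ids,
        "tool.safety.evidence": report.evidence,
    }
    return json.dumps(event, sort_keys=True)


def guarded_run(command, executor, policy=POLICY, enable_safety_guard=False, block_on_review=False):
    """Opt-in wrapper around an executor callable: off by default, deny blocks,
    needs_human_review only blocks when block_on_review is set."""
    if not enable_safety_guard:
        return executor(command), None
    report = scan(command, policy)
    blocked = report.decision == "deny" or (
        block_on_review and report.decision == "needs_human_review")
    if blocked:
        return None, report
    return executor(command), report
```

Regex rules of this kind are easy to evade (base64-encoded payloads, variable expansion, `eval`), which is the practical reason the PR's README states that static scanning does not replace sandbox isolation: treat the guard as a policy and audit layer in front of an isolated executor, not as the isolation itself.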

codecov bot commented Jul 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@73655ab). Learn more about missing BASE report.

Additional details and impacted files
@@            Coverage Diff             @@
##             main        #113   +/-   ##
==========================================
  Coverage        ?   87.84235%           
==========================================
  Files           ?         442           
  Lines           ?       42245           
  Branches        ?           0           
==========================================
  Hits            ?       37109           
  Misses          ?        5136           
  Partials        ?           0           


github-actions bot commented Jul 2, 2026

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

xyxhhhhh force-pushed the issue-90-tool-script-safety-guard branch from ccf18ad to 8bc9647 (July 2, 2026 09:16)
xyxhhhhh (Author) commented Jul 2, 2026

I have read the CLA Document and I hereby sign the CLA

Rook1ex added a commit to trpc-group/cla-database that referenced this pull request Jul 2, 2026
xyxhhhhh force-pushed the issue-90-tool-script-safety-guard branch from 8bc9647 to 343a75c (July 2, 2026 10:25)

Labels: None yet

Projects: None yet

Development

Successfully merging this pull request may close these issues.

Build a Tool script safety scanner, Filter interception and monitoring mechanism

1 participant