security(executor): 统一工具级审批 + env 白名单 + 结构化结果

P0-1 统一审批: 高风险工具在 spawn 前统一走审批,与后续消息类型
      (result/http/db) 无关,堵住 stdio→result 绕过审批的漏洞。
      移除 http/db 分支内重复审批(入口已授权)。
P0-4 env 白名单: spawn 前 cmd.env_clear(),仅注入 PATH + spec 声明
      的 env 变量,避免工具读取宿主全部 API key/数据库密码。
      tool_manager spec 补充 HOME/CARGO_HOME/RUSTUP_HOME 供 cargo 使用。
P1-10 结构化结果: 引入 ToolRunOutcome{Ok,Err{kind,message}} 与
      ToolErrorKind 枚举,executor/registry dispatch 返回结构化结果。
      daemon 与 CLI 据此判断成败,删除脆弱的 is_tool_error 字符串前缀
      匹配;失败时记录 kind 便于追踪。
This commit is contained in:
2026-06-22 10:47:01 +08:00
parent bf231352fb
commit 4f80e81b0b
5 changed files with 160 additions and 115 deletions
+121 -57
View File
@@ -5,7 +5,11 @@
//! - `{"type":"db",...}` — 请求数据库操作
//! - `{"type":"result","content":"..."}` — 最终结果
//!
//! 所有消息必须是合法 JSON。审批在 http/db 操作前处理。
//! 所有消息必须是合法 JSON。
//!
//! ## 安全边界(授权层)
//! **工具级审批在入口统一执行**:高风险工具在 spawn 之前必须获得用户确认,
//! 与工具后续输出的消息类型(result/http/db)无关 —— 杜绝 stdio→result 绕过。
use std::sync::Arc;
use std::time::Duration;
@@ -24,6 +28,59 @@ struct HttpResponse {
body: Value,
}
// ─── 结构化结果 ───
/// 工具执行错误类别(供调用方区分,替代字符串前缀匹配)
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ToolErrorKind {
SpawnFailed,
StdoutReadFailed,
StdoutTimeout,
ProcessTimeout,
ProcessAbnormal,
NonJsonOutput,
UnknownMessageType,
UnsupportedMethod,
HttpFailed,
ApprovalFailed,
ApprovalTimeout,
ApprovalRejected,
MaxRoundsExceeded,
UnknownTool,
MissingParams,
}
/// 工具执行返回值:成功带内容,失败带类别与消息
#[derive(Debug, Clone)]
pub enum ToolRunOutcome {
Ok(String),
Err {
kind: ToolErrorKind,
message: String,
},
}
impl ToolRunOutcome {
pub fn err(kind: ToolErrorKind, message: impl Into<String>) -> Self {
ToolRunOutcome::Err {
kind,
message: message.into(),
}
}
pub fn is_err(&self) -> bool {
matches!(self, ToolRunOutcome::Err { .. })
}
/// 取出最终展示给 LLM 的消息文本
pub fn into_message(self) -> String {
match self {
ToolRunOutcome::Ok(s) => s,
ToolRunOutcome::Err { message, .. } => message,
}
}
}
pub async fn execute_loop(
spec: &ToolSpec,
params: &Value,
@@ -36,11 +93,32 @@ pub async fn execute_loop(
+ Send
+ Sync
),
) -> String {
) -> ToolRunOutcome {
// ── 统一授权边界:高风险工具在 spawn 前必须通过用户审批 ──
// 不依赖后续消息类型,覆盖 stdio/http/db 所有路径
if spec.is_high_risk() && !approved {
let (code, rx) = match approval.create(user_id, &spec.name).await {
Ok((c, r)) => (c, r),
Err(e) => return ToolRunOutcome::err(ToolErrorKind::ApprovalFailed, format!("审批失败: {e}")),
};
wechat_send(
user_id,
&format!("⚠️ {}\n确认码: {}\n回复确认码继续,回复0取消", spec.desc, code),
)
.await;
match rx.await.unwrap_or(ApprovalDecision::Expired) {
ApprovalDecision::Approved => { /* 授权通过,继续执行 */ }
ApprovalDecision::Rejected => {
return ToolRunOutcome::err(ToolErrorKind::ApprovalRejected, "操作已被用户取消")
}
ApprovalDecision::Expired => {
return ToolRunOutcome::err(ToolErrorKind::ApprovalTimeout, "审批超时,操作已取消")
}
}
}
let start = std::time::Instant::now();
let binary_path = spec.path.as_deref().unwrap_or(&spec.tool);
const MAX_ROUNDS: u32 = 20;
let mut response: Option<HttpResponse> = None;
@@ -51,7 +129,10 @@ pub async fn execute_loop(
round += 1;
if round > MAX_ROUNDS {
error!(target: "ias::err", "[loop] 工具 '{}' 超过最大轮次 {}", spec.name, MAX_ROUNDS);
return format!("工具 '{}' 执行轮次过多(>{})", spec.name, MAX_ROUNDS);
return ToolRunOutcome::err(
ToolErrorKind::MaxRoundsExceeded,
format!("工具 '{}' 执行轮次过多(>{})", spec.name, MAX_ROUNDS),
);
}
// ── 信封 ──
@@ -69,7 +150,12 @@ pub async fn execute_loop(
if let Some(c) = &spec.command {
cmd.arg("--command").arg(c);
}
// 按工具 spec 定义的 env 列表,从当前进程环境推送对应变量
// 安全:清空继承环境,仅注入 PATH(子进程定位可执行)+ spec 声明的白名单变量
// 避免工具读取宿主全部 API key、数据库密码等敏感变量
cmd.env_clear();
if let Ok(path) = std::env::var("PATH") {
cmd.env("PATH", path);
}
for key in &spec.env {
match std::env::var(key) {
Ok(v) => {
@@ -89,7 +175,7 @@ pub async fn execute_loop(
Ok(c) => c,
Err(e) => {
error!(target: "ias::err","[spawn] {e}");
return format!("启动失败: {e}");
return ToolRunOutcome::err(ToolErrorKind::SpawnFailed, format!("启动失败: {e}"));
}
};
@@ -129,11 +215,14 @@ pub async fn execute_loop(
Ok(Ok(l)) => l,
Ok(Err(e)) => {
let _ = child.start_kill();
return format!("读取stdout失败: {e}");
return ToolRunOutcome::err(ToolErrorKind::StdoutReadFailed, format!("读取stdout失败: {e}"));
}
Err(_) => {
let _ = child.start_kill();
return format!("stdout超时({}s)", spec.timeout_secs);
return ToolRunOutcome::err(
ToolErrorKind::StdoutTimeout,
format!("stdout超时({}s)", spec.timeout_secs),
);
}
};
@@ -152,12 +241,15 @@ pub async fn execute_loop(
Ok(Ok(s)) => s,
Ok(Err(e)) => {
error!(target: "ias::err","[process] {e}");
return format!("进程异常: {e}");
return ToolRunOutcome::err(ToolErrorKind::ProcessAbnormal, format!("进程异常: {e}"));
}
Err(_) => {
let _ = child.start_kill();
error!(target: "ias::err","[timeout] {}s", spec.timeout_secs);
return format!("进程超时({}s)", spec.timeout_secs);
return ToolRunOutcome::err(
ToolErrorKind::ProcessTimeout,
format!("进程超时({}s)", spec.timeout_secs),
);
}
};
@@ -168,7 +260,10 @@ pub async fn execute_loop(
} else {
stderr_trimmed.to_string()
};
return format!("异常退出({}): {}", status.code().unwrap_or(-1), reason);
return ToolRunOutcome::err(
ToolErrorKind::ProcessAbnormal,
format!("异常退出({}): {}", status.code().unwrap_or(-1), reason),
);
}
// ── 解析 ──
@@ -177,7 +272,10 @@ pub async fn execute_loop(
Ok(v) => v,
Err(_) => {
warn!(target: "ias::err","[non-json] {:.100}", trimmed);
return format!("工具输出非JSON: {:.100}", trimmed);
return ToolRunOutcome::err(
ToolErrorKind::NonJsonOutput,
format!("工具输出非JSON: {:.100}", trimmed),
);
}
};
@@ -186,30 +284,11 @@ pub async fn execute_loop(
let content = msg["content"].as_str().unwrap_or("");
let elapsed = start.elapsed();
info!(target: "ias::tool", "[done] {} 完成, 耗时 {:?}, {} 轮", spec.name, elapsed, round);
return content.to_string();
return ToolRunOutcome::Ok(content.to_string());
}
Some("http") => {
let method = msg["method"].as_str().unwrap_or("GET");
let url = msg["url"].as_str().unwrap_or("");
let desc = msg["desc"].as_str().unwrap_or("");
if spec.is_high_risk() && !approved {
let (code, rx) = match approval.create(user_id, &spec.name).await {
Ok((c, r)) => (c, r),
Err(e) => return format!("审批失败: {e}"),
};
wechat_send(
user_id,
&format!("⚠️ {}\n确认码: {}\n回复确认码继续,回复0取消", desc, code),
)
.await;
let d = rx.await.unwrap_or(ApprovalDecision::Expired);
match d {
ApprovalDecision::Approved => { /* 继续执行 */ }
ApprovalDecision::Rejected => return "操作已被用户取消".to_string(),
ApprovalDecision::Expired => return "审批超时,操作已取消".to_string(),
}
}
let client = reqwest::Client::builder()
.timeout(Duration::from_secs(25))
@@ -227,7 +306,9 @@ pub async fn execute_loop(
.await
}
("POST", None) => client.post(url).send().await,
(o, _) => return format!("不支持的方法: {o}"),
(o, _) => {
return ToolRunOutcome::err(ToolErrorKind::UnsupportedMethod, format!("不支持的方法: {o}"))
}
};
match resp {
Ok(r) => {
@@ -237,32 +318,13 @@ pub async fn execute_loop(
}
Err(e) => {
error!(target: "ias::err","[http] {e}");
return format!("HTTP失败: {e}");
return ToolRunOutcome::err(ToolErrorKind::HttpFailed, format!("HTTP失败: {e}"));
}
}
}
Some("db") => {
let op = msg["operation"].as_str().unwrap_or("");
let op_params = msg.get("params").cloned().unwrap_or(Value::Null);
let desc = msg["desc"].as_str().unwrap_or(op);
if spec.is_high_risk() && !approved {
let (code, rx) = match approval.create(user_id, &spec.name).await {
Ok((c, r)) => (c, r),
Err(e) => return format!("审批失败: {e}"),
};
wechat_send(
user_id,
&format!("⚠️ {}\n确认码: {}\n回复确认码继续,回复0取消", desc, code),
)
.await;
let d = rx.await.unwrap_or(ApprovalDecision::Expired);
match d {
ApprovalDecision::Approved => { /* 继续执行 */ }
ApprovalDecision::Rejected => return "操作已被用户取消".to_string(),
ApprovalDecision::Expired => return "审批超时,操作已取消".to_string(),
}
}
let result = match op {
"read_memories" => memory.read_for(user_id, None).await,
@@ -271,8 +333,7 @@ pub async fn execute_loop(
if c.is_empty() {
"缺少 content".into()
} else {
let write_result = memory.write_for(user_id, c).await;
write_result
memory.write_for(user_id, c).await
}
}
"delete_memory" => {
@@ -290,7 +351,10 @@ pub async fn execute_loop(
}
_ => {
warn!(target: "ias::err","[unknown-type] {}", msg["type"]);
return format!("未知消息类型: {}", msg["type"]);
return ToolRunOutcome::err(
ToolErrorKind::UnknownMessageType,
format!("未知消息类型: {}", msg["type"]),
);
}
}
}