Simulate sandbox execution of bash code or python code.

[cangcang-zcr]

I'm trying to build an agent to execute some shell and python code locally as follows

from langchain import OpenAI, LLMBashChain

llm = OpenAI(temperature=0)
llm_bash_chain = LLMBashChain(llm=llm, verbose=True)
print(llm_bash_chain.prompt)

tools = load_tools(["python_repl", "terminal"])
agent = initialize_agent(tools, llm, agent="zero-shot-react-description", verbose=True)
agent.run("Delete a file in the local path.")

During the process, I find that there is still some possibility that it could generate erroneous code.And running this erroneous code directly on the local machine could pose risks and vulnerabilities.Therefore, I thought of setting up a sandbox environment based on Docker locally, to execute users' agent code, so as to avoid damage to local files or the system.

I tried to set up a web service in Docker to execute python code and provide feedback. The following is a simple demo operation process.

Before starting the operation, I have installed Docker and pulled the Python 3.10 image.

Create Dockerfile

FROM python:3.10

RUN pip install -i https://pypi.tuna.tsinghua.edu.cn/simple pip -U \
    && pip config set global.index-url https://pypi.tuna.tsinghua.edu.cn/simple

RUN pip install fastapi
RUN pip install uvicorn

COPY main.py /app/
WORKDIR /app

EXPOSE 8000
CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]

and I have set up a service in my project folder that can accept and execute code.

main.py

import sys
from fastapi import FastAPI, HTTPException
from pydantic import BaseModel
from typing import Any, Dict
import subprocess

app = FastAPI()


class CodeData(BaseModel):
    code: str
    code_type: str


@app.post("/execute", response_model=Dict[str, Any])
async def execute_code(code_data: CodeData):
    if code_data.code_type == "python":
        try:
            buffer = io.StringIO()
            sys.stdout = buffer
            exec(code_data.code)
            sys.stdout = sys.__stdout__
            exec_result = buffer.getvalue()

            return {"output": exec_result} if exec_result else {"message": "OK"}
        except Exception as e:
            raise HTTPException(status_code=400, detail=str(e))
    elif code_data.code_type == "shell":
        try:
            output = subprocess.check_output(code_data.code, stderr=subprocess.STDOUT, shell=True, text=True)
            return {"output": output.strip()} if output.strip() else {"message": "OK"}
        except subprocess.CalledProcessError as e:
            raise HTTPException(status_code=400, detail=str(e.output))

    else:
        raise HTTPException(status_code=400, detail="Invalid code_type")


if __name__ == "__main__":
    import uvicorn

    uvicorn.run("remote:app", host="localhost", port=8000)

then I've started it using Docker on a local port,and I can use the Langchain Agent to execute code in the sandbox and return results to avoid damage to the local environment.

the agent as follows

from langchain.llms import OpenAI
from langchain.agents import initialize_agent
from langchain.tools.base import BaseTool
import requests


class SandboxTool(BaseTool):
    name = "SandboxTool"
    description = '''Useful for when you need to execute python code or install library by pip for python code. 
    The input to this tool should be a comma separated list of numbers of length two, 
    the first value is code_type(type:String), the second value is code(type:String) needed to execute. 
    For example: 
    ["python", "print(1+2)"], ["shell", "pip install langchain"], ["shell", "ls"] ... '''

    def _run(self, query: str) -> str:
        return self.remote_request(query)

    async def _arun(self, tool_input: str) -> str:
        raise NotImplementedError("PythonRemoteReplTool does not support async")

    def remote_request(self, query: str) -> str:
        list = ast.literal_eval(query)
        url = "http://localhost:8000/execute"
        headers = {
            "Content-Type": "application/json",  
        }
        json_data = {
            "code_type": list[0],
            "code": list[1]
        }
        response = requests.post(url, headers=headers, json=json_data)

        if response.status_code == 200:
            data = response.json()
            return data
        else:
            return f"Request failed, status code：{response.status_code}"


llm = OpenAI(temperature=0)
tool =SandboxTool()
tools = [tool]
sandboxagent = initialize_agent(tools, llm, agent="zero-shot-react-description", verbose=True)
sandboxagent.run("print result from 5 + 5")

Could this be a feasible sandbox solution?

[psychemedia]

Would another approach to sandboxing be to use a WASM solution, such as pyodide for executing Python code? There is some limitation on the installable packages, but it would work for testing simple python usage. eg https://til.simonwillison.net/webassembly/python-in-a-wasm-sandbox

[mick-net]

I was researching the possibility to use glot.io (open source) as custom Langchain tool to remotely execute Python (or other languages). Let me know what you think.

Glot.io: http api for running untrusted code inside transient docker containers. For every run request a new container is started and deleted. The payload is passed to the container by attaching to it and writing it to stdin. The result is read from stdout. The communication with the docker daemon happens via it's api over the unix socket. This is used to run code on [glot.io](https://glot.io/).

https://glot.io/
https://github.com/glotcode/glot/blob/master/api_docs/run/run.md

[Jflick58]

Have a Wasm Sandboxed interpreter PR in progress that should support running the code locally in a safe manner: #5640

[IsaacRe]

Sorry for the commit spam...
I've been working off of @cangcang-zcr 's above code to set up a bash sandbox to allow persistent command line interactions within a linux container. This way the agent can install and access third-party clients across a chain's action sequences.

Example: "Install numpy and sample a number between 0 and 10, returning the value."

> Entering new  chain...
 I need to install numpy and then use it to sample a number.
Action: terminal
Action Input: pip install numpy
Observation: pip install numpy
Collecting numpy
  Downloading numpy-1.25.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (17.6 MB)
     ━╺━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 0.5/17.6 MB 8.0 MB/s eta 0:00:03ning pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

[notice] A new release of pip is available: 23.0.1 -> 23.1.2
[notice] To update, run: pip install --upgrade pip
root@sandbox:/app# 
Thought: I now need to use numpy to sample a number.
Action: terminal
Action Input: python
Observation: python
Python 3.10.12 (main, Jun 14 2023, 18:40:54) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> 
Thought: I can now use numpy to sample a number.
Action: terminal
Action Input: import numpy as np
Observation: import numpy as np
>>> 
Thought: I can now use numpy to sample a number.
Action: terminal
Action Input: np.random.randint(0, 10)
Observation: np.random.randint(0, 10)
4
>>> 
Thought: I now know the final answer.
Final Answer: The sampled number is 4.

> Finished chain.
Spent a total of 4004 tokens

It requires standing up a local docker image with the API to receive and run commands so probably overkill for one-off calls to repl().

Open to any feedback/collaboration!

[dosubot]

Hi, @cangcang-zcr! I'm Dosu, and I'm here to help the LangChain team manage their backlog. I wanted to let you know that we are marking this issue as stale.

From what I understand, you were looking to set up a sandbox environment using Docker to execute users' agent code. There have been some suggestions made, such as using a WASM solution like pyodide or glot.io, as well as a PR for a Wasm Sandboxed interpreter. Another user has been working on setting up a bash sandbox for persistent command line interactions within a Linux container.

Before we close this issue, we wanted to check with you if it is still relevant to the latest version of the LangChain repository. If it is, please let us know by commenting on the issue. Otherwise, feel free to close the issue yourself or it will be automatically closed in 7 days.

Thank you for your contribution and we look forward to hearing from you soon!