From 4a7ed9afef2be924a167d21f7157ee8787b9b25f Mon Sep 17 00:00:00 2001
From: Yongteng Lei
Date: Tue, 20 May 2025 17:21:28 +0800
Subject: [PATCH] Feat: sandox enhancement (#7739)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
### What problem does this PR solve? 1. Add sandbox options for max memory and timeout. 2. ​Malicious code detection for Python only.​​ ### Type of change - [x] New Feature (non-breaking change which adds functionality)
---
 docker/.env | 2 ++
 docker/docker-compose-base.yml | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/docker/.env b/docker/.env
index 76026199d..0d1d56035 100644
--- a/docker/.env
+++ b/docker/.env
@@ -169,6 +169,8 @@ REGISTER_ENABLED=1
 # SANDBOX_BASE_NODEJS_IMAGE=infiniflow/sandbox-base-nodejs:latest
 # SANDBOX_EXECUTOR_MANAGER_PORT=9385
 # SANDBOX_ENABLE_SECCOMP=false
+# SANDBOX_MAX_MEMORY=256m # b, k, m, g
+# SANDBOX_TIMEOUT=10s # s, m, 1m30s
 # Important: To enable sandbox, you must re-declare the compose profiles.
 # 1. Comment out the COMPOSE_PROFILES line above.
diff --git a/docker/docker-compose-base.yml b/docker/docker-compose-base.yml
index 64e78c5a8..4b88509d0 100644
--- a/docker/docker-compose-base.yml
+++ b/docker/docker-compose-base.yml
@@ -124,6 +124,8 @@ services:
 - SANDBOX_BASE_PYTHON_IMAGE=${SANDBOX_BASE_PYTHON_IMAGE:-infiniflow/sandbox-base-python:latest}
 - SANDBOX_BASE_NODEJS_IMAGE=${SANDBOX_BASE_NODEJS_IMAGE:-infiniflow/sandbox-base-nodejs:latest}
 - SANDBOX_ENABLE_SECCOMP=${SANDBOX_ENABLE_SECCOMP:-false}
+ - SANDBOX_MAX_MEMORY=${SANDBOX_MAX_MEMORY:-256m}
+ - SANDBOX_TIMEOUT=${SANDBOX_TIMEOUT:-10s}
 healthcheck:
 test: ["CMD", "curl", "http://localhost:9385/healthz"]
 interval: 10s
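Review bot: The unit hints on the two added sample lines in docker/.env sit on the same line as the value (`# SANDBOX_MAX_MEMORY=256m # b, k, m, g`), so once a user uncomments a line the result depends on whether the env-file parser strips inline comments. With a parser that does not, the limit would be read as `256m # b, k, m, g`, and how the sandbox treats such a value is not visible in this diff. Putting the hint on its own line above each setting avoids the ambiguity, e.g. `# Units: b, k, m, g` followed by `# SANDBOX_MAX_MEMORY=256m`, and likewise `# Units: s, m (e.g. 1m30s)` above `# SANDBOX_TIMEOUT=10s`.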
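Review bot: `SANDBOX_MAX_MEMORY` and `SANDBOX_TIMEOUT` in docker/docker-compose-base.yml reach the container as free-form strings with no bound or validation at this layer; `:-` only covers the unset or empty case. Because these are the resource limits for running submitted code, the service that reads them (not shown in this diff) should reject a malformed, zero or negative value at startup rather than fall through to running without a limit; that is worth confirming before relying on the defaults. A short comment above the two lines would record the contract, for example `# Per-execution sandbox limits; the executor must fail closed on invalid values`. The `environment:` list these lines belong to starts above the hunk.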