Summary
The execution environment lacks proper sandbox isolation. Users can execute system-level commands to list, read, or potentially modify files in the server's root directory. This is a critical security vulnerability that could lead to data leaks or full server compromise.
Reproduction steps
1. Navigate to the Codebattle task editor.
2. Select Python from the list of available programming languages.
3. Enter the following code in the editor:
    import os
    print(os.listdir('/'))
4. Click the "Run" button.
Expected result
The system must block the execution of system-level commands (e.g., os, subprocess, shutil).
The output should return a Permission Denied error or a Runtime Error.
Server file structure information must not be displayed in the console.
Actual result
The code executes successfully without any restrictions.
The output console displays the full list of root directories and files (e.g., /bin, /etc, /home, /var, /root).
Evidence: ['media', 'opt', 'mnt', 'var', 'srv', ...] is visible in the execution logs.
Browsers
Chrome
OS
Windows
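
An added example, not Codebattle's code or part of the original report: a pre-execution screen that rejects Python submissions importing the modules named under "Expected result", run here on the snippet from the reproduction steps. The function name and blocklist are assumptions, and a source-level screen only complements the sandbox isolation the summary asks for.

```python
import ast

# Modules named in the report's expected result (blocklist contents are an assumption).
BLOCKED_MODULES = {"os", "subprocess", "shutil"}
# Dynamic import entry points that the screen flags as well.
DYNAMIC_IMPORT_CALLS = {"__import__", "import_module"}


def find_blocked_imports(source: str) -> list[tuple[int, str]]:
    """Return (line, reason) for each blocked import found in `source`.

    A submission that does not parse is reported as a single finding so the
    caller can reject it instead of passing it on to the runner.
    """
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [(exc.lineno or 0, "unparseable submission")]

    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                # "import os.path" is still an import of the os package.
                if alias.name.split(".")[0] in BLOCKED_MODULES:
                    findings.append((node.lineno, f"import {alias.name}"))
        elif isinstance(node, ast.ImportFrom):
            root = (node.module or "").split(".")[0]
            # level == 0 means an absolute import, not a relative one.
            if node.level == 0 and root in BLOCKED_MODULES:
                findings.append((node.lineno, f"from {node.module} import ..."))
        elif isinstance(node, ast.Call):
            func = node.func
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name in DYNAMIC_IMPORT_CALLS:
                findings.append((node.lineno, f"dynamic import via {name}()"))
    return sorted(findings)


# Constructed sample input: the snippet from the reproduction steps.
REPORTED_SNIPPET = "import os\nprint(os.listdir('/'))\n"

if __name__ == "__main__":
    for line, reason in find_blocked_imports(REPORTED_SNIPPET):
        print(f"line {line}: {reason}")
```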