From 80ae3f4b8f07ee48ed4efa2f270196fca2f48653 Mon Sep 17 00:00:00 2001 From: K2cr2O1 <2221577113@qq.com> Date: Sun, 4 Jan 2026 22:37:42 +0800 Subject: [PATCH] =?UTF-8?q?codepy=E5=AE=89=E5=85=A8=E6=80=A7=E5=8D=87?= =?UTF-8?q?=E7=BA=A7?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- plugins/code_py.py | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/plugins/code_py.py b/plugins/code_py.py index b595354..2fa2988 100644 --- a/plugins/code_py.py +++ b/plugins/code_py.py @@ -22,20 +22,31 @@ __plugin_meta__ = { "usage": "/code_py - 进入交互模式,等待输入代码块\n/code_py [单行代码] - 快速执行单行代码", } -# --- 安全配置:危险模块黑名单 --- +# --- 安全配置:危险模块和内置函数黑名单 --- DANGEROUS_MODULES = [ "os", "sys", "subprocess", "shutil", "socket", "requests", "urllib", "http", "ftplib", "telnetlib", "ctypes", "_thread", "multiprocessing", "asyncio", ] +DANGEROUS_BUILTINS = [ + "__import__", "open", "exec", "eval", "compile", "input", "breakpoint" +] # 编译后的正则表达式,用于分割语句 STATEMENT_SPLIT_PATTERN = re.compile(r'[;\n]') +# 编译后的正则表达式,用于查找危险的内置函数调用 +BUILTIN_CALL_PATTERN = re.compile(r'\b(' + '|'.join(DANGEROUS_BUILTINS) + r')\s*\(') def is_code_safe(code: str) -> Tuple[bool, str]: """ - 检查代码中是否包含危险的模块导入。 + 检查代码中是否包含危险的模块导入或内置函数调用。 """ + # 1. 检查危险的内置函数 + found_builtins = BUILTIN_CALL_PATTERN.search(code) + if found_builtins: + return False, f"检测到不允许的内置函数调用:'{found_builtins.group(1)}'" + + # 2. 检查危险的模块导入 statements = STATEMENT_SPLIT_PATTERN.split(code) for statement in statements: statement = statement.strip()
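Review bot: The new `BUILTIN_CALL_PATTERN` only matches the literal call syntax `name(`, so it is bypassed by binding the builtin first (`f = eval` then `f("...")`) or by fetching it indirectly (`getattr(__builtins__, "ev" + "al")(...)`, `vars(__builtins__)["open"]`), and because `importlib`, `builtins`, `pathlib` and `io` are absent from `DANGEROUS_MODULES`, `import importlib; importlib.import_module("os")` or `pathlib.Path(p).read_text()` still pass as far as the visible list goes. A source-text denylist should be treated as a lint rather than a sandbox: unless the submitted code is executed in an isolated subprocess (separate unprivileged user, CPU/memory limits, no network), which this hunk does not show, any of the above restores exactly the capabilities the patch is trying to remove. At minimum, add `"importlib", "builtins", "pathlib", "io", "pty", "code", "signal", "threading"` to `DANGEROUS_MODULES`, and check an `ast` parse (needs `import ast` at the top of the file) for dangerous builtin names wherever they occur, dunder attribute access and `getattr`/`vars`/`globals`/`locals`, keeping the regex as a fast pre-check; the helper below does that and additionally rejects code that does not parse. `is_code_safe` continues past the end of the hunk, so the module-import loop that follows is not visible here.

```python
# Names that must not appear anywhere in submitted code, even unbound
# (catches `f = eval; f(...)` and reflective lookups of builtins).
_DANGEROUS_NAMES = frozenset(DANGEROUS_BUILTINS) | {"getattr", "vars", "globals", "locals"}


def _ast_violation(code: str) -> str:
    """Return a description of the first dangerous construct found, or "" if none.

    Works on the parsed tree rather than the source text, so aliasing and
    whitespace tricks do not evade it.  Code that fails to parse is reported
    as a violation rather than being passed on to exec().
    """
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return f"syntax error: {exc.msg}"
    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and node.id in _DANGEROUS_NAMES:
            return f"builtin '{node.id}'"
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            return f"dunder attribute '{node.attr}'"
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in DANGEROUS_MODULES:
                    return f"module '{alias.name}'"
        if isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in DANGEROUS_MODULES:
                return f"module '{node.module}'"
    return ""


def is_code_safe(code: str) -> Tuple[bool, str]:
    """
    检查代码中是否包含危险的模块导入或内置函数调用。
    """
    # 0. AST-level check: catches aliased/reflective access the regex misses.
    violation = _ast_violation(code)
    if violation:
        return False, f"检测到不允许的代码:{violation}"
    # … unchanged: regex pre-check and module-import loop …
```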