Update app.py

app.py

@@ -4,16 +4,21 @@ import subprocess
 import shutil
 import threading
 import io
+import socket
+import random
+import string
+import ast
+import re
 from huggingface_hub import HfApi, snapshot_download
-from flask import Flask
-from fastapi import FastAPI
-from fastapi.middleware.wsgi import WSGIMiddleware
-from starlette.responses import StreamingResponse
 
 # === Config ===
 DATASET_REPO = "Devity4756/Terminal"
 HF_TOKEN = os.environ.get("HF_TOKEN")
-api = HfApi(token=HF_TOKEN)
+if HF_TOKEN:
+    api = HfApi(token=HF_TOKEN)
+else:
+    api = None
+    print("Warning: HF_TOKEN not found. Save functionality will be limited.")
 
 WORKDIR = "workspace"
 os.makedirs(WORKDIR, exist_ok=True)
@@ -25,12 +30,15 @@ PATH_MAP = {"Alex": VIRTUAL_HOME}
 
 # === Restore state ===
 try:
-    snapshot_path = snapshot_download(
-        repo_id=DATASET_REPO,
-        repo_type="dataset",
-        token=HF_TOKEN
-    )
-    shutil.copytree(snapshot_path, WORKDIR, dirs_exist_ok=True)
+    if HF_TOKEN:
+        snapshot_path = snapshot_download(
+            repo_id=DATASET_REPO,
+            repo_type="dataset",
+            token=HF_TOKEN
+        )
+        shutil.copytree(snapshot_path, WORKDIR, dirs_exist_ok=True)
+    else:
+        print("Cannot restore state without HF_TOKEN")
 except Exception as e:
     print("No previous data restored:", e)
 
@@ -42,6 +50,29 @@ open_file_path = None
 # === Flask apps & logs ===
 flask_apps = {}
 flask_logs = {}
+flask_ports = {}
+next_port = 5000
+
+# Get the public URL of the Gradio app
+public_url = os.environ.get("SPACE_URL", "http://localhost:7860")
+
+# === Security Configuration ===
+ALLOWED_FLASK_IMPORTS = {
+    'Flask', 'request', 'jsonify', 'render_template', 
+    'redirect', 'url_for', 'send_file', 'abort'
+}
+
+RESTRICTED_KEYWORDS = {
+    'os.', 'subprocess.', 'sys.', 'importlib.', 'eval(', 'exec(',
+    'open(', 'file(', 'compile(', '__import__', 'globals()', 'locals()',
+    'getattr', 'setattr', 'delattr', 'input(', 'execfile'
+}
+
+MAX_CODE_LENGTH = 5000  # Maximum characters for Flask code
+
+def generate_random_name(length=12):
+    """Generate a random function/class name"""
+    return ''.join(random.choice(string.ascii_letters) for _ in range(length))
 
 def expand_path(path: str) -> str:
     for alias, real in PATH_MAP.items():
@@ -51,10 +82,109 @@ def expand_path(path: str) -> str:
         return os.path.join(WORKDIR, path.lstrip("/"))
     return os.path.join(current_dir, path)
 
-def run_flask_app(app_name: str, code: str, fastapi_app: FastAPI):
-    """Start a Flask app under /flask/<app_name>"""
+def get_local_ip():
+    """Get the local IP address of the machine"""
+    try:
+        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+        s.connect(("8.8.8.8", 80))
+        ip = s.getsockname()[0]
+        s.close()
+        return ip
+    except:
+        return "localhost"
+
+def validate_flask_code(code):
+    """Validate Flask code for security"""
+    # Check length
+    if len(code) > MAX_CODE_LENGTH:
+        return False, "Code too long (max 5000 characters)"
+    
+    # Check for restricted patterns
+    for pattern in RESTRICTED_KEYWORDS:
+        if pattern in code:
+            return False, f"Restricted pattern found: {pattern}"
+    
+    # Parse AST to check for dangerous constructs
+    try:
+        tree = ast.parse(code)
+        
+        for node in ast.walk(tree):
+            # Check for imports
+            if isinstance(node, ast.Import) or isinstance(node, ast.ImportFrom):
+                for alias in (node.names if isinstance(node, ast.Import) else [node]):
+                    module_name = alias.name if isinstance(node, ast.Import) else node.module
+                    if module_name and not any(module_name.startswith(allowed) 
+                                             for allowed in ['flask', 'werkzeug']):
+                        return False, f"Restricted import: {module_name}"
+            
+            # Check for function definitions with dangerous names
+            if isinstance(node, ast.FunctionDef):
+                if node.name.startswith('_') or node.name in ['exit', 'quit', 'help']:
+                    return False, f"Restricted function name: {node.name}"
+    
+    except SyntaxError as e:
+        return False, f"Syntax error: {e}"
+    
+    return True, "Code validated successfully"
+
+def secure_execute_flask_code(app_instance, code, log_func, request_obj):
+    """Safely execute Flask code with randomized function names"""
+    # Generate random names for functions to avoid conflicts
+    random_prefix = generate_random_name(8)
+    
+    # Replace function definitions with randomized names
+    # This pattern matches function definitions and adds a random prefix
+    code = re.sub(
+        r'def (\w+)\s*\(',
+        lambda m: f'def {random_prefix}_{m.group(1)}(',
+        code
+    )
+    
+    # Create a secure environment
+    secure_globals = {
+        'app': app_instance,
+        'log': log_func,
+        'request': request_obj,
+        '__builtins__': {
+            'str': str, 'int': int, 'float': float, 'bool': bool, 'list': list,
+            'dict': dict, 'tuple': tuple, 'set': set, 'len': len, 'range': range,
+            'print': print, 'isinstance': isinstance, 'type': type, 'repr': repr
+        }
+    }
+    
+    # Add allowed Flask imports
+    try:
+        from flask import Flask, request, jsonify, render_template, redirect, url_for, send_file, abort
+        secure_globals.update({
+            'Flask': Flask,
+            'request': request,
+            'jsonify': jsonify,
+            'render_template': render_template,
+            'redirect': redirect,
+            'url_for': url_for,
+            'send_file': send_file,
+            'abort': abort
+        })
+    except ImportError:
+        pass
+    
+    try:
+        # Compile and execute in restricted environment
+        compiled_code = compile(code, '<string>', 'exec')
+        exec(compiled_code, secure_globals)
+        return True, "Code executed successfully"
+    except Exception as e:
+        return False, f"Execution error: {e}"
+
+def run_flask_app(app_name: str, code: str):
+    """Start a Flask app on a dedicated port"""
+    global next_port
+    
     log_buffer = io.StringIO()
     flask_logs[app_name] = log_buffer
+    port = next_port
+    next_port += 1
+    flask_ports[app_name] = port
 
     def log(msg):
         log_buffer.write(msg + "\n")
@@ -62,44 +192,87 @@ def run_flask_app(app_name: str, code: str, fastapi_app: FastAPI):
         print(f"[{app_name}] {msg}")
 
     try:
+        # Validate code first
+        is_valid, validation_msg = validate_flask_code(code)
+        if not is_valid:
+            log(f"Code validation failed: {validation_msg}")
+            return
+
+        from flask import Flask, request
         local_flask = Flask(app_name)
 
         # Default route
         @local_flask.route("/")
         def home():
-            return f"Hello from {app_name}! (mounted at /flask/{app_name}/)"
-
-        # Execute user code (can add more routes, HTML, APIs)
-        exec(code, {"app": local_flask, "log": log})
-
-        # Mount into FastAPI
-        fastapi_app.mount(f"/flask/{app_name}", WSGIMiddleware(local_flask))
+            return f"Hello from {app_name}!<br><br>App is running successfully."
+
+        # Secure execution of user code
+        success, exec_msg = secure_execute_flask_code(local_flask, code, log, request)
+        if not success:
+            log(f"Failed to execute code: {exec_msg}")
+            return
+
+        # Start the Flask app in a separate thread
+        def run_app():
+            local_flask.run(host='0.0.0.0', port=port, debug=True, use_reloader=False)
+        
+        thread = threading.Thread(target=run_app, daemon=True)
+        thread.start()
+        
         flask_apps[app_name] = local_flask
-        log(f"Started Flask app: {app_name} mounted at /flask/{app_name}/")
+        
+        # Get the correct URLs
+        local_ip = get_local_ip()
+        local_url = f"http://{local_ip}:{port}"
+        
+        # For Hugging Face Spaces
+        if "hf.space" in public_url:
+            space_id = public_url.split("https://")[1].split(".hf.space")[0]
+            live_url = f"https://{space_id}.hf.space/proxy/{port}/"
+        else:
+            live_url = f"{public_url}/proxy/{port}/"
+        
+        log(f"Started Flask app: {app_name} on port {port}")
+        log(f"Local URL: {local_url}")
+        log(f"Live URL: {live_url}")
+        log("App is now live and accessible!")
 
     except Exception as e:
         log(f"Error starting Flask app {app_name}: {e}")
 
 def view_logs(app_name: str):
-    """Stream logs of a Flask app"""
+    """Get logs of a Flask app"""
     if app_name not in flask_logs:
         return f"No logs for {app_name}"
-
-    def stream():
-        log_buf = flask_logs[app_name]
-        last_pos = 0
-        while True:
-            log_buf.seek(last_pos)
-            new_data = log_buf.read()
-            if new_data:
-                yield new_data
-                last_pos = log_buf.tell()
-
-    return StreamingResponse(stream(), media_type="text/plain")
-
-def run_command(cmd: str, fastapi_app: FastAPI):
+    
+    log_buf = flask_logs[app_name]
+    log_buf.seek(0)
+    return log_buf.read()
+
+def get_flask_apps():
+    """Get list of running Flask apps with their URLs"""
+    if not flask_ports:
+        return "No Flask apps running"
+    
+    local_ip = get_local_ip()
+    result = "Running Flask apps:\n\n"
+    
+    for app_name, port in flask_ports.items():
+        local_url = f"http://{local_ip}:{port}"
+        
+        if "hf.space" in public_url:
+            space_id = public_url.split("https://")[1].split(".hf.space")[0]
+            live_url = f"https://{space_id}.hf.space/proxy/{port}/"
+            result += f"- {app_name}:\n  Local: {local_url}\n  Live: {live_url}\n\n"
+        else:
+            result += f"- {app_name}:\n  Local: {local_url}\n  Live: {public_url}/proxy/{port}/\n\n"
+    
+    return result
+
+def run_command(cmd: str):
     """Handle terminal-like commands including Flask"""
     global current_dir, running_process, open_file_path
+    
     try:
         raw_cmd = cmd.strip()
 
@@ -117,12 +290,23 @@ def run_command(cmd: str, fastapi_app: FastAPI):
             if len(parts) < 3:
                 return f"$ {cmd}\n\nUsage: flaskrun <appname> <python_code>", "", None
             appname, code = parts[1], parts[2]
-            threading.Thread(target=run_flask_app, args=(appname, code, fastapi_app), daemon=True).start()
-            return f"$ {cmd}\n\nFlask app '{appname}' started at /flask/{appname}/", "", None
+            threading.Thread(target=run_flask_app, args=(appname, code), daemon=True).start()
+            return f"$ {cmd}\n\nStarting Flask app '{appname}'... Check status with 'flasklist' or view logs with 'logs {appname}'", "", None
+
+        # === List Flask apps ===
+        if raw_cmd == "flasklist":
+            apps_info = get_flask_apps()
+            return f"$ {cmd}\n\n{apps_info}", "", None
+
+        # === View logs ===
+        if raw_cmd.startswith("logs "):
+            appname = raw_cmd.split(" ", 1)[1]
+            logs = view_logs(appname)
+            return f"$ {cmd}\n\nLogs for {appname}:\n{logs}", "", None
 
         # === Change directory (cd) ===
-        if raw_cmd.startswith("cd/") or raw_cmd.startswith("cd "):
-            new_path = raw_cmd.split(" ", 1)[-1].replace("cd/", "", 1)
+        if raw_cmd.startswith("cd "):
+            new_path = raw_cmd.split(" ", 1)[1]
             target = expand_path(new_path)
             if os.path.isdir(target):
                 current_dir = target
@@ -174,6 +358,19 @@ def run_command(cmd: str, fastapi_app: FastAPI):
             except Exception as e:
                 return f"$ {cmd}\n\nError reading file: {e}", "", None
 
+        # === List files ===
+        elif raw_cmd == "ls":
+            items = os.listdir(current_dir)
+            return f"$ {cmd}\n\n" + ("\n".join(items) if items else "(empty directory)"), "", None
+
+        # === Print working directory ===
+        elif raw_cmd == "pwd":
+            return f"$ {cmd}\n\n{current_dir}", "", None
+
+        # === Clear screen ===
+        elif raw_cmd == "clear":
+            return "", "", None
+
         # === Normal shell command ===
         running_process = subprocess.Popen(
             raw_cmd,
@@ -199,16 +396,19 @@ def save_file(new_content: str, file_path: str):
         with open(file_path, "w", encoding="utf-8") as f:
             f.write(new_content)
 
-        try:
-            api.upload_folder(
-                folder_path=WORKDIR,
-                repo_id=DATASET_REPO,
-                repo_type="dataset",
-                commit_message=f"Edited file: {file_path}",
-                token=HF_TOKEN
-            )
-        except Exception as e:
-            print("Upload failed:", e)
+        if HF_TOKEN and api:
+            try:
+                api.upload_folder(
+                    folder_path=WORKDIR,
+                    repo_id=DATASET_REPO,
+                    repo_type="dataset",
+                    commit_message=f"Edited file: {file_path}",
+                    token=HF_TOKEN
+                )
+            except Exception as e:
+                print("Upload failed:", e)
+        else:
+            print("Save local only - no HF token configured")
 
         return f"Saved file: {file_path}", new_content
     except Exception as e:
@@ -216,17 +416,23 @@ def save_file(new_content: str, file_path: str):
 
 # === Gradio UI ===
 with gr.Blocks() as demo:
-    gr.Markdown("## 🖥️ Hugging Face Terminal + Editor + Flask Apps")
+    gr.Markdown("## 🖥️ Secure Terminal + Editor + Flask Apps")
+    gr.Markdown("Create Flask apps with `flaskrun <name> <code>` - they will be accessible at the URLs shown in the logs")
 
     with gr.Row():
         cmd = gr.Textbox(
             label="Command",
             placeholder="Examples:\n"
-                        "flaskrun app1 'app.route(\"/hello\")(lambda: \"Hello App1\")'\n"
-                        "cd/Alex/project\n"
-                        "create /myapp/app.py\n"
-                        "delete /myapp/app.py\n"
-                        "open /myapp/app.py\n"
+                        "flaskrun myapp '@app.route(\"/hello\")\\ndef hello(): return \"Hello World!\"'\n"
+                        "flaskrun api '@app.route(\"/data\")\\ndef data(): return {\"message\": \"API working!\"}'\n"
+                        "flasklist\n"
+                        "logs myapp\n"
+                        "cd Alex/project\n"
+                        "create app.py\n"
+                        "open app.py\n"
+                        "ls\n"
+                        "pwd\n"
+                        "clear\n"
                         "close"
         )
         run_btn = gr.Button("Run")
@@ -237,13 +443,24 @@ with gr.Blocks() as demo:
     hidden_file = gr.Textbox(visible=False)
 
     # Attach events
-    run_btn.click(lambda c: run_command(c, app), inputs=cmd, outputs=[out, editor, hidden_file])
+    run_btn.click(run_command, inputs=cmd, outputs=[out, editor, hidden_file])
     save_btn.click(save_file, inputs=[editor, hidden_file], outputs=[out, editor])
 
-# === Main FastAPI app ===
-app = FastAPI()
-app = gr.mount_gradio_app(app, demo, path="/")
-
-@app.get("/flask/{appname}/logs")
-def flask_logs_stream(appname: str):
-    return view_logs(appname)
+# For Hugging Face Spaces, we need to set up the proxy routes
+if "hf.space" in public_url:
+    # This will be handled by Hugging Face's built-in proxy
+    pass
+else:
+    # For local development, we can set up a simple proxy
+    @demo.app.get("/proxy/{port}/{path:path}")
+    async def proxy_to_flask(port: int, path: str):
+        import httpx
+        try:
+            async with httpx.AsyncClient() as client:
+                response = await client.get(f"http://localhost:{port}/{path}")
+                return response.content
+        except:
+            return "Flask app not available"
+
+if __name__ == "__main__":
+    demo.launch(server_name="0.0.0.0", server_port=7860, share=True)