I’m working on a LangChain agent that generates and runs Python scripts using PythonREPLTool for answering user queries. The problem I’m facing is that my agent keeps creating code that includes input() statements to collect user data.
I need to block any code execution that contains input() functions since they cause the program to hang waiting for user interaction. I’m looking for solutions to either:
- Filter out scripts containing
input() before they run
- Set up execution timeouts when code gets stuck waiting for user input
I already tried using max_execution_time during agent setup but it didn’t solve the issue. Any suggestions on how to handle this would be really helpful.
Skip the monkey patching and globals filtering - just wrap the execution in a subprocess with a timeout. This completely isolates the problematic code and kills it when it hangs. I’ve used subprocess.run() with a timeout for similar stuff - keeps your main process from getting stuck and handles errors properly. You’ll lose some REPL state between runs, but the reliability is worth it. Also, redirect stdin to /dev/null (or Windows equivalent) so input calls fail fast instead of hanging forever.
Try using RestrictedPython instead. I used it on a similar project where agents kept generating sketchy code. You can whitelist exactly which functions and modules are allowed, so input() and other dangerous calls get completely blocked. Just compile with compile_restricted() and run it in a controlled namespace. Way more control than subprocess isolation and faster than regex filtering. Works great with LangChain too - you can drop it right into your PythonREPLTool wrapper without rebuilding everything.
had the same issue b4. i ended up monkey patching input - builtins.input = lambda *args: "" makes it return an empty string. way simpler than filtering code and it works every time.
You could also just modify the langchain tool directly. Subclass PythonREPLTool and override the _run method with a quick string check - if 'input(' in code: raise ValueError('input not allowed'). The agent gets error feedback and learns to avoid it. Works great and doesn’t mess with builtins or need extra dependencies.
Monkey patching works, but I’ve seen it mess things up when the agent needs input somewhere else.
I had better luck overriding the globals dict during execution. Just pass custom globals that cuts out input completely:
safe_globals = {k: v for k, v in globals().items() if k != 'input'}
safe_globals['__builtins__'] = {k: v for k, v in __builtins__.items() if k != 'input'}
Use that with exec(). If the code tries calling input, you’ll get a NameError that’s easy to catch and handle.
I also throw in a quick regex check re.search(r'\binput\s*\(', code) before running anything. Catches most attempts upfront and saves time.