@cloudflare/sandbox 0.0.0-46eb4e6 → 0.0.0-485cf61

package/dist/chunk-3NEP4CNV.js

@@ -0,0 +1,99 @@
+// src/security.ts
+var SecurityError = class extends Error {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "SecurityError";
+  }
+};
+function validatePort(port) {
+  if (!Number.isInteger(port)) {
+    return false;
+  }
+  if (port < 1024 || port > 65535) {
+    return false;
+  }
+  const reservedPorts = [
+    3e3,
+    // Control plane port
+    8787
+    // Common wrangler dev port
+  ];
+  if (reservedPorts.includes(port)) {
+    return false;
+  }
+  return true;
+}
+function sanitizeSandboxId(id) {
+  if (!id || id.length > 63) {
+    throw new SecurityError(
+      "Sandbox ID must be 1-63 characters long.",
+      "INVALID_SANDBOX_ID_LENGTH"
+    );
+  }
+  if (id.startsWith("-") || id.endsWith("-")) {
+    throw new SecurityError(
+      "Sandbox ID cannot start or end with hyphens (DNS requirement).",
+      "INVALID_SANDBOX_ID_HYPHENS"
+    );
+  }
+  const reservedNames = [
+    "www",
+    "api",
+    "admin",
+    "root",
+    "system",
+    "cloudflare",
+    "workers"
+  ];
+  const lowerCaseId = id.toLowerCase();
+  if (reservedNames.includes(lowerCaseId)) {
+    throw new SecurityError(
+      `Reserved sandbox ID '${id}' is not allowed.`,
+      "RESERVED_SANDBOX_ID"
+    );
+  }
+  return id;
+}
+function validateLanguage(language) {
+  if (!language) {
+    return;
+  }
+  const supportedLanguages = ["python", "python3", "javascript", "js", "node", "typescript", "ts"];
+  const normalized = language.toLowerCase();
+  if (!supportedLanguages.includes(normalized)) {
+    throw new SecurityError(
+      `Unsupported language '${language}'. Supported languages: python, javascript, typescript`,
+      "INVALID_LANGUAGE"
+    );
+  }
+}
+function logSecurityEvent(event, details, severity = "medium") {
+  const logEntry = {
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    event,
+    severity,
+    ...details
+  };
+  switch (severity) {
+    case "critical":
+    case "high":
+      console.error(`[SECURITY:${severity.toUpperCase()}] ${event}:`, JSON.stringify(logEntry));
+      break;
+    case "medium":
+      console.warn(`[SECURITY:${severity.toUpperCase()}] ${event}:`, JSON.stringify(logEntry));
+      break;
+    case "low":
+      console.info(`[SECURITY:${severity.toUpperCase()}] ${event}:`, JSON.stringify(logEntry));
+      break;
+  }
+}
+
+export {
+  SecurityError,
+  validatePort,
+  sanitizeSandboxId,
+  validateLanguage,
+  logSecurityEvent
+};
+//# sourceMappingURL=chunk-3NEP4CNV.js.map

package/dist/chunk-3NEP4CNV.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/security.ts"],"sourcesContent":["/**\n * Security utilities for URL construction and input validation\n *\n * This module contains critical security functions to prevent:\n * - URL injection attacks\n * - SSRF (Server-Side Request Forgery) attacks\n * - DNS rebinding attacks\n * - Host header injection\n * - Open redirect vulnerabilities\n */\n\nexport class SecurityError extends Error {\n  constructor(message: string, public readonly code?: string) {\n    super(message);\n    this.name = 'SecurityError';\n  }\n}\n\n/**\n * Validates port numbers for sandbox services\n * Only allows non-system ports to prevent conflicts and security issues\n */\nexport function validatePort(port: number): boolean {\n  // Must be a valid integer\n  if (!Number.isInteger(port)) {\n    return false;\n  }\n\n  // Only allow non-system ports (1024-65535)\n  if (port < 1024 || port > 65535) {\n    return false;\n  }\n\n  // Exclude ports reserved by our system\n  const reservedPorts = [\n    3000, // Control plane port\n    8787, // Common wrangler dev port\n  ];\n\n  if (reservedPorts.includes(port)) {\n    return false;\n  }\n\n  return true;\n}\n\n/**\n * Sanitizes and validates sandbox IDs for DNS compliance and security\n * Only enforces critical requirements - allows maximum developer flexibility\n */\nexport function sanitizeSandboxId(id: string): string {\n  // Basic validation: not empty, reasonable length limit (DNS subdomain limit is 63 chars)\n  if (!id || id.length > 63) {\n    throw new SecurityError(\n      'Sandbox ID must be 1-63 characters long.',\n      'INVALID_SANDBOX_ID_LENGTH'\n    );\n  }\n\n  // DNS compliance: cannot start or end with hyphens (RFC requirement)\n  if (id.startsWith('-') || id.endsWith('-')) {\n    throw new SecurityError(\n      'Sandbox ID cannot start or end with hyphens (DNS requirement).',\n      'INVALID_SANDBOX_ID_HYPHENS'\n    );\n  }\n\n  // Prevent reserved names that cause technical conflicts\n  const reservedNames = [\n    'www', 'api', 'admin', 'root', 'system',\n    'cloudflare', 'workers'\n  ];\n\n  const lowerCaseId = id.toLowerCase();\n  if (reservedNames.includes(lowerCaseId)) {\n    throw new SecurityError(\n      `Reserved sandbox ID '${id}' is not allowed.`,\n      'RESERVED_SANDBOX_ID'\n    );\n  }\n\n  return id;\n}\n\n\n/**\n * Validates language for code interpreter\n * Only allows supported languages\n */\nexport function validateLanguage(language: string | undefined): void {\n  if (!language) {\n    return; // undefined is valid, will default to python\n  }\n\n  const supportedLanguages = ['python', 'python3', 'javascript', 'js', 'node', 'typescript', 'ts'];\n  const normalized = language.toLowerCase();\n\n  if (!supportedLanguages.includes(normalized)) {\n    throw new SecurityError(\n      `Unsupported language '${language}'. Supported languages: python, javascript, typescript`,\n      'INVALID_LANGUAGE'\n    );\n  }\n}\n\n/**\n * Logs security events for monitoring\n */\nexport function logSecurityEvent(\n  event: string,\n  details: Record<string, any>,\n  severity: 'low' | 'medium' | 'high' | 'critical' = 'medium'\n): void {\n  const logEntry = {\n    timestamp: new Date().toISOString(),\n    event,\n    severity,\n    ...details\n  };\n\n  switch (severity) {\n    case 'critical':\n    case 'high':\n      console.error(`[SECURITY:${severity.toUpperCase()}] ${event}:`, JSON.stringify(logEntry));\n      break;\n    case 'medium':\n      console.warn(`[SECURITY:${severity.toUpperCase()}] ${event}:`, JSON.stringify(logEntry));\n      break;\n    case 'low':\n      console.info(`[SECURITY:${severity.toUpperCase()}] ${event}:`, JSON.stringify(logEntry));\n      break;\n  }\n}\n"],"mappings":";AAWO,IAAM,gBAAN,cAA4B,MAAM;AAAA,EACvC,YAAY,SAAiC,MAAe;AAC1D,UAAM,OAAO;AAD8B;AAE3C,SAAK,OAAO;AAAA,EACd;AACF;AAMO,SAAS,aAAa,MAAuB;AAElD,MAAI,CAAC,OAAO,UAAU,IAAI,GAAG;AAC3B,WAAO;AAAA,EACT;AAGA,MAAI,OAAO,QAAQ,OAAO,OAAO;AAC/B,WAAO;AAAA,EACT;AAGA,QAAM,gBAAgB;AAAA,IACpB;AAAA;AAAA,IACA;AAAA;AAAA,EACF;AAEA,MAAI,cAAc,SAAS,IAAI,GAAG;AAChC,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAMO,SAAS,kBAAkB,IAAoB;AAEpD,MAAI,CAAC,MAAM,GAAG,SAAS,IAAI;AACzB,UAAM,IAAI;AAAA,MACR;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAGA,MAAI,GAAG,WAAW,GAAG,KAAK,GAAG,SAAS,GAAG,GAAG;AAC1C,UAAM,IAAI;AAAA,MACR;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAGA,QAAM,gBAAgB;AAAA,IACpB;AAAA,IAAO;AAAA,IAAO;AAAA,IAAS;AAAA,IAAQ;AAAA,IAC/B;AAAA,IAAc;AAAA,EAChB;AAEA,QAAM,cAAc,GAAG,YAAY;AACnC,MAAI,cAAc,SAAS,WAAW,GAAG;AACvC,UAAM,IAAI;AAAA,MACR,wBAAwB,EAAE;AAAA,MAC1B;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAOO,SAAS,iBAAiB,UAAoC;AACnE,MAAI,CAAC,UAAU;AACb;AAAA,EACF;AAEA,QAAM,qBAAqB,CAAC,UAAU,WAAW,cAAc,MAAM,QAAQ,cAAc,IAAI;AAC/F,QAAM,aAAa,SAAS,YAAY;AAExC,MAAI,CAAC,mBAAmB,SAAS,UAAU,GAAG;AAC5C,UAAM,IAAI;AAAA,MACR,yBAAyB,QAAQ;AAAA,MACjC;AAAA,IACF;AAAA,EACF;AACF;AAKO,SAAS,iBACd,OACA,SACA,WAAmD,UAC7C;AACN,QAAM,WAAW;AAAA,IACf,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,IAClC;AAAA,IACA;AAAA,IACA,GAAG;AAAA,EACL;AAEA,UAAQ,UAAU;AAAA,IAChB,KAAK;AAAA,IACL,KAAK;AACH,cAAQ,MAAM,aAAa,SAAS,YAAY,CAAC,KAAK,KAAK,KAAK,KAAK,UAAU,QAAQ,CAAC;AACxF;AAAA,IACF,KAAK;AACH,cAAQ,KAAK,aAAa,SAAS,YAAY,CAAC,KAAK,KAAK,KAAK,KAAK,UAAU,QAAQ,CAAC;AACvF;AAAA,IACF,KAAK;AACH,cAAQ,KAAK,aAAa,SAAS,YAAY,CAAC,KAAK,KAAK,KAAK,KAAK,UAAU,QAAQ,CAAC;AACvF;AAAA,EACJ;AACF;","names":[]}

package/dist/chunk-6IYG2RIN.js

@@ -0,0 +1,117 @@
+import {
+  validateLanguage
+} from "./chunk-3NEP4CNV.js";
+
+// src/interpreter.ts
+import {
+  Execution,
+  ResultImpl
+} from "@repo/shared";
+var CodeInterpreter = class {
+  interpreterClient;
+  contexts = /* @__PURE__ */ new Map();
+  constructor(sandbox) {
+    this.interpreterClient = sandbox.client.interpreter;
+  }
+  /**
+   * Create a new code execution context
+   */
+  async createCodeContext(options = {}) {
+    validateLanguage(options.language);
+    const context = await this.interpreterClient.createCodeContext(options);
+    this.contexts.set(context.id, context);
+    return context;
+  }
+  /**
+   * Run code with optional context
+   */
+  async runCode(code, options = {}) {
+    let context = options.context;
+    if (!context) {
+      const language = options.language || "python";
+      context = await this.getOrCreateDefaultContext(language);
+    }
+    const execution = new Execution(code, context);
+    await this.interpreterClient.runCodeStream(context.id, code, options.language, {
+      onStdout: (output) => {
+        execution.logs.stdout.push(output.text);
+        if (options.onStdout) return options.onStdout(output);
+      },
+      onStderr: (output) => {
+        execution.logs.stderr.push(output.text);
+        if (options.onStderr) return options.onStderr(output);
+      },
+      onResult: async (result) => {
+        execution.results.push(new ResultImpl(result));
+        if (options.onResult) return options.onResult(result);
+      },
+      onError: (error) => {
+        execution.error = error;
+        if (options.onError) return options.onError(error);
+      }
+    });
+    return execution;
+  }
+  /**
+   * Run code and return a streaming response
+   */
+  async runCodeStream(code, options = {}) {
+    let context = options.context;
+    if (!context) {
+      const language = options.language || "python";
+      context = await this.getOrCreateDefaultContext(language);
+    }
+    const response = await this.interpreterClient.doFetch("/api/execute/code", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Accept: "text/event-stream"
+      },
+      body: JSON.stringify({
+        context_id: context.id,
+        code,
+        language: options.language
+      })
+    });
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({ error: "Unknown error" }));
+      throw new Error(
+        errorData.error || `Failed to execute code: ${response.status}`
+      );
+    }
+    if (!response.body) {
+      throw new Error("No response body for streaming execution");
+    }
+    return response.body;
+  }
+  /**
+   * List all code contexts
+   */
+  async listCodeContexts() {
+    const contexts = await this.interpreterClient.listCodeContexts();
+    for (const context of contexts) {
+      this.contexts.set(context.id, context);
+    }
+    return contexts;
+  }
+  /**
+   * Delete a code context
+   */
+  async deleteCodeContext(contextId) {
+    await this.interpreterClient.deleteCodeContext(contextId);
+    this.contexts.delete(contextId);
+  }
+  async getOrCreateDefaultContext(language) {
+    for (const context of this.contexts.values()) {
+      if (context.language === language) {
+        return context;
+      }
+    }
+    return this.createCodeContext({ language });
+  }
+};
+
+export {
+  CodeInterpreter
+};
+//# sourceMappingURL=chunk-6IYG2RIN.js.map

package/dist/chunk-6IYG2RIN.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/interpreter.ts"],"sourcesContent":["import {\n  type CodeContext,\n  type CreateContextOptions,\n  Execution,\n  type ExecutionError,\n  type OutputMessage,\n  type Result,\n  ResultImpl,\n  type RunCodeOptions,\n} from \"@repo/shared\";\nimport type { InterpreterClient } from \"./clients/interpreter-client.js\";\nimport type { Sandbox } from \"./sandbox.js\";\nimport { validateLanguage } from \"./security.js\";\n\nexport class CodeInterpreter {\n  private interpreterClient: InterpreterClient;\n  private contexts = new Map<string, CodeContext>();\n\n  constructor(sandbox: Sandbox) {\n    // In init-testing architecture, client is a SandboxClient with an interpreter property\n    this.interpreterClient = (sandbox.client as any).interpreter as InterpreterClient;\n  }\n\n  /**\n   * Create a new code execution context\n   */\n  async createCodeContext(\n    options: CreateContextOptions = {}\n  ): Promise<CodeContext> {\n    // Validate language before sending to container\n    validateLanguage(options.language);\n\n    const context = await this.interpreterClient.createCodeContext(options);\n    this.contexts.set(context.id, context);\n    return context;\n  }\n\n  /**\n   * Run code with optional context\n   */\n  async runCode(\n    code: string,\n    options: RunCodeOptions = {}\n  ): Promise<Execution> {\n    // Get or create context\n    let context = options.context;\n    if (!context) {\n      // Try to find or create a default context for the language\n      const language = options.language || \"python\";\n      context = await this.getOrCreateDefaultContext(language);\n    }\n\n    // Create execution object to collect results\n    const execution = new Execution(code, context);\n\n    // Stream execution\n    await this.interpreterClient.runCodeStream(context.id, code, options.language, {\n      onStdout: (output: OutputMessage) => {\n        execution.logs.stdout.push(output.text);\n        if (options.onStdout) return options.onStdout(output);\n      },\n      onStderr: (output: OutputMessage) => {\n        execution.logs.stderr.push(output.text);\n        if (options.onStderr) return options.onStderr(output);\n      },\n      onResult: async (result: Result) => {\n        execution.results.push(new ResultImpl(result) as any);\n        if (options.onResult) return options.onResult(result);\n      },\n      onError: (error: ExecutionError) => {\n        execution.error = error;\n        if (options.onError) return options.onError(error);\n      },\n    });\n\n    return execution;\n  }\n\n  /**\n   * Run code and return a streaming response\n   */\n  async runCodeStream(\n    code: string,\n    options: RunCodeOptions = {}\n  ): Promise<ReadableStream> {\n    // Get or create context\n    let context = options.context;\n    if (!context) {\n      const language = options.language || \"python\";\n      context = await this.getOrCreateDefaultContext(language);\n    }\n\n    // Create streaming response\n    // Note: doFetch is protected but we need direct access for raw stream response\n    const response = await (this.interpreterClient as any).doFetch(\"/api/execute/code\", {\n      method: \"POST\",\n      headers: {\n        \"Content-Type\": \"application/json\",\n        Accept: \"text/event-stream\",\n      },\n      body: JSON.stringify({\n        context_id: context.id,\n        code,\n        language: options.language,\n      }),\n    });\n\n    if (!response.ok) {\n      const errorData = (await response\n        .json()\n        .catch(() => ({ error: \"Unknown error\" }))) as { error?: string };\n      throw new Error(\n        errorData.error || `Failed to execute code: ${response.status}`\n      );\n    }\n\n    if (!response.body) {\n      throw new Error(\"No response body for streaming execution\");\n    }\n\n    return response.body;\n  }\n\n  /**\n   * List all code contexts\n   */\n  async listCodeContexts(): Promise<CodeContext[]> {\n    const contexts = await this.interpreterClient.listCodeContexts();\n\n    // Update local cache\n    for (const context of contexts) {\n      this.contexts.set(context.id, context);\n    }\n\n    return contexts;\n  }\n\n  /**\n   * Delete a code context\n   */\n  async deleteCodeContext(contextId: string): Promise<void> {\n    await this.interpreterClient.deleteCodeContext(contextId);\n    this.contexts.delete(contextId);\n  }\n\n  private async getOrCreateDefaultContext(\n    language: \"python\" | \"javascript\" | \"typescript\"\n  ): Promise<CodeContext> {\n    // Check if we have a cached context for this language\n    for (const context of this.contexts.values()) {\n      if (context.language === language) {\n        return context;\n      }\n    }\n\n    // Create new default context\n    return this.createCodeContext({ language });\n  }\n}\n"],"mappings":";;;;;AAAA;AAAA,EAGE;AAAA,EAIA;AAAA,OAEK;AAKA,IAAM,kBAAN,MAAsB;AAAA,EACnB;AAAA,EACA,WAAW,oBAAI,IAAyB;AAAA,EAEhD,YAAY,SAAkB;AAE5B,SAAK,oBAAqB,QAAQ,OAAe;AAAA,EACnD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,kBACJ,UAAgC,CAAC,GACX;AAEtB,qBAAiB,QAAQ,QAAQ;AAEjC,UAAM,UAAU,MAAM,KAAK,kBAAkB,kBAAkB,OAAO;AACtE,SAAK,SAAS,IAAI,QAAQ,IAAI,OAAO;AACrC,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QACJ,MACA,UAA0B,CAAC,GACP;AAEpB,QAAI,UAAU,QAAQ;AACtB,QAAI,CAAC,SAAS;AAEZ,YAAM,WAAW,QAAQ,YAAY;AACrC,gBAAU,MAAM,KAAK,0BAA0B,QAAQ;AAAA,IACzD;AAGA,UAAM,YAAY,IAAI,UAAU,MAAM,OAAO;AAG7C,UAAM,KAAK,kBAAkB,cAAc,QAAQ,IAAI,MAAM,QAAQ,UAAU;AAAA,MAC7E,UAAU,CAAC,WAA0B;AACnC,kBAAU,KAAK,OAAO,KAAK,OAAO,IAAI;AACtC,YAAI,QAAQ,SAAU,QAAO,QAAQ,SAAS,MAAM;AAAA,MACtD;AAAA,MACA,UAAU,CAAC,WAA0B;AACnC,kBAAU,KAAK,OAAO,KAAK,OAAO,IAAI;AACtC,YAAI,QAAQ,SAAU,QAAO,QAAQ,SAAS,MAAM;AAAA,MACtD;AAAA,MACA,UAAU,OAAO,WAAmB;AAClC,kBAAU,QAAQ,KAAK,IAAI,WAAW,MAAM,CAAQ;AACpD,YAAI,QAAQ,SAAU,QAAO,QAAQ,SAAS,MAAM;AAAA,MACtD;AAAA,MACA,SAAS,CAAC,UAA0B;AAClC,kBAAU,QAAQ;AAClB,YAAI,QAAQ,QAAS,QAAO,QAAQ,QAAQ,KAAK;AAAA,MACnD;AAAA,IACF,CAAC;AAED,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,cACJ,MACA,UAA0B,CAAC,GACF;AAEzB,QAAI,UAAU,QAAQ;AACtB,QAAI,CAAC,SAAS;AACZ,YAAM,WAAW,QAAQ,YAAY;AACrC,gBAAU,MAAM,KAAK,0BAA0B,QAAQ;AAAA,IACzD;AAIA,UAAM,WAAW,MAAO,KAAK,kBAA0B,QAAQ,qBAAqB;AAAA,MAClF,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,QAChB,QAAQ;AAAA,MACV;AAAA,MACA,MAAM,KAAK,UAAU;AAAA,QACnB,YAAY,QAAQ;AAAA,QACpB;AAAA,QACA,UAAU,QAAQ;AAAA,MACpB,CAAC;AAAA,IACH,CAAC;AAED,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,YAAa,MAAM,SACtB,KAAK,EACL,MAAM,OAAO,EAAE,OAAO,gBAAgB,EAAE;AAC3C,YAAM,IAAI;AAAA,QACR,UAAU,SAAS,2BAA2B,SAAS,MAAM;AAAA,MAC/D;AAAA,IACF;AAEA,QAAI,CAAC,SAAS,MAAM;AAClB,YAAM,IAAI,MAAM,0CAA0C;AAAA,IAC5D;AAEA,WAAO,SAAS;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,mBAA2C;AAC/C,UAAM,WAAW,MAAM,KAAK,kBAAkB,iBAAiB;AAG/D,eAAW,WAAW,UAAU;AAC9B,WAAK,SAAS,IAAI,QAAQ,IAAI,OAAO;AAAA,IACvC;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,kBAAkB,WAAkC;AACxD,UAAM,KAAK,kBAAkB,kBAAkB,SAAS;AACxD,SAAK,SAAS,OAAO,SAAS;AAAA,EAChC;AAAA,EAEA,MAAc,0BACZ,UACsB;AAEtB,eAAW,WAAW,KAAK,SAAS,OAAO,GAAG;AAC5C,UAAI,QAAQ,aAAa,UAAU;AACjC,eAAO;AAAA,MACT;AAAA,IACF;AAGA,WAAO,KAAK,kBAAkB,EAAE,SAAS,CAAC;AAAA,EAC5C;AACF;","names":[]}