npm - @cloudflare/sandbox - Versions diffs - 0.0.0-871f813 → 0.0.0-89632aa - Mend

@cloudflare/sandbox 0.0.0-871f813 → 0.0.0-89632aa

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (68) hide show

package/CHANGELOG.md +234 -0
package/Dockerfile +173 -89
package/README.md +92 -707
package/dist/index.d.ts +1953 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +3280 -0
package/dist/index.js.map +1 -0
package/package.json +16 -8
package/src/clients/base-client.ts +295 -0
package/src/clients/command-client.ts +115 -0
package/src/clients/file-client.ts +300 -0
package/src/clients/git-client.ts +98 -0
package/src/clients/index.ts +64 -0
package/src/clients/interpreter-client.ts +333 -0
package/src/clients/port-client.ts +105 -0
package/src/clients/process-client.ts +180 -0
package/src/clients/sandbox-client.ts +39 -0
package/src/clients/types.ts +88 -0
package/src/clients/utility-client.ts +156 -0
package/src/errors/adapter.ts +238 -0
package/src/errors/classes.ts +594 -0
package/src/errors/index.ts +109 -0
package/src/file-stream.ts +169 -0
package/src/index.ts +94 -44
package/src/interpreter.ts +62 -44
package/src/request-handler.ts +94 -55
package/src/sandbox.ts +887 -397
package/src/security.ts +34 -28
package/src/sse-parser.ts +8 -11
package/src/version.ts +6 -0
package/startup.sh +3 -0
package/tests/base-client.test.ts +364 -0
package/tests/command-client.test.ts +444 -0
package/tests/file-client.test.ts +831 -0
package/tests/file-stream.test.ts +310 -0
package/tests/get-sandbox.test.ts +149 -0
package/tests/git-client.test.ts +487 -0
package/tests/port-client.test.ts +293 -0
package/tests/process-client.test.ts +683 -0
package/tests/request-handler.test.ts +292 -0
package/tests/sandbox.test.ts +739 -0
package/tests/sse-parser.test.ts +291 -0
package/tests/utility-client.test.ts +339 -0
package/tests/version.test.ts +16 -0
package/tests/wrangler.jsonc +35 -0
package/tsconfig.json +9 -1
package/tsdown.config.ts +12 -0
package/vitest.config.ts +31 -0
package/container_src/bun.lock +0 -122
package/container_src/circuit-breaker.ts +0 -121
package/container_src/handler/exec.ts +0 -340
package/container_src/handler/file.ts +0 -844
package/container_src/handler/git.ts +0 -182
package/container_src/handler/ports.ts +0 -314
package/container_src/handler/process.ts +0 -640
package/container_src/index.ts +0 -656
package/container_src/jupyter-server.ts +0 -579
package/container_src/jupyter-service.ts +0 -458
package/container_src/jupyter_config.py +0 -48
package/container_src/mime-processor.ts +0 -255
package/container_src/package.json +0 -18
package/container_src/startup.sh +0 -84
package/container_src/types.ts +0 -108
package/src/client.ts +0 -1021
package/src/errors.ts +0 -218
package/src/interpreter-types.ts +0 -383
package/src/jupyter-client.ts +0 -349
package/src/types.ts +0 -401

package/src/request-handler.ts CHANGED Viewed

@@ -1,9 +1,7 @@
-import { getSandbox, type Sandbox } from "./sandbox";
-import {
-  logSecurityEvent,
-  sanitizeSandboxId,
-  validatePort
-} from "./security";
+import { switchPort } from '@cloudflare/containers';
+import { createLogger, type LogContext, TraceContext } from '@repo/shared';
+import { getSandbox, type Sandbox } from './sandbox';
+import { sanitizeSandboxId, validatePort } from './security';
 export interface SandboxEnv {
   Sandbox: DurableObjectNamespace<Sandbox>;
@@ -13,12 +11,22 @@ export interface RouteInfo {
   port: number;
   sandboxId: string;
   path: string;
+  token: string;
 }
 export async function proxyToSandbox<E extends SandboxEnv>(
   request: Request,
   env: E
 ): Promise<Response | null> {
+  // Create logger context for this request
+  const traceId =
+    TraceContext.fromHeaders(request.headers) || TraceContext.generate();
+  const logger = createLogger({
+    component: 'sandbox-do',
+    traceId,
+    operation: 'proxy'
+  });
   try {
     const url = new URL(request.url);
     const routeInfo = extractSandboxRoute(url);
@@ -27,9 +35,48 @@ export async function proxyToSandbox<E extends SandboxEnv>(
       return null; // Not a request to an exposed container port
     }
-    const { sandboxId, port, path } = routeInfo;
+    const { sandboxId, port, path, token } = routeInfo;
     const sandbox = getSandbox(env.Sandbox, sandboxId);
+    // Critical security check: Validate token (mandatory for all user ports)
+    // Skip check for control plane port 3000
+    if (port !== 3000) {
+      // Validate the token matches the port
+      const isValidToken = await sandbox.validatePortToken(port, token);
+      if (!isValidToken) {
+        logger.warn('Invalid token access blocked', {
+          port,
+          sandboxId,
+          path,
+          hostname: url.hostname,
+          url: request.url,
+          method: request.method,
+          userAgent: request.headers.get('User-Agent') || 'unknown'
+        });
+        return new Response(
+          JSON.stringify({
+            error: `Access denied: Invalid token or port not exposed`,
+            code: 'INVALID_TOKEN'
+          }),
+          {
+            status: 404,
+            headers: {
+              'Content-Type': 'application/json'
+            }
+          }
+        );
+      }
+    }
+    // Detect WebSocket upgrade request
+    const upgradeHeader = request.headers.get('Upgrade');
+    if (upgradeHeader?.toLowerCase() === 'websocket') {
+      // WebSocket path: Must use fetch() not containerFetch()
+      // This bypasses JSRPC serialization boundary which cannot handle WebSocket upgrades
+      return await sandbox.fetch(switchPort(request, port));
+    }
     // Build proxy request with proper headers
     let proxyUrl: string;
@@ -49,46 +96,41 @@ export async function proxyToSandbox<E extends SandboxEnv>(
         'X-Original-URL': request.url,
         'X-Forwarded-Host': url.hostname,
         'X-Forwarded-Proto': url.protocol.replace(':', ''),
-        'X-Sandbox-Name': sandboxId, // Pass the friendly name
+        'X-Sandbox-Name': sandboxId // Pass the friendly name
       },
       body: request.body,
+      // @ts-expect-error - duplex required for body streaming in modern runtimes
+      duplex: 'half'
     });
-    return sandbox.containerFetch(proxyRequest, port);
+    return await sandbox.containerFetch(proxyRequest, port);
   } catch (error) {
-    console.error('[Sandbox] Proxy routing error:', error);
+    logger.error(
+      'Proxy routing error',
+      error instanceof Error ? error : new Error(String(error))
+    );
     return new Response('Proxy routing error', { status: 500 });
   }
 }
 function extractSandboxRoute(url: URL): RouteInfo | null {
-  // Parse subdomain pattern: port-sandboxId.domain
-  const subdomainMatch = url.hostname.match(/^(\d{4,5})-([^.-][^.]*[^.-]|[^.-])\.(.+)$/);
+  // Parse subdomain pattern: port-sandboxId-token.domain (tokens mandatory)
+  // Token is always exactly 16 chars (generated by generatePortToken)
+  const subdomainMatch = url.hostname.match(
+    /^(\d{4,5})-([^.-][^.]*?[^.-]|[^.-])-([a-z0-9_-]{16})\.(.+)$/
+  );
   if (!subdomainMatch) {
-    // Log malformed subdomain attempts
-    if (url.hostname.includes('-') && url.hostname.includes('.')) {
-      logSecurityEvent('MALFORMED_SUBDOMAIN_ATTEMPT', {
-        hostname: url.hostname,
-        url: url.toString()
-      }, 'medium');
-    }
     return null;
   }
   const portStr = subdomainMatch[1];
   const sandboxId = subdomainMatch[2];
-  const domain = subdomainMatch[3];
+  const token = subdomainMatch[3]; // Mandatory token
+  const domain = subdomainMatch[4];
   const port = parseInt(portStr, 10);
   if (!validatePort(port)) {
-    logSecurityEvent('INVALID_PORT_IN_SUBDOMAIN', {
-      port,
-      portStr,
-      sandboxId,
-      hostname: url.hostname,
-      url: url.toString()
-    }, 'high');
     return null;
   }
@@ -96,49 +138,46 @@ function extractSandboxRoute(url: URL): RouteInfo | null {
   try {
     sanitizedSandboxId = sanitizeSandboxId(sandboxId);
   } catch (error) {
-    logSecurityEvent('INVALID_SANDBOX_ID_IN_SUBDOMAIN', {
-      sandboxId,
-      port,
-      hostname: url.hostname,
-      url: url.toString(),
-      error: error instanceof Error ? error.message : 'Unknown error'
-    }, 'high');
     return null;
   }
   // DNS subdomain length limit is 63 characters
   if (sandboxId.length > 63) {
-    logSecurityEvent('SANDBOX_ID_LENGTH_VIOLATION', {
-      sandboxId,
-      length: sandboxId.length,
-      port,
-      hostname: url.hostname
-    }, 'medium');
     return null;
   }
-  logSecurityEvent('SANDBOX_ROUTE_EXTRACTED', {
-    port,
-    sandboxId: sanitizedSandboxId,
-    domain,
-    path: url.pathname || "/",
-    hostname: url.hostname
-  }, 'low');
   return {
     port,
     sandboxId: sanitizedSandboxId,
-    path: url.pathname || "/",
+    path: url.pathname || '/',
+    token
   };
 }
 export function isLocalhostPattern(hostname: string): boolean {
-  const hostPart = hostname.split(":")[0];
+  // Handle IPv6 addresses in brackets (with or without port)
+  if (hostname.startsWith('[')) {
+    if (hostname.includes(']:')) {
+      // [::1]:port format
+      const ipv6Part = hostname.substring(0, hostname.indexOf(']:') + 1);
+      return ipv6Part === '[::1]';
+    } else {
+      // [::1] format without port
+      return hostname === '[::1]';
+    }
+  }
+  // Handle bare IPv6 without brackets
+  if (hostname === '::1') {
+    return true;
+  }
+  // For IPv4 and regular hostnames, split on colon to remove port
+  const hostPart = hostname.split(':')[0];
   return (
-    hostPart === "localhost" ||
-    hostPart === "127.0.0.1" ||
-    hostPart === "::1" ||
-    hostPart === "[::1]" ||
-    hostPart === "0.0.0.0"
+    hostPart === 'localhost' ||
+    hostPart === '127.0.0.1' ||
+    hostPart === '0.0.0.0'
   );
 }