@cloudflare/sandbox 0.0.0-9375c1e → 0.0.0-93e4f04

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (102) hide show
  1. package/CHANGELOG.md +72 -0
  2. package/Dockerfile +104 -65
  3. package/README.md +88 -772
  4. package/dist/chunk-3RA7RDAX.js +7 -0
  5. package/dist/chunk-3RA7RDAX.js.map +1 -0
  6. package/dist/chunk-BFVUNTP4.js +104 -0
  7. package/dist/chunk-BFVUNTP4.js.map +1 -0
  8. package/dist/chunk-EKSWCBCA.js +86 -0
  9. package/dist/chunk-EKSWCBCA.js.map +1 -0
  10. package/dist/chunk-JXZMAU2C.js +559 -0
  11. package/dist/chunk-JXZMAU2C.js.map +1 -0
  12. package/dist/chunk-MA44U7QN.js +2420 -0
  13. package/dist/chunk-MA44U7QN.js.map +1 -0
  14. package/dist/chunk-Z532A7QC.js +78 -0
  15. package/dist/chunk-Z532A7QC.js.map +1 -0
  16. package/dist/file-stream.d.ts +43 -0
  17. package/dist/file-stream.js +9 -0
  18. package/dist/file-stream.js.map +1 -0
  19. package/dist/index.d.ts +9 -0
  20. package/dist/index.js +67 -0
  21. package/dist/index.js.map +1 -0
  22. package/dist/interpreter.d.ts +33 -0
  23. package/dist/interpreter.js +8 -0
  24. package/dist/interpreter.js.map +1 -0
  25. package/dist/request-handler.d.ts +18 -0
  26. package/dist/request-handler.js +13 -0
  27. package/dist/request-handler.js.map +1 -0
  28. package/dist/sandbox-DMlNr93l.d.ts +596 -0
  29. package/dist/sandbox.d.ts +4 -0
  30. package/dist/sandbox.js +13 -0
  31. package/dist/sandbox.js.map +1 -0
  32. package/dist/security.d.ts +31 -0
  33. package/dist/security.js +13 -0
  34. package/dist/security.js.map +1 -0
  35. package/dist/sse-parser.d.ts +28 -0
  36. package/dist/sse-parser.js +11 -0
  37. package/dist/sse-parser.js.map +1 -0
  38. package/dist/version.d.ts +8 -0
  39. package/dist/version.js +7 -0
  40. package/dist/version.js.map +1 -0
  41. package/package.json +13 -5
  42. package/src/clients/base-client.ts +280 -0
  43. package/src/clients/command-client.ts +115 -0
  44. package/src/clients/file-client.ts +269 -0
  45. package/src/clients/git-client.ts +92 -0
  46. package/src/clients/index.ts +64 -0
  47. package/src/{jupyter-client.ts → clients/interpreter-client.ts} +148 -168
  48. package/src/clients/port-client.ts +105 -0
  49. package/src/clients/process-client.ts +177 -0
  50. package/src/clients/sandbox-client.ts +41 -0
  51. package/src/clients/types.ts +84 -0
  52. package/src/clients/utility-client.ts +119 -0
  53. package/src/errors/adapter.ts +180 -0
  54. package/src/errors/classes.ts +469 -0
  55. package/src/errors/index.ts +105 -0
  56. package/src/file-stream.ts +164 -0
  57. package/src/index.ts +82 -53
  58. package/src/interpreter.ts +22 -13
  59. package/src/request-handler.ts +70 -43
  60. package/src/sandbox.ts +781 -531
  61. package/src/security.ts +14 -23
  62. package/src/sse-parser.ts +4 -8
  63. package/src/version.ts +6 -0
  64. package/startup.sh +3 -0
  65. package/tests/base-client.test.ts +328 -0
  66. package/tests/command-client.test.ts +407 -0
  67. package/tests/file-client.test.ts +643 -0
  68. package/tests/file-stream.test.ts +306 -0
  69. package/tests/get-sandbox.test.ts +110 -0
  70. package/tests/git-client.test.ts +328 -0
  71. package/tests/port-client.test.ts +301 -0
  72. package/tests/process-client.test.ts +658 -0
  73. package/tests/sandbox.test.ts +465 -0
  74. package/tests/sse-parser.test.ts +290 -0
  75. package/tests/utility-client.test.ts +332 -0
  76. package/tests/version.test.ts +16 -0
  77. package/tests/wrangler.jsonc +35 -0
  78. package/tsconfig.json +9 -1
  79. package/vitest.config.ts +31 -0
  80. package/container_src/bun.lock +0 -122
  81. package/container_src/circuit-breaker.ts +0 -121
  82. package/container_src/control-process.ts +0 -784
  83. package/container_src/handler/exec.ts +0 -185
  84. package/container_src/handler/file.ts +0 -406
  85. package/container_src/handler/git.ts +0 -130
  86. package/container_src/handler/ports.ts +0 -314
  87. package/container_src/handler/process.ts +0 -568
  88. package/container_src/handler/session.ts +0 -92
  89. package/container_src/index.ts +0 -601
  90. package/container_src/isolation.ts +0 -1038
  91. package/container_src/jupyter-server.ts +0 -579
  92. package/container_src/jupyter-service.ts +0 -461
  93. package/container_src/jupyter_config.py +0 -48
  94. package/container_src/mime-processor.ts +0 -255
  95. package/container_src/package.json +0 -18
  96. package/container_src/shell-escape.ts +0 -42
  97. package/container_src/startup.sh +0 -84
  98. package/container_src/types.ts +0 -131
  99. package/src/client.ts +0 -1009
  100. package/src/errors.ts +0 -218
  101. package/src/interpreter-types.ts +0 -383
  102. package/src/types.ts +0 -502
@@ -0,0 +1,164 @@
1
+ import type { FileChunk, FileMetadata, FileStreamEvent } from '@repo/shared';
2
+
3
+ /**
4
+ * Parse SSE (Server-Sent Events) lines from a stream
5
+ */
6
+ async function* parseSSE(stream: ReadableStream<Uint8Array>): AsyncGenerator<FileStreamEvent> {
7
+ const reader = stream.getReader();
8
+ const decoder = new TextDecoder();
9
+ let buffer = '';
10
+
11
+ try {
12
+ while (true) {
13
+ const { done, value } = await reader.read();
14
+
15
+ if (done) {
16
+ break;
17
+ }
18
+
19
+ buffer += decoder.decode(value, { stream: true });
20
+ const lines = buffer.split('\n');
21
+
22
+ // Keep the last incomplete line in the buffer
23
+ buffer = lines.pop() || '';
24
+
25
+ for (const line of lines) {
26
+ if (line.startsWith('data: ')) {
27
+ const data = line.slice(6); // Remove 'data: ' prefix
28
+ try {
29
+ const event = JSON.parse(data) as FileStreamEvent;
30
+ yield event;
31
+ } catch {
32
+ // Skip invalid JSON events and continue processing
33
+ }
34
+ }
35
+ }
36
+ }
37
+ } finally {
38
+ reader.releaseLock();
39
+ }
40
+ }
41
+
42
+ /**
43
+ * Stream a file from the sandbox with automatic base64 decoding for binary files
44
+ *
45
+ * @param stream - The ReadableStream from readFileStream()
46
+ * @returns AsyncGenerator that yields FileChunk (string for text, Uint8Array for binary)
47
+ *
48
+ * @example
49
+ * ```ts
50
+ * const stream = await sandbox.readFileStream('/path/to/file.png');
51
+ * for await (const chunk of streamFile(stream)) {
52
+ * if (chunk instanceof Uint8Array) {
53
+ * // Binary chunk
54
+ * console.log('Binary chunk:', chunk.length, 'bytes');
55
+ * } else {
56
+ * // Text chunk
57
+ * console.log('Text chunk:', chunk);
58
+ * }
59
+ * }
60
+ * ```
61
+ */
62
+ export async function* streamFile(stream: ReadableStream<Uint8Array>): AsyncGenerator<FileChunk, FileMetadata> {
63
+ let metadata: FileMetadata | null = null;
64
+
65
+ for await (const event of parseSSE(stream)) {
66
+ switch (event.type) {
67
+ case 'metadata':
68
+ metadata = {
69
+ mimeType: event.mimeType,
70
+ size: event.size,
71
+ isBinary: event.isBinary,
72
+ encoding: event.encoding,
73
+ };
74
+ break;
75
+
76
+ case 'chunk':
77
+ if (!metadata) {
78
+ throw new Error('Received chunk before metadata');
79
+ }
80
+
81
+ if (metadata.isBinary && metadata.encoding === 'base64') {
82
+ // Decode base64 to Uint8Array for binary files
83
+ const binaryString = atob(event.data);
84
+ const bytes = new Uint8Array(binaryString.length);
85
+ for (let i = 0; i < binaryString.length; i++) {
86
+ bytes[i] = binaryString.charCodeAt(i);
87
+ }
88
+ yield bytes;
89
+ } else {
90
+ // Text files - yield as-is
91
+ yield event.data;
92
+ }
93
+ break;
94
+
95
+ case 'complete':
96
+ if (!metadata) {
97
+ throw new Error('Stream completed without metadata');
98
+ }
99
+ return metadata;
100
+
101
+ case 'error':
102
+ throw new Error(`File streaming error: ${event.error}`);
103
+ }
104
+ }
105
+
106
+ throw new Error('Stream ended unexpectedly');
107
+ }
108
+
109
+ /**
110
+ * Collect an entire file into memory from a stream
111
+ *
112
+ * @param stream - The ReadableStream from readFileStream()
113
+ * @returns Object containing the file content and metadata
114
+ *
115
+ * @example
116
+ * ```ts
117
+ * const stream = await sandbox.readFileStream('/path/to/file.txt');
118
+ * const { content, metadata } = await collectFile(stream);
119
+ * console.log('Content:', content);
120
+ * console.log('MIME type:', metadata.mimeType);
121
+ * ```
122
+ */
123
+ export async function collectFile(stream: ReadableStream<Uint8Array>): Promise<{
124
+ content: string | Uint8Array;
125
+ metadata: FileMetadata;
126
+ }> {
127
+ const chunks: Array<string | Uint8Array> = [];
128
+
129
+ // Iterate through the generator and get the return value (metadata)
130
+ const generator = streamFile(stream);
131
+ let result = await generator.next();
132
+
133
+ while (!result.done) {
134
+ chunks.push(result.value);
135
+ result = await generator.next();
136
+ }
137
+
138
+ const metadata = result.value;
139
+
140
+ if (!metadata) {
141
+ throw new Error('Failed to get file metadata');
142
+ }
143
+
144
+ // Combine chunks based on type
145
+ if (metadata.isBinary) {
146
+ // Binary file - combine Uint8Arrays
147
+ const totalLength = chunks.reduce((sum, chunk) =>
148
+ sum + (chunk instanceof Uint8Array ? chunk.length : 0), 0
149
+ );
150
+ const combined = new Uint8Array(totalLength);
151
+ let offset = 0;
152
+ for (const chunk of chunks) {
153
+ if (chunk instanceof Uint8Array) {
154
+ combined.set(chunk, offset);
155
+ offset += chunk.length;
156
+ }
157
+ }
158
+ return { content: combined, metadata };
159
+ } else {
160
+ // Text file - combine strings
161
+ const combined = chunks.filter(c => typeof c === 'string').join('');
162
+ return { content: combined, metadata };
163
+ }
164
+ }
package/src/index.ts CHANGED
@@ -1,64 +1,93 @@
1
- // Export API response types
1
+ // Export the main Sandbox class and utilities
2
2
 
3
- // Export errors
4
- export {
5
- CodeExecutionError,
6
- ContainerNotReadyError,
7
- ContextNotFoundError,
8
- isJupyterNotReadyError,
9
- isRetryableError,
10
- isSandboxError,
11
- JupyterNotReadyError,
12
- parseErrorResponse,
13
- SandboxError,
14
- type SandboxErrorResponse,
15
- SandboxNetworkError,
16
- ServiceUnavailableError,
17
- } from "./errors";
18
- // Export code interpreter types
19
- export type {
20
- ChartData,
21
- CodeContext,
22
- CreateContextOptions,
23
- Execution,
24
- ExecutionError,
25
- OutputMessage,
26
- Result,
27
- RunCodeOptions,
28
- } from "./interpreter-types";
29
- // Export the implementations
30
- export { ResultImpl } from "./interpreter-types";
31
- // Re-export request handler utilities
3
+
4
+ // Export the new client architecture
32
5
  export {
33
- proxyToSandbox,
34
- type RouteInfo,
35
- type SandboxEnv,
36
- } from "./request-handler";
6
+ CommandClient,
7
+ FileClient,
8
+ GitClient,
9
+ PortClient,
10
+ ProcessClient,
11
+ SandboxClient,
12
+ UtilityClient
13
+ } from "./clients";
37
14
  export { getSandbox, Sandbox } from "./sandbox";
38
- // Export SSE parser for converting ReadableStream to AsyncIterable
39
- export {
40
- asyncIterableToSSEStream,
41
- parseSSEStream,
42
- responseToAsyncIterable,
43
- } from "./sse-parser";
15
+
16
+ // Legacy types are now imported from the new client architecture
17
+
18
+ // Export core SDK types for consumers
44
19
  export type {
45
- DeleteFileResponse,
20
+ BaseExecOptions,
46
21
  ExecEvent,
47
22
  ExecOptions,
48
- ExecResult,
49
- ExecuteResponse,
50
- ExecutionSession,
51
- GitCheckoutResponse,
23
+ ExecResult,FileChunk, FileMetadata, FileStreamEvent,
52
24
  ISandbox,
53
- ListFilesResponse,
54
25
  LogEvent,
55
- MkdirResponse,
56
- MoveFileResponse,
57
26
  Process,
58
27
  ProcessOptions,
59
28
  ProcessStatus,
60
- ReadFileResponse,
61
- RenameFileResponse,
62
- StreamOptions,
63
- WriteFileResponse
64
- } from "./types";
29
+ StreamOptions
30
+ } from "@repo/shared";
31
+ export * from '@repo/shared';
32
+ // Export type guards for runtime validation
33
+ export {
34
+ isExecResult,
35
+ isProcess,
36
+ isProcessStatus
37
+ } from "@repo/shared";
38
+ // Export all client types from new architecture
39
+ export type {
40
+ BaseApiResponse,
41
+ CommandsResponse,
42
+ ContainerStub,
43
+ ErrorResponse,
44
+
45
+ // Command client types
46
+ ExecuteRequest,
47
+ ExecuteResponse as CommandExecuteResponse,
48
+
49
+ // Port client types
50
+ ExposePortRequest,
51
+ FileOperationRequest,
52
+
53
+ // Git client types
54
+ GitCheckoutRequest,
55
+ GitCheckoutResult,
56
+ // Base client types
57
+ HttpClientOptions as SandboxClientOptions,
58
+
59
+ // File client types
60
+ MkdirRequest,
61
+
62
+ // Utility client types
63
+ PingResponse,
64
+ PortCloseResult,
65
+ PortExposeResult,
66
+ PortListResult,
67
+ ProcessCleanupResult,
68
+ ProcessInfoResult,
69
+ ProcessKillResult,
70
+ ProcessListResult,
71
+ ProcessLogsResult,
72
+ ProcessStartResult,
73
+ ReadFileRequest,
74
+ RequestConfig,
75
+ ResponseHandler,
76
+ SessionRequest,
77
+
78
+ // Process client types
79
+ StartProcessRequest,
80
+ UnexposePortRequest,
81
+ WriteFileRequest
82
+ } from "./clients";
83
+ export type { ExecutionCallbacks, InterpreterClient } from './clients/interpreter-client.js';
84
+ // Export file streaming utilities for binary file support
85
+ export { collectFile, streamFile } from './file-stream';
86
+ // Export interpreter functionality
87
+ export { CodeInterpreter } from './interpreter.js';
88
+ // Re-export request handler utilities
89
+ export {
90
+ proxyToSandbox, type RouteInfo, type SandboxEnv
91
+ } from './request-handler';
92
+ // Export SSE parser for converting ReadableStream to AsyncIterable
93
+ export { asyncIterableToSSEStream, parseSSEStream, responseToAsyncIterable } from "./sse-parser";
@@ -2,18 +2,23 @@ import {
2
2
  type CodeContext,
3
3
  type CreateContextOptions,
4
4
  Execution,
5
+ type ExecutionError,
6
+ type OutputMessage,
7
+ type Result,
5
8
  ResultImpl,
6
9
  type RunCodeOptions,
7
- } from "./interpreter-types.js";
8
- import type { JupyterClient } from "./jupyter-client.js";
10
+ } from "@repo/shared";
11
+ import type { InterpreterClient } from "./clients/interpreter-client.js";
9
12
  import type { Sandbox } from "./sandbox.js";
13
+ import { validateLanguage } from "./security.js";
10
14
 
11
15
  export class CodeInterpreter {
12
- private jupyterClient: JupyterClient;
16
+ private interpreterClient: InterpreterClient;
13
17
  private contexts = new Map<string, CodeContext>();
14
18
 
15
19
  constructor(sandbox: Sandbox) {
16
- this.jupyterClient = sandbox.client as JupyterClient;
20
+ // In init-testing architecture, client is a SandboxClient with an interpreter property
21
+ this.interpreterClient = (sandbox.client as any).interpreter as InterpreterClient;
17
22
  }
18
23
 
19
24
  /**
@@ -22,7 +27,10 @@ export class CodeInterpreter {
22
27
  async createCodeContext(
23
28
  options: CreateContextOptions = {}
24
29
  ): Promise<CodeContext> {
25
- const context = await this.jupyterClient.createCodeContext(options);
30
+ // Validate language before sending to container
31
+ validateLanguage(options.language);
32
+
33
+ const context = await this.interpreterClient.createCodeContext(options);
26
34
  this.contexts.set(context.id, context);
27
35
  return context;
28
36
  }
@@ -46,20 +54,20 @@ export class CodeInterpreter {
46
54
  const execution = new Execution(code, context);
47
55
 
48
56
  // Stream execution
49
- await this.jupyterClient.runCodeStream(context.id, code, options.language, {
50
- onStdout: (output) => {
57
+ await this.interpreterClient.runCodeStream(context.id, code, options.language, {
58
+ onStdout: (output: OutputMessage) => {
51
59
  execution.logs.stdout.push(output.text);
52
60
  if (options.onStdout) return options.onStdout(output);
53
61
  },
54
- onStderr: (output) => {
62
+ onStderr: (output: OutputMessage) => {
55
63
  execution.logs.stderr.push(output.text);
56
64
  if (options.onStderr) return options.onStderr(output);
57
65
  },
58
- onResult: async (result) => {
66
+ onResult: async (result: Result) => {
59
67
  execution.results.push(new ResultImpl(result) as any);
60
68
  if (options.onResult) return options.onResult(result);
61
69
  },
62
- onError: (error) => {
70
+ onError: (error: ExecutionError) => {
63
71
  execution.error = error;
64
72
  if (options.onError) return options.onError(error);
65
73
  },
@@ -83,7 +91,8 @@ export class CodeInterpreter {
83
91
  }
84
92
 
85
93
  // Create streaming response
86
- const response = await this.jupyterClient.doFetch("/api/execute/code", {
94
+ // Note: doFetch is protected but we need direct access for raw stream response
95
+ const response = await (this.interpreterClient as any).doFetch("/api/execute/code", {
87
96
  method: "POST",
88
97
  headers: {
89
98
  "Content-Type": "application/json",
@@ -116,7 +125,7 @@ export class CodeInterpreter {
116
125
  * List all code contexts
117
126
  */
118
127
  async listCodeContexts(): Promise<CodeContext[]> {
119
- const contexts = await this.jupyterClient.listCodeContexts();
128
+ const contexts = await this.interpreterClient.listCodeContexts();
120
129
 
121
130
  // Update local cache
122
131
  for (const context of contexts) {
@@ -130,7 +139,7 @@ export class CodeInterpreter {
130
139
  * Delete a code context
131
140
  */
132
141
  async deleteCodeContext(contextId: string): Promise<void> {
133
- await this.jupyterClient.deleteCodeContext(contextId);
142
+ await this.interpreterClient.deleteCodeContext(contextId);
134
143
  this.contexts.delete(contextId);
135
144
  }
136
145
 
@@ -1,6 +1,6 @@
1
+ import { createLogger, type LogContext, TraceContext } from "@repo/shared";
1
2
  import { getSandbox, type Sandbox } from "./sandbox";
2
3
  import {
3
- logSecurityEvent,
4
4
  sanitizeSandboxId,
5
5
  validatePort
6
6
  } from "./security";
@@ -13,12 +13,21 @@ export interface RouteInfo {
13
13
  port: number;
14
14
  sandboxId: string;
15
15
  path: string;
16
+ token: string;
16
17
  }
17
18
 
18
19
  export async function proxyToSandbox<E extends SandboxEnv>(
19
20
  request: Request,
20
21
  env: E
21
22
  ): Promise<Response | null> {
23
+ // Create logger context for this request
24
+ const traceId = TraceContext.fromHeaders(request.headers) || TraceContext.generate();
25
+ const logger = createLogger({
26
+ component: 'sandbox-do',
27
+ traceId,
28
+ operation: 'proxy'
29
+ });
30
+
22
31
  try {
23
32
  const url = new URL(request.url);
24
33
  const routeInfo = extractSandboxRoute(url);
@@ -27,9 +36,40 @@ export async function proxyToSandbox<E extends SandboxEnv>(
27
36
  return null; // Not a request to an exposed container port
28
37
  }
29
38
 
30
- const { sandboxId, port, path } = routeInfo;
39
+ const { sandboxId, port, path, token } = routeInfo;
31
40
  const sandbox = getSandbox(env.Sandbox, sandboxId);
32
41
 
42
+ // Critical security check: Validate token (mandatory for all user ports)
43
+ // Skip check for control plane port 3000
44
+ if (port !== 3000) {
45
+ // Validate the token matches the port
46
+ const isValidToken = await sandbox.validatePortToken(port, token);
47
+ if (!isValidToken) {
48
+ logger.warn('Invalid token access blocked', {
49
+ port,
50
+ sandboxId,
51
+ path,
52
+ hostname: url.hostname,
53
+ url: request.url,
54
+ method: request.method,
55
+ userAgent: request.headers.get('User-Agent') || 'unknown'
56
+ });
57
+
58
+ return new Response(
59
+ JSON.stringify({
60
+ error: `Access denied: Invalid token or port not exposed`,
61
+ code: 'INVALID_TOKEN'
62
+ }),
63
+ {
64
+ status: 404,
65
+ headers: {
66
+ 'Content-Type': 'application/json'
67
+ }
68
+ }
69
+ );
70
+ }
71
+ }
72
+
33
73
  // Build proxy request with proper headers
34
74
  let proxyUrl: string;
35
75
 
@@ -52,43 +92,33 @@ export async function proxyToSandbox<E extends SandboxEnv>(
52
92
  'X-Sandbox-Name': sandboxId, // Pass the friendly name
53
93
  },
54
94
  body: request.body,
95
+ // @ts-expect-error - duplex required for body streaming in modern runtimes
96
+ duplex: 'half',
55
97
  });
56
98
 
57
99
  return sandbox.containerFetch(proxyRequest, port);
58
100
  } catch (error) {
59
- console.error('[Sandbox] Proxy routing error:', error);
101
+ logger.error('Proxy routing error', error instanceof Error ? error : new Error(String(error)));
60
102
  return new Response('Proxy routing error', { status: 500 });
61
103
  }
62
104
  }
63
105
 
64
106
  function extractSandboxRoute(url: URL): RouteInfo | null {
65
- // Parse subdomain pattern: port-sandboxId.domain
66
- const subdomainMatch = url.hostname.match(/^(\d{4,5})-([^.-][^.]*[^.-]|[^.-])\.(.+)$/);
107
+ // Parse subdomain pattern: port-sandboxId-token.domain (tokens mandatory)
108
+ // Token is always exactly 16 chars (generated by generatePortToken)
109
+ const subdomainMatch = url.hostname.match(/^(\d{4,5})-([^.-][^.]*?[^.-]|[^.-])-([a-z0-9_-]{16})\.(.+)$/);
67
110
 
68
111
  if (!subdomainMatch) {
69
- // Log malformed subdomain attempts
70
- if (url.hostname.includes('-') && url.hostname.includes('.')) {
71
- logSecurityEvent('MALFORMED_SUBDOMAIN_ATTEMPT', {
72
- hostname: url.hostname,
73
- url: url.toString()
74
- }, 'medium');
75
- }
76
112
  return null;
77
113
  }
78
114
 
79
115
  const portStr = subdomainMatch[1];
80
116
  const sandboxId = subdomainMatch[2];
81
- const domain = subdomainMatch[3];
117
+ const token = subdomainMatch[3]; // Mandatory token
118
+ const domain = subdomainMatch[4];
82
119
 
83
120
  const port = parseInt(portStr, 10);
84
121
  if (!validatePort(port)) {
85
- logSecurityEvent('INVALID_PORT_IN_SUBDOMAIN', {
86
- port,
87
- portStr,
88
- sandboxId,
89
- hostname: url.hostname,
90
- url: url.toString()
91
- }, 'high');
92
122
  return null;
93
123
  }
94
124
 
@@ -96,49 +126,46 @@ function extractSandboxRoute(url: URL): RouteInfo | null {
96
126
  try {
97
127
  sanitizedSandboxId = sanitizeSandboxId(sandboxId);
98
128
  } catch (error) {
99
- logSecurityEvent('INVALID_SANDBOX_ID_IN_SUBDOMAIN', {
100
- sandboxId,
101
- port,
102
- hostname: url.hostname,
103
- url: url.toString(),
104
- error: error instanceof Error ? error.message : 'Unknown error'
105
- }, 'high');
106
129
  return null;
107
130
  }
108
131
 
109
132
  // DNS subdomain length limit is 63 characters
110
133
  if (sandboxId.length > 63) {
111
- logSecurityEvent('SANDBOX_ID_LENGTH_VIOLATION', {
112
- sandboxId,
113
- length: sandboxId.length,
114
- port,
115
- hostname: url.hostname
116
- }, 'medium');
117
134
  return null;
118
135
  }
119
136
 
120
- logSecurityEvent('SANDBOX_ROUTE_EXTRACTED', {
121
- port,
122
- sandboxId: sanitizedSandboxId,
123
- domain,
124
- path: url.pathname || "/",
125
- hostname: url.hostname
126
- }, 'low');
127
-
128
137
  return {
129
138
  port,
130
139
  sandboxId: sanitizedSandboxId,
131
140
  path: url.pathname || "/",
141
+ token,
132
142
  };
133
143
  }
134
144
 
135
145
  export function isLocalhostPattern(hostname: string): boolean {
146
+ // Handle IPv6 addresses in brackets (with or without port)
147
+ if (hostname.startsWith('[')) {
148
+ if (hostname.includes(']:')) {
149
+ // [::1]:port format
150
+ const ipv6Part = hostname.substring(0, hostname.indexOf(']:') + 1);
151
+ return ipv6Part === '[::1]';
152
+ } else {
153
+ // [::1] format without port
154
+ return hostname === '[::1]';
155
+ }
156
+ }
157
+
158
+ // Handle bare IPv6 without brackets
159
+ if (hostname === '::1') {
160
+ return true;
161
+ }
162
+
163
+ // For IPv4 and regular hostnames, split on colon to remove port
136
164
  const hostPart = hostname.split(":")[0];
165
+
137
166
  return (
138
167
  hostPart === "localhost" ||
139
168
  hostPart === "127.0.0.1" ||
140
- hostPart === "::1" ||
141
- hostPart === "[::1]" ||
142
169
  hostPart === "0.0.0.0"
143
170
  );
144
171
  }