@cloudflare/sandbox 0.0.0-af082ab → 0.0.0-b61841c

package/src/request-handler.ts

@@ -1,6 +1,7 @@
+import { createLogger, type LogContext, TraceContext } from "@repo/shared";
+import { switchPort } from "@cloudflare/containers";
 import { getSandbox, type Sandbox } from "./sandbox";
 import {
-  logSecurityEvent,
   sanitizeSandboxId,
   validatePort
 } from "./security";
@@ -13,12 +14,21 @@ export interface RouteInfo {
   port: number;
   sandboxId: string;
   path: string;
+  token: string;
 }
 
 export async function proxyToSandbox<E extends SandboxEnv>(
   request: Request,
   env: E
 ): Promise<Response | null> {
+  // Create logger context for this request
+  const traceId = TraceContext.fromHeaders(request.headers) || TraceContext.generate();
+  const logger = createLogger({
+    component: 'sandbox-do',
+    traceId,
+    operation: 'proxy'
+  });
+
   try {
     const url = new URL(request.url);
     const routeInfo = extractSandboxRoute(url);
@@ -27,9 +37,48 @@ export async function proxyToSandbox<E extends SandboxEnv>(
       return null; // Not a request to an exposed container port
     }
 
-    const { sandboxId, port, path } = routeInfo;
+    const { sandboxId, port, path, token } = routeInfo;
     const sandbox = getSandbox(env.Sandbox, sandboxId);
 
+    // Critical security check: Validate token (mandatory for all user ports)
+    // Skip check for control plane port 3000
+    if (port !== 3000) {
+      // Validate the token matches the port
+      const isValidToken = await sandbox.validatePortToken(port, token);
+      if (!isValidToken) {
+        logger.warn('Invalid token access blocked', {
+          port,
+          sandboxId,
+          path,
+          hostname: url.hostname,
+          url: request.url,
+          method: request.method,
+          userAgent: request.headers.get('User-Agent') || 'unknown'
+        });
+
+        return new Response(
+          JSON.stringify({
+            error: `Access denied: Invalid token or port not exposed`,
+            code: 'INVALID_TOKEN'
+          }),
+          {
+            status: 404,
+            headers: {
+              'Content-Type': 'application/json'
+            }
+          }
+        );
+      }
+    }
+
+    // Detect WebSocket upgrade request
+    const upgradeHeader = request.headers.get('Upgrade');
+    if (upgradeHeader?.toLowerCase() === 'websocket') {
+      // WebSocket path: Must use fetch() not containerFetch()
+      // This bypasses JSRPC serialization boundary which cannot handle WebSocket upgrades
+      return await sandbox.fetch(switchPort(request, port));
+    }
+
     // Build proxy request with proper headers
     let proxyUrl: string;
 
@@ -52,43 +101,33 @@ export async function proxyToSandbox<E extends SandboxEnv>(
         'X-Sandbox-Name': sandboxId, // Pass the friendly name
       },
       body: request.body,
+      // @ts-expect-error - duplex required for body streaming in modern runtimes
+      duplex: 'half',
     });
 
-    return sandbox.containerFetch(proxyRequest, port);
+    return await sandbox.containerFetch(proxyRequest, port);
   } catch (error) {
-    console.error('[Sandbox] Proxy routing error:', error);
+    logger.error('Proxy routing error', error instanceof Error ? error : new Error(String(error)));
     return new Response('Proxy routing error', { status: 500 });
   }
 }
 
 function extractSandboxRoute(url: URL): RouteInfo | null {
-  // Parse subdomain pattern: port-sandboxId.domain
-  const subdomainMatch = url.hostname.match(/^(\d{4,5})-([^.-][^.]*[^.-]|[^.-])\.(.+)$/);
+  // Parse subdomain pattern: port-sandboxId-token.domain (tokens mandatory)
+  // Token is always exactly 16 chars (generated by generatePortToken)
+  const subdomainMatch = url.hostname.match(/^(\d{4,5})-([^.-][^.]*?[^.-]|[^.-])-([a-z0-9_-]{16})\.(.+)$/);
 
   if (!subdomainMatch) {
-    // Log malformed subdomain attempts
-    if (url.hostname.includes('-') && url.hostname.includes('.')) {
-      logSecurityEvent('MALFORMED_SUBDOMAIN_ATTEMPT', {
-        hostname: url.hostname,
-        url: url.toString()
-      }, 'medium');
-    }
     return null;
   }
 
   const portStr = subdomainMatch[1];
   const sandboxId = subdomainMatch[2];
-  const domain = subdomainMatch[3];
+  const token = subdomainMatch[3]; // Mandatory token
+  const domain = subdomainMatch[4];
 
   const port = parseInt(portStr, 10);
   if (!validatePort(port)) {
-    logSecurityEvent('INVALID_PORT_IN_SUBDOMAIN', {
-      port,
-      portStr,
-      sandboxId,
-      hostname: url.hostname,
-      url: url.toString()
-    }, 'high');
     return null;
   }
 
@@ -96,49 +135,46 @@ function extractSandboxRoute(url: URL): RouteInfo | null {
   try {
     sanitizedSandboxId = sanitizeSandboxId(sandboxId);
   } catch (error) {
-    logSecurityEvent('INVALID_SANDBOX_ID_IN_SUBDOMAIN', {
-      sandboxId,
-      port,
-      hostname: url.hostname,
-      url: url.toString(),
-      error: error instanceof Error ? error.message : 'Unknown error'
-    }, 'high');
     return null;
   }
 
   // DNS subdomain length limit is 63 characters
   if (sandboxId.length > 63) {
-    logSecurityEvent('SANDBOX_ID_LENGTH_VIOLATION', {
-      sandboxId,
-      length: sandboxId.length,
-      port,
-      hostname: url.hostname
-    }, 'medium');
     return null;
   }
 
-  logSecurityEvent('SANDBOX_ROUTE_EXTRACTED', {
-    port,
-    sandboxId: sanitizedSandboxId,
-    domain,
-    path: url.pathname || "/",
-    hostname: url.hostname
-  }, 'low');
-
   return {
     port,
     sandboxId: sanitizedSandboxId,
     path: url.pathname || "/",
+    token,
   };
 }
 
 export function isLocalhostPattern(hostname: string): boolean {
+  // Handle IPv6 addresses in brackets (with or without port)
+  if (hostname.startsWith('[')) {
+    if (hostname.includes(']:')) {
+      // [::1]:port format
+      const ipv6Part = hostname.substring(0, hostname.indexOf(']:') + 1);
+      return ipv6Part === '[::1]';
+    } else {
+      // [::1] format without port
+      return hostname === '[::1]';
+    }
+  }
+  
+  // Handle bare IPv6 without brackets
+  if (hostname === '::1') {
+    return true;
+  }
+  
+  // For IPv4 and regular hostnames, split on colon to remove port
   const hostPart = hostname.split(":")[0];
+  
   return (
     hostPart === "localhost" ||
     hostPart === "127.0.0.1" ||
-    hostPart === "::1" ||
-    hostPart === "[::1]" ||
     hostPart === "0.0.0.0"
   );
 }