@cloudflare/sandbox 0.0.0-af082ab → 0.0.0-b61841c

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (105) hide show
  1. package/CHANGELOG.md +63 -6
  2. package/Dockerfile +91 -51
  3. package/README.md +88 -825
  4. package/dist/chunk-BFVUNTP4.js +104 -0
  5. package/dist/chunk-BFVUNTP4.js.map +1 -0
  6. package/dist/chunk-EKSWCBCA.js +86 -0
  7. package/dist/chunk-EKSWCBCA.js.map +1 -0
  8. package/dist/chunk-JXZMAU2C.js +559 -0
  9. package/dist/chunk-JXZMAU2C.js.map +1 -0
  10. package/dist/chunk-QHRFHK6X.js +7 -0
  11. package/dist/chunk-QHRFHK6X.js.map +1 -0
  12. package/dist/chunk-SFCV5YTY.js +2456 -0
  13. package/dist/chunk-SFCV5YTY.js.map +1 -0
  14. package/dist/chunk-Z532A7QC.js +78 -0
  15. package/dist/chunk-Z532A7QC.js.map +1 -0
  16. package/dist/file-stream.d.ts +43 -0
  17. package/dist/file-stream.js +9 -0
  18. package/dist/file-stream.js.map +1 -0
  19. package/dist/index.d.ts +9 -0
  20. package/dist/index.js +67 -0
  21. package/dist/index.js.map +1 -0
  22. package/dist/interpreter.d.ts +33 -0
  23. package/dist/interpreter.js +8 -0
  24. package/dist/interpreter.js.map +1 -0
  25. package/dist/request-handler.d.ts +18 -0
  26. package/dist/request-handler.js +13 -0
  27. package/dist/request-handler.js.map +1 -0
  28. package/dist/sandbox-DWQVgVTY.d.ts +603 -0
  29. package/dist/sandbox.d.ts +4 -0
  30. package/dist/sandbox.js +13 -0
  31. package/dist/sandbox.js.map +1 -0
  32. package/dist/security.d.ts +31 -0
  33. package/dist/security.js +13 -0
  34. package/dist/security.js.map +1 -0
  35. package/dist/sse-parser.d.ts +28 -0
  36. package/dist/sse-parser.js +11 -0
  37. package/dist/sse-parser.js.map +1 -0
  38. package/dist/version.d.ts +8 -0
  39. package/dist/version.js +7 -0
  40. package/dist/version.js.map +1 -0
  41. package/package.json +12 -4
  42. package/src/clients/base-client.ts +280 -0
  43. package/src/clients/command-client.ts +115 -0
  44. package/src/clients/file-client.ts +295 -0
  45. package/src/clients/git-client.ts +92 -0
  46. package/src/clients/index.ts +64 -0
  47. package/src/{interpreter-client.ts → clients/interpreter-client.ts} +148 -171
  48. package/src/clients/port-client.ts +105 -0
  49. package/src/clients/process-client.ts +177 -0
  50. package/src/clients/sandbox-client.ts +41 -0
  51. package/src/clients/types.ts +84 -0
  52. package/src/clients/utility-client.ts +119 -0
  53. package/src/errors/adapter.ts +180 -0
  54. package/src/errors/classes.ts +469 -0
  55. package/src/errors/index.ts +105 -0
  56. package/src/file-stream.ts +119 -117
  57. package/src/index.ts +81 -69
  58. package/src/interpreter.ts +17 -8
  59. package/src/request-handler.ts +80 -44
  60. package/src/sandbox.ts +794 -537
  61. package/src/security.ts +14 -23
  62. package/src/sse-parser.ts +4 -8
  63. package/src/version.ts +6 -0
  64. package/startup.sh +3 -0
  65. package/tests/base-client.test.ts +328 -0
  66. package/tests/command-client.test.ts +407 -0
  67. package/tests/file-client.test.ts +719 -0
  68. package/tests/file-stream.test.ts +306 -0
  69. package/tests/get-sandbox.test.ts +110 -0
  70. package/tests/git-client.test.ts +328 -0
  71. package/tests/port-client.test.ts +301 -0
  72. package/tests/process-client.test.ts +658 -0
  73. package/tests/request-handler.test.ts +240 -0
  74. package/tests/sandbox.test.ts +554 -0
  75. package/tests/sse-parser.test.ts +290 -0
  76. package/tests/utility-client.test.ts +332 -0
  77. package/tests/version.test.ts +16 -0
  78. package/tests/wrangler.jsonc +35 -0
  79. package/tsconfig.json +9 -1
  80. package/vitest.config.ts +31 -0
  81. package/container_src/bun.lock +0 -76
  82. package/container_src/circuit-breaker.ts +0 -121
  83. package/container_src/control-process.ts +0 -784
  84. package/container_src/handler/exec.ts +0 -185
  85. package/container_src/handler/file.ts +0 -457
  86. package/container_src/handler/git.ts +0 -130
  87. package/container_src/handler/ports.ts +0 -314
  88. package/container_src/handler/process.ts +0 -568
  89. package/container_src/handler/session.ts +0 -92
  90. package/container_src/index.ts +0 -601
  91. package/container_src/interpreter-service.ts +0 -276
  92. package/container_src/isolation.ts +0 -1213
  93. package/container_src/mime-processor.ts +0 -255
  94. package/container_src/package.json +0 -18
  95. package/container_src/runtime/executors/javascript/node_executor.ts +0 -123
  96. package/container_src/runtime/executors/python/ipython_executor.py +0 -338
  97. package/container_src/runtime/executors/typescript/ts_executor.ts +0 -138
  98. package/container_src/runtime/process-pool.ts +0 -464
  99. package/container_src/shell-escape.ts +0 -42
  100. package/container_src/startup.sh +0 -11
  101. package/container_src/types.ts +0 -131
  102. package/src/client.ts +0 -1048
  103. package/src/errors.ts +0 -219
  104. package/src/interpreter-types.ts +0 -390
  105. package/src/types.ts +0 -571
package/tests/request-handler.test.ts ADDED
@@ -0,0 +1,240 @@
1
+ import { beforeEach, describe, expect, it, vi } from 'vitest';
2
+ import { proxyToSandbox, type SandboxEnv } from '../src/request-handler';
3
+ import type { Sandbox } from '../src/sandbox';
4
+
5
+ // Mock getSandbox from sandbox.ts
6
+ vi.mock('../src/sandbox', () => {
7
+ const mockFn = vi.fn();
8
+ return {
9
+ getSandbox: mockFn,
10
+ Sandbox: vi.fn(),
11
+ };
12
+ });
13
+
14
+ // Import the mock after vi.mock is set up
15
+ import { getSandbox } from '../src/sandbox';
16
+
17
+ describe('proxyToSandbox - WebSocket Support', () => {
18
+ let mockSandbox: Partial<Sandbox>;
19
+ let mockEnv: SandboxEnv;
20
+
21
+ beforeEach(() => {
22
+ vi.clearAllMocks();
23
+
24
+ // Mock Sandbox with necessary methods
25
+ mockSandbox = {
26
+ validatePortToken: vi.fn().mockResolvedValue(true),
27
+ fetch: vi.fn().mockResolvedValue(new Response('WebSocket response')),
28
+ containerFetch: vi.fn().mockResolvedValue(new Response('HTTP response')),
29
+ };
30
+
31
+ mockEnv = {
32
+ Sandbox: {} as any,
33
+ };
34
+
35
+ vi.mocked(getSandbox).mockReturnValue(mockSandbox as Sandbox);
36
+ });
37
+
38
+ describe('WebSocket detection and routing', () => {
39
+ it('should detect WebSocket upgrade header (case-insensitive)', async () => {
40
+ const request = new Request('https://8080-sandbox-token12345678901.example.com/ws', {
41
+ headers: {
42
+ 'Upgrade': 'websocket',
43
+ 'Connection': 'Upgrade',
44
+ },
45
+ });
46
+
47
+ await proxyToSandbox(request, mockEnv);
48
+
49
+ // Should route through fetch() for WebSocket
50
+ expect(mockSandbox.fetch).toHaveBeenCalledTimes(1);
51
+ expect(mockSandbox.containerFetch).not.toHaveBeenCalled();
52
+ });
53
+
54
+ it('should set cf-container-target-port header for WebSocket', async () => {
55
+ const request = new Request('https://8080-sandbox-token12345678901.example.com/ws', {
56
+ headers: {
57
+ 'Upgrade': 'websocket',
58
+ },
59
+ });
60
+
61
+ await proxyToSandbox(request, mockEnv);
62
+
63
+ expect(mockSandbox.fetch).toHaveBeenCalledTimes(1);
64
+ const fetchCall = vi.mocked(mockSandbox.fetch as any).mock.calls[0][0] as Request;
65
+ expect(fetchCall.headers.get('cf-container-target-port')).toBe('8080');
66
+ });
67
+
68
+ it('should preserve original headers for WebSocket', async () => {
69
+ const request = new Request('https://8080-sandbox-token12345678901.example.com/ws', {
70
+ headers: {
71
+ 'Upgrade': 'websocket',
72
+ 'Sec-WebSocket-Key': 'test-key-123',
73
+ 'Sec-WebSocket-Version': '13',
74
+ 'User-Agent': 'test-client',
75
+ },
76
+ });
77
+
78
+ await proxyToSandbox(request, mockEnv);
79
+
80
+ const fetchCall = vi.mocked(mockSandbox.fetch as any).mock.calls[0][0] as Request;
81
+ expect(fetchCall.headers.get('Upgrade')).toBe('websocket');
82
+ expect(fetchCall.headers.get('Sec-WebSocket-Key')).toBe('test-key-123');
83
+ expect(fetchCall.headers.get('Sec-WebSocket-Version')).toBe('13');
84
+ expect(fetchCall.headers.get('User-Agent')).toBe('test-client');
85
+ });
86
+ });
87
+
88
+ describe('HTTP routing (existing behavior)', () => {
89
+ it('should route HTTP requests through containerFetch', async () => {
90
+ const request = new Request('https://8080-sandbox-token12345678901.example.com/api/data', {
91
+ method: 'GET',
92
+ });
93
+
94
+ await proxyToSandbox(request, mockEnv);
95
+
96
+ // Should route through containerFetch() for HTTP
97
+ expect(mockSandbox.containerFetch).toHaveBeenCalledTimes(1);
98
+ expect(mockSandbox.fetch).not.toHaveBeenCalled();
99
+ });
100
+
101
+ it('should route POST requests through containerFetch', async () => {
102
+ const request = new Request('https://8080-sandbox-token12345678901.example.com/api/data', {
103
+ method: 'POST',
104
+ body: JSON.stringify({ data: 'test' }),
105
+ headers: {
106
+ 'Content-Type': 'application/json',
107
+ },
108
+ });
109
+
110
+ await proxyToSandbox(request, mockEnv);
111
+
112
+ expect(mockSandbox.containerFetch).toHaveBeenCalledTimes(1);
113
+ expect(mockSandbox.fetch).not.toHaveBeenCalled();
114
+ });
115
+
116
+ it('should not detect SSE as WebSocket', async () => {
117
+ const request = new Request('https://8080-sandbox-token12345678901.example.com/events', {
118
+ headers: {
119
+ 'Accept': 'text/event-stream',
120
+ },
121
+ });
122
+
123
+ await proxyToSandbox(request, mockEnv);
124
+
125
+ // SSE should use HTTP path, not WebSocket path
126
+ expect(mockSandbox.containerFetch).toHaveBeenCalledTimes(1);
127
+ expect(mockSandbox.fetch).not.toHaveBeenCalled();
128
+ });
129
+ });
130
+
131
+ describe('Token validation', () => {
132
+ it('should validate token for both WebSocket and HTTP requests', async () => {
133
+ const wsRequest = new Request('https://8080-sandbox-token12345678901.example.com/ws', {
134
+ headers: { 'Upgrade': 'websocket' },
135
+ });
136
+
137
+ await proxyToSandbox(wsRequest, mockEnv);
138
+ expect(mockSandbox.validatePortToken).toHaveBeenCalledWith(8080, 'token12345678901');
139
+
140
+ vi.clearAllMocks();
141
+
142
+ const httpRequest = new Request('https://8080-sandbox-token12345678901.example.com/api');
143
+ await proxyToSandbox(httpRequest, mockEnv);
144
+ expect(mockSandbox.validatePortToken).toHaveBeenCalledWith(8080, 'token12345678901');
145
+ });
146
+
147
+ it('should reject requests with invalid token', async () => {
148
+ vi.mocked(mockSandbox.validatePortToken as any).mockResolvedValue(false);
149
+
150
+ const request = new Request('https://8080-sandbox-invalidtoken1234.example.com/ws', {
151
+ headers: { 'Upgrade': 'websocket' },
152
+ });
153
+
154
+ const response = await proxyToSandbox(request, mockEnv);
155
+
156
+ expect(response?.status).toBe(404);
157
+ expect(mockSandbox.fetch).not.toHaveBeenCalled();
158
+
159
+ const body = await response?.json();
160
+ expect(body).toMatchObject({
161
+ error: 'Access denied: Invalid token or port not exposed',
162
+ code: 'INVALID_TOKEN',
163
+ });
164
+ });
165
+
166
+ it('should reject reserved port 3000', async () => {
167
+ // Port 3000 is reserved as control plane port and rejected by validatePort()
168
+ const request = new Request('https://3000-sandbox-anytoken12345678.example.com/status', {
169
+ method: 'GET',
170
+ });
171
+
172
+ const response = await proxyToSandbox(request, mockEnv);
173
+
174
+ // Port 3000 is reserved and should be rejected (extractSandboxRoute returns null)
175
+ expect(response).toBeNull();
176
+ expect(mockSandbox.validatePortToken).not.toHaveBeenCalled();
177
+ expect(mockSandbox.containerFetch).not.toHaveBeenCalled();
178
+ });
179
+ });
180
+
181
+ describe('Port routing', () => {
182
+ it('should route to correct port from subdomain', async () => {
183
+ const request = new Request('https://9000-sandbox-token12345678901.example.com/api', {
184
+ method: 'GET',
185
+ });
186
+
187
+ await proxyToSandbox(request, mockEnv);
188
+
189
+ expect(mockSandbox.validatePortToken).toHaveBeenCalledWith(9000, 'token12345678901');
190
+ });
191
+ });
192
+
193
+ describe('Non-sandbox requests', () => {
194
+ it('should return null for non-sandbox URLs', async () => {
195
+ const request = new Request('https://example.com/some-path');
196
+
197
+ const response = await proxyToSandbox(request, mockEnv);
198
+
199
+ expect(response).toBeNull();
200
+ expect(mockSandbox.fetch).not.toHaveBeenCalled();
201
+ expect(mockSandbox.containerFetch).not.toHaveBeenCalled();
202
+ });
203
+
204
+ it('should return null for invalid subdomain patterns', async () => {
205
+ const request = new Request('https://invalid-pattern.example.com');
206
+
207
+ const response = await proxyToSandbox(request, mockEnv);
208
+
209
+ expect(response).toBeNull();
210
+ });
211
+ });
212
+
213
+ describe('Error handling', () => {
214
+ it('should handle errors during WebSocket routing', async () => {
215
+ (mockSandbox.fetch as any).mockImplementation(() => Promise.reject(new Error('Connection failed')));
216
+
217
+ const request = new Request('https://8080-sandbox-token12345678901.example.com/ws', {
218
+ headers: {
219
+ 'Upgrade': 'websocket',
220
+ },
221
+ });
222
+
223
+ const response = await proxyToSandbox(request, mockEnv);
224
+
225
+ expect(response?.status).toBe(500);
226
+ const text = await response?.text();
227
+ expect(text).toBe('Proxy routing error');
228
+ });
229
+
230
+ it('should handle errors during HTTP routing', async () => {
231
+ (mockSandbox.containerFetch as any).mockImplementation(() => Promise.reject(new Error('Service error')));
232
+
233
+ const request = new Request('https://8080-sandbox-token12345678901.example.com/api');
234
+
235
+ const response = await proxyToSandbox(request, mockEnv);
236
+
237
+ expect(response?.status).toBe(500);
238
+ });
239
+ });
240
+ });