@cloudflare/sandbox 0.0.8 → 0.1.0

package/src/index.ts

@@ -1,136 +1,20 @@
-import { Container, getContainer } from "@cloudflare/containers";
-import { HttpClient } from "./client";
-
-export function getSandbox(ns: DurableObjectNamespace<Sandbox>, id: string) {
-  return getContainer(ns, id);
-}
-
-export class Sandbox<Env = unknown> extends Container<Env> {
-  defaultPort = 3000; // The default port for the container to listen on
-  sleepAfter = "3m"; // Sleep the sandbox if no requests are made in this timeframe
-  client: HttpClient;
-
-  constructor(ctx: DurableObjectState, env: Env) {
-    super(ctx, env);
-    this.client = new HttpClient({
-      onCommandComplete: (success, exitCode, stdout, stderr, command, args) => {
-        console.log(
-          `[Container] Command completed: ${command}, Success: ${success}, Exit code: ${exitCode}`
-        );
-      },
-      onCommandStart: (command, args) => {
-        console.log(
-          `[Container] Command started: ${command} ${args.join(" ")}`
-        );
-      },
-      onError: (error, command, args) => {
-        console.error(`[Container] Command error: ${error}`);
-      },
-      onOutput: (stream, data, command) => {
-        console.log(`[Container] [${stream}] ${data}`);
-      },
-      port: this.defaultPort,
-      stub: this,
-    });
-  }
-
-  envVars = {
-    MESSAGE: "I was passed in via the Sandbox class!",
-  };
-
-  override onStart() {
-    console.log("Sandbox successfully started");
-  }
-
-  override onStop() {
-    console.log("Sandbox successfully shut down");
-    if (this.client) {
-      this.client.clearSession();
-    }
-  }
-
-  override onError(error: unknown) {
-    console.log("Sandbox error:", error);
-  }
-
-  async exec(command: string, args: string[], options?: { stream?: boolean }) {
-    if (options?.stream) {
-      return this.client.executeStream(command, args);
-    }
-    return this.client.execute(command, args);
-  }
-
-  async gitCheckout(
-    repoUrl: string,
-    options: { branch?: string; targetDir?: string; stream?: boolean }
-  ) {
-    if (options?.stream) {
-      return this.client.gitCheckoutStream(
-        repoUrl,
-        options.branch,
-        options.targetDir
-      );
-    }
-    return this.client.gitCheckout(repoUrl, options.branch, options.targetDir);
-  }
-
-  async mkdir(
-    path: string,
-    options: { recursive?: boolean; stream?: boolean } = {}
-  ) {
-    if (options?.stream) {
-      return this.client.mkdirStream(path, options.recursive);
-    }
-    return this.client.mkdir(path, options.recursive);
-  }
-
-  async writeFile(
-    path: string,
-    content: string,
-    options: { encoding?: string; stream?: boolean } = {}
-  ) {
-    if (options?.stream) {
-      return this.client.writeFileStream(path, content, options.encoding);
-    }
-    return this.client.writeFile(path, content, options.encoding);
-  }
-
-  async deleteFile(path: string, options: { stream?: boolean } = {}) {
-    if (options?.stream) {
-      return this.client.deleteFileStream(path);
-    }
-    return this.client.deleteFile(path);
-  }
-
-  async renameFile(
-    oldPath: string,
-    newPath: string,
-    options: { stream?: boolean } = {}
-  ) {
-    if (options?.stream) {
-      return this.client.renameFileStream(oldPath, newPath);
-    }
-    return this.client.renameFile(oldPath, newPath);
-  }
-
-  async moveFile(
-    sourcePath: string,
-    destinationPath: string,
-    options: { stream?: boolean } = {}
-  ) {
-    if (options?.stream) {
-      return this.client.moveFileStream(sourcePath, destinationPath);
-    }
-    return this.client.moveFile(sourcePath, destinationPath);
-  }
-
-  async readFile(
-    path: string,
-    options: { encoding?: string; stream?: boolean } = {}
-  ) {
-    if (options?.stream) {
-      return this.client.readFileStream(path, options.encoding);
-    }
-    return this.client.readFile(path, options.encoding);
-  }
-}
+// Export types from client
+export type {
+  DeleteFileResponse, ExecuteResponse,
+  GitCheckoutResponse,
+  MkdirResponse, MoveFileResponse,
+  ReadFileResponse, RenameFileResponse, WriteFileResponse
+} from "./client";
+
+// Re-export request handler utilities
+export {
+  proxyToSandbox, type RouteInfo, type SandboxEnv
+} from './request-handler';
+
+export { getSandbox, Sandbox } from "./sandbox";
+
+// Export SSE parser for converting ReadableStream to AsyncIterable
+export { asyncIterableToSSEStream, parseSSEStream, responseToAsyncIterable } from "./sse-parser";
+
+// Export event types for streaming
+export type { ExecEvent, LogEvent } from "./types";

package/src/request-handler.ts

@@ -0,0 +1,144 @@
+import { getSandbox, type Sandbox } from "./sandbox";
+import {
+  logSecurityEvent,
+  sanitizeSandboxId,
+  validatePort
+} from "./security";
+
+export interface SandboxEnv {
+  Sandbox: DurableObjectNamespace<Sandbox>;
+}
+
+export interface RouteInfo {
+  port: number;
+  sandboxId: string;
+  path: string;
+}
+
+export async function proxyToSandbox<E extends SandboxEnv>(
+  request: Request,
+  env: E
+): Promise<Response | null> {
+  try {
+    const url = new URL(request.url);
+    const routeInfo = extractSandboxRoute(url);
+
+    if (!routeInfo) {
+      return null; // Not a request to an exposed container port
+    }
+
+    const { sandboxId, port, path } = routeInfo;
+    const sandbox = getSandbox(env.Sandbox, sandboxId);
+
+    // Build proxy request with proper headers
+    let proxyUrl: string;
+
+    // Route based on the target port
+    if (port !== 3000) {
+      // Route directly to user's service on the specified port
+      proxyUrl = `http://localhost:${port}${path}${url.search}`;
+    } else {
+      // Port 3000 is our control plane - route normally
+      proxyUrl = `http://localhost:3000${path}${url.search}`;
+    }
+
+    const proxyRequest = new Request(proxyUrl, {
+      method: request.method,
+      headers: {
+        ...Object.fromEntries(request.headers),
+        'X-Original-URL': request.url,
+        'X-Forwarded-Host': url.hostname,
+        'X-Forwarded-Proto': url.protocol.replace(':', ''),
+        'X-Sandbox-Name': sandboxId, // Pass the friendly name
+      },
+      body: request.body,
+    });
+
+    return sandbox.containerFetch(proxyRequest, port);
+  } catch (error) {
+    console.error('[Sandbox] Proxy routing error:', error);
+    return new Response('Proxy routing error', { status: 500 });
+  }
+}
+
+function extractSandboxRoute(url: URL): RouteInfo | null {
+  // Parse subdomain pattern: port-sandboxId.domain
+  const subdomainMatch = url.hostname.match(/^(\d{4,5})-([^.-][^.]*[^.-]|[^.-])\.(.+)$/);
+
+  if (!subdomainMatch) {
+    // Log malformed subdomain attempts
+    if (url.hostname.includes('-') && url.hostname.includes('.')) {
+      logSecurityEvent('MALFORMED_SUBDOMAIN_ATTEMPT', {
+        hostname: url.hostname,
+        url: url.toString()
+      }, 'medium');
+    }
+    return null;
+  }
+
+  const portStr = subdomainMatch[1];
+  const sandboxId = subdomainMatch[2];
+  const domain = subdomainMatch[3];
+
+  const port = parseInt(portStr, 10);
+  if (!validatePort(port)) {
+    logSecurityEvent('INVALID_PORT_IN_SUBDOMAIN', {
+      port,
+      portStr,
+      sandboxId,
+      hostname: url.hostname,
+      url: url.toString()
+    }, 'high');
+    return null;
+  }
+
+  let sanitizedSandboxId: string;
+  try {
+    sanitizedSandboxId = sanitizeSandboxId(sandboxId);
+  } catch (error) {
+    logSecurityEvent('INVALID_SANDBOX_ID_IN_SUBDOMAIN', {
+      sandboxId,
+      port,
+      hostname: url.hostname,
+      url: url.toString(),
+      error: error instanceof Error ? error.message : 'Unknown error'
+    }, 'high');
+    return null;
+  }
+
+  // DNS subdomain length limit is 63 characters
+  if (sandboxId.length > 63) {
+    logSecurityEvent('SANDBOX_ID_LENGTH_VIOLATION', {
+      sandboxId,
+      length: sandboxId.length,
+      port,
+      hostname: url.hostname
+    }, 'medium');
+    return null;
+  }
+
+  logSecurityEvent('SANDBOX_ROUTE_EXTRACTED', {
+    port,
+    sandboxId: sanitizedSandboxId,
+    domain,
+    path: url.pathname || "/",
+    hostname: url.hostname
+  }, 'low');
+
+  return {
+    port,
+    sandboxId: sanitizedSandboxId,
+    path: url.pathname || "/",
+  };
+}
+
+export function isLocalhostPattern(hostname: string): boolean {
+  const hostPart = hostname.split(":")[0];
+  return (
+    hostPart === "localhost" ||
+    hostPart === "127.0.0.1" ||
+    hostPart === "::1" ||
+    hostPart === "[::1]" ||
+    hostPart === "0.0.0.0"
+  );
+}