@cloudflare/sandbox 0.2.3 → 0.3.0

package/container_src/jupyter-service.ts

@@ -141,13 +141,16 @@ export class JupyterService {
         "[JupyterService] Pre-warming context pools for better performance"
       );
 
-      // Warm one at a time with delay between them
+      // Only pre-warm Python contexts to avoid Bun WebSocket validation errors
+      // JavaScript contexts will be created on-demand
       await this.jupyterServer.enablePoolWarming("python", 1);
 
-      // Small delay between different language kernels
-      await new Promise((resolve) => setTimeout(resolve, 1000));
-
-      await this.jupyterServer.enablePoolWarming("javascript", 1);
+      // Commenting out JavaScript pre-warming due to kernel message validation errors
+      // The errors appear to be related to Bun's handling of WebSocket messages
+      // JavaScript contexts still work fine when created on-demand
+      // 
+      // await new Promise((resolve) => setTimeout(resolve, 1000));
+      // await this.jupyterServer.enablePoolWarming("javascript", 1);
     } catch (error) {
       console.error("[JupyterService] Error pre-warming context pools:", error);
       console.error(

package/container_src/shell-escape.ts

@@ -0,0 +1,42 @@
+/**
+ * Secure shell command utilities to prevent injection attacks
+ */
+
+/**
+ * Escapes a string for safe use in shell commands.
+ * This follows POSIX shell escaping rules to prevent command injection.
+ * 
+ * @param str - The string to escape
+ * @returns The escaped string safe for shell use
+ */
+export function escapeShellArg(str: string): string {
+  // If string is empty, return empty quotes
+  if (str === '') {
+    return "''";
+  }
+
+  // Check if string contains any characters that need escaping
+  // Safe characters: alphanumeric, dash, underscore, dot, slash
+  if (/^[a-zA-Z0-9._\-/]+$/.test(str)) {
+    return str;
+  }
+
+  // For strings with special characters, use single quotes and escape single quotes
+  // Single quotes preserve all characters literally except the single quote itself
+  // To include a single quote, we end the quoted string, add an escaped quote, and start a new quoted string
+  return `'${str.replace(/'/g, "'\\''")}'`;
+}
+
+/**
+ * Escapes a file path for safe use in shell commands.
+ * 
+ * @param path - The file path to escape
+ * @returns The escaped path safe for shell use
+ */
+export function escapeShellPath(path: string): string {
+  // Normalize path to prevent issues with multiple slashes
+  const normalizedPath = path.replace(/\/+/g, '/');
+  
+  // Apply standard shell escaping
+  return escapeShellArg(normalizedPath);
+}

package/container_src/types.ts

@@ -17,19 +17,20 @@ export interface ProcessRecord {
   startTime: Date;
   endTime?: Date;
   exitCode?: number;
-  sessionId?: string;
-  childProcess?: ChildProcess;
+  stdoutFile?: string;  // Path to temp file containing stdout
+  stderrFile?: string;  // Path to temp file containing stderr
   stdout: string;
   stderr: string;
   outputListeners: Set<(stream: 'stdout' | 'stderr', data: string) => void>;
   statusListeners: Set<(status: ProcessStatus) => void>;
+  monitoringInterval?: NodeJS.Timeout;  // For polling temp files when streaming
 }
 
 export interface StartProcessRequest {
   command: string;
+  sessionId: string;
   options?: {
     processId?: string;
-    sessionId?: string;
     timeout?: number;
     env?: Record<string, string>;
     cwd?: string;
@@ -39,7 +40,6 @@ export interface StartProcessRequest {
 }
 
 export interface ExecuteOptions {
-  sessionId?: string | null;
   background?: boolean;
   cwd?: string | URL;
   env?: Record<string, string>;
@@ -47,49 +47,59 @@ export interface ExecuteOptions {
 
 export interface ExecuteRequest extends ExecuteOptions {
   command: string;
+  sessionId: string;
 }
 
 export interface GitCheckoutRequest {
   repoUrl: string;
   branch?: string;
   targetDir?: string;
-  sessionId?: string;
+  sessionId: string;
 }
 
 export interface MkdirRequest {
   path: string;
   recursive?: boolean;
-  sessionId?: string;
+  sessionId: string;
 }
 
 export interface WriteFileRequest {
   path: string;
   content: string;
   encoding?: string;
-  sessionId?: string;
+  sessionId: string;
 }
 
 export interface ReadFileRequest {
   path: string;
   encoding?: string;
-  sessionId?: string;
+  sessionId: string;
 }
 
 export interface DeleteFileRequest {
   path: string;
-  sessionId?: string;
+  sessionId: string;
 }
 
 export interface RenameFileRequest {
   oldPath: string;
   newPath: string;
-  sessionId?: string;
+  sessionId: string;
 }
 
 export interface MoveFileRequest {
   sourcePath: string;
   destinationPath: string;
-  sessionId?: string;
+  sessionId: string;
+}
+
+export interface ListFilesRequest {
+  path: string;
+  options?: {
+    recursive?: boolean;
+    includeHidden?: boolean;
+  };
+  sessionId: string;
 }
 
 export interface ExposePortRequest {
@@ -102,7 +112,20 @@ export interface UnexposePortRequest {
 }
 
 export interface SessionData {
-  sessionId: string;
+  id: string;
   activeProcess: ChildProcess | null;
   createdAt: Date;
 }
+
+// Session management API types
+export interface CreateSessionRequest {
+  id: string;
+  env?: Record<string, string>;
+  cwd?: string;
+  isolation?: boolean;
+}
+
+export interface SessionExecRequest {
+  id: string;
+  command: string;
+}

package/dist/{chunk-VTKZL632.js → chunk-BEQUGUY4.js}

@@ -1,6 +1,6 @@
 import {
   HttpClient
-} from "./chunk-CUHYLCMT.js";
+} from "./chunk-SMUEY5JR.js";
 import {
   isRetryableError,
   parseErrorResponse
@@ -234,4 +234,4 @@ var JupyterClient = class extends HttpClient {
 export {
   JupyterClient
 };
-//# sourceMappingURL=chunk-VTKZL632.js.map
+//# sourceMappingURL=chunk-BEQUGUY4.js.map