@cloudflare/sandbox 0.2.4 → 0.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +75 -0
- package/Dockerfile +9 -11
- package/README.md +69 -7
- package/container_src/control-process.ts +784 -0
- package/container_src/handler/exec.ts +99 -254
- package/container_src/handler/file.ts +179 -837
- package/container_src/handler/git.ts +28 -80
- package/container_src/handler/process.ts +443 -515
- package/container_src/handler/session.ts +92 -0
- package/container_src/index.ts +68 -130
- package/container_src/isolation.ts +1038 -0
- package/container_src/shell-escape.ts +42 -0
- package/container_src/types.ts +27 -13
- package/dist/{chunk-HHUDRGPY.js → chunk-BEQUGUY4.js} +2 -2
- package/dist/{chunk-CKIGERRS.js → chunk-LFLJGISB.js} +240 -264
- package/dist/chunk-LFLJGISB.js.map +1 -0
- package/dist/{chunk-3CQ6THKA.js → chunk-SMUEY5JR.js} +85 -103
- package/dist/chunk-SMUEY5JR.js.map +1 -0
- package/dist/{client-Ce40ujDF.d.ts → client-Dny_ro_v.d.ts} +41 -25
- package/dist/client.d.ts +1 -1
- package/dist/client.js +1 -1
- package/dist/index.d.ts +2 -2
- package/dist/index.js +8 -9
- package/dist/interpreter.d.ts +1 -1
- package/dist/jupyter-client.d.ts +1 -1
- package/dist/jupyter-client.js +2 -2
- package/dist/request-handler.d.ts +1 -1
- package/dist/request-handler.js +3 -5
- package/dist/sandbox.d.ts +1 -1
- package/dist/sandbox.js +3 -5
- package/dist/types.d.ts +10 -21
- package/dist/types.js +35 -9
- package/dist/types.js.map +1 -1
- package/package.json +2 -2
- package/src/client.ts +120 -135
- package/src/index.ts +8 -0
- package/src/sandbox.ts +290 -331
- package/src/types.ts +15 -24
- package/dist/chunk-3CQ6THKA.js.map +0 -1
- package/dist/chunk-6EWSYSO7.js +0 -46
- package/dist/chunk-6EWSYSO7.js.map +0 -1
- package/dist/chunk-CKIGERRS.js.map +0 -1
- /package/dist/{chunk-HHUDRGPY.js.map → chunk-BEQUGUY4.js.map} +0 -0
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Secure shell command utilities to prevent injection attacks
|
|
3
|
+
*/
|
|
4
|
+
|
|
5
|
+
/**
|
|
6
|
+
* Escapes a string for safe use in shell commands.
|
|
7
|
+
* This follows POSIX shell escaping rules to prevent command injection.
|
|
8
|
+
*
|
|
9
|
+
* @param str - The string to escape
|
|
10
|
+
* @returns The escaped string safe for shell use
|
|
11
|
+
*/
|
|
12
|
+
export function escapeShellArg(str: string): string {
|
|
13
|
+
// If string is empty, return empty quotes
|
|
14
|
+
if (str === '') {
|
|
15
|
+
return "''";
|
|
16
|
+
}
|
|
17
|
+
|
|
18
|
+
// Check if string contains any characters that need escaping
|
|
19
|
+
// Safe characters: alphanumeric, dash, underscore, dot, slash
|
|
20
|
+
if (/^[a-zA-Z0-9._\-/]+$/.test(str)) {
|
|
21
|
+
return str;
|
|
22
|
+
}
|
|
23
|
+
|
|
24
|
+
// For strings with special characters, use single quotes and escape single quotes
|
|
25
|
+
// Single quotes preserve all characters literally except the single quote itself
|
|
26
|
+
// To include a single quote, we end the quoted string, add an escaped quote, and start a new quoted string
|
|
27
|
+
return `'${str.replace(/'/g, "'\\''")}'`;
|
|
28
|
+
}
|
|
29
|
+
|
|
30
|
+
/**
|
|
31
|
+
* Escapes a file path for safe use in shell commands.
|
|
32
|
+
*
|
|
33
|
+
* @param path - The file path to escape
|
|
34
|
+
* @returns The escaped path safe for shell use
|
|
35
|
+
*/
|
|
36
|
+
export function escapeShellPath(path: string): string {
|
|
37
|
+
// Normalize path to prevent issues with multiple slashes
|
|
38
|
+
const normalizedPath = path.replace(/\/+/g, '/');
|
|
39
|
+
|
|
40
|
+
// Apply standard shell escaping
|
|
41
|
+
return escapeShellArg(normalizedPath);
|
|
42
|
+
}
|
package/container_src/types.ts
CHANGED
|
@@ -17,19 +17,20 @@ export interface ProcessRecord {
|
|
|
17
17
|
startTime: Date;
|
|
18
18
|
endTime?: Date;
|
|
19
19
|
exitCode?: number;
|
|
20
|
-
|
|
21
|
-
|
|
20
|
+
stdoutFile?: string; // Path to temp file containing stdout
|
|
21
|
+
stderrFile?: string; // Path to temp file containing stderr
|
|
22
22
|
stdout: string;
|
|
23
23
|
stderr: string;
|
|
24
24
|
outputListeners: Set<(stream: 'stdout' | 'stderr', data: string) => void>;
|
|
25
25
|
statusListeners: Set<(status: ProcessStatus) => void>;
|
|
26
|
+
monitoringInterval?: NodeJS.Timeout; // For polling temp files when streaming
|
|
26
27
|
}
|
|
27
28
|
|
|
28
29
|
export interface StartProcessRequest {
|
|
29
30
|
command: string;
|
|
31
|
+
sessionId: string;
|
|
30
32
|
options?: {
|
|
31
33
|
processId?: string;
|
|
32
|
-
sessionId?: string;
|
|
33
34
|
timeout?: number;
|
|
34
35
|
env?: Record<string, string>;
|
|
35
36
|
cwd?: string;
|
|
@@ -39,7 +40,6 @@ export interface StartProcessRequest {
|
|
|
39
40
|
}
|
|
40
41
|
|
|
41
42
|
export interface ExecuteOptions {
|
|
42
|
-
sessionId?: string | null;
|
|
43
43
|
background?: boolean;
|
|
44
44
|
cwd?: string | URL;
|
|
45
45
|
env?: Record<string, string>;
|
|
@@ -47,49 +47,50 @@ export interface ExecuteOptions {
|
|
|
47
47
|
|
|
48
48
|
export interface ExecuteRequest extends ExecuteOptions {
|
|
49
49
|
command: string;
|
|
50
|
+
sessionId: string;
|
|
50
51
|
}
|
|
51
52
|
|
|
52
53
|
export interface GitCheckoutRequest {
|
|
53
54
|
repoUrl: string;
|
|
54
55
|
branch?: string;
|
|
55
56
|
targetDir?: string;
|
|
56
|
-
sessionId
|
|
57
|
+
sessionId: string;
|
|
57
58
|
}
|
|
58
59
|
|
|
59
60
|
export interface MkdirRequest {
|
|
60
61
|
path: string;
|
|
61
62
|
recursive?: boolean;
|
|
62
|
-
sessionId
|
|
63
|
+
sessionId: string;
|
|
63
64
|
}
|
|
64
65
|
|
|
65
66
|
export interface WriteFileRequest {
|
|
66
67
|
path: string;
|
|
67
68
|
content: string;
|
|
68
69
|
encoding?: string;
|
|
69
|
-
sessionId
|
|
70
|
+
sessionId: string;
|
|
70
71
|
}
|
|
71
72
|
|
|
72
73
|
export interface ReadFileRequest {
|
|
73
74
|
path: string;
|
|
74
75
|
encoding?: string;
|
|
75
|
-
sessionId
|
|
76
|
+
sessionId: string;
|
|
76
77
|
}
|
|
77
78
|
|
|
78
79
|
export interface DeleteFileRequest {
|
|
79
80
|
path: string;
|
|
80
|
-
sessionId
|
|
81
|
+
sessionId: string;
|
|
81
82
|
}
|
|
82
83
|
|
|
83
84
|
export interface RenameFileRequest {
|
|
84
85
|
oldPath: string;
|
|
85
86
|
newPath: string;
|
|
86
|
-
sessionId
|
|
87
|
+
sessionId: string;
|
|
87
88
|
}
|
|
88
89
|
|
|
89
90
|
export interface MoveFileRequest {
|
|
90
91
|
sourcePath: string;
|
|
91
92
|
destinationPath: string;
|
|
92
|
-
sessionId
|
|
93
|
+
sessionId: string;
|
|
93
94
|
}
|
|
94
95
|
|
|
95
96
|
export interface ListFilesRequest {
|
|
@@ -98,7 +99,7 @@ export interface ListFilesRequest {
|
|
|
98
99
|
recursive?: boolean;
|
|
99
100
|
includeHidden?: boolean;
|
|
100
101
|
};
|
|
101
|
-
sessionId
|
|
102
|
+
sessionId: string;
|
|
102
103
|
}
|
|
103
104
|
|
|
104
105
|
export interface ExposePortRequest {
|
|
@@ -111,7 +112,20 @@ export interface UnexposePortRequest {
|
|
|
111
112
|
}
|
|
112
113
|
|
|
113
114
|
export interface SessionData {
|
|
114
|
-
|
|
115
|
+
id: string;
|
|
115
116
|
activeProcess: ChildProcess | null;
|
|
116
117
|
createdAt: Date;
|
|
117
118
|
}
|
|
119
|
+
|
|
120
|
+
// Session management API types
|
|
121
|
+
export interface CreateSessionRequest {
|
|
122
|
+
id: string;
|
|
123
|
+
env?: Record<string, string>;
|
|
124
|
+
cwd?: string;
|
|
125
|
+
isolation?: boolean;
|
|
126
|
+
}
|
|
127
|
+
|
|
128
|
+
export interface SessionExecRequest {
|
|
129
|
+
id: string;
|
|
130
|
+
command: string;
|
|
131
|
+
}
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import {
|
|
2
2
|
HttpClient
|
|
3
|
-
} from "./chunk-
|
|
3
|
+
} from "./chunk-SMUEY5JR.js";
|
|
4
4
|
import {
|
|
5
5
|
isRetryableError,
|
|
6
6
|
parseErrorResponse
|
|
@@ -234,4 +234,4 @@ var JupyterClient = class extends HttpClient {
|
|
|
234
234
|
export {
|
|
235
235
|
JupyterClient
|
|
236
236
|
};
|
|
237
|
-
//# sourceMappingURL=chunk-
|
|
237
|
+
//# sourceMappingURL=chunk-BEQUGUY4.js.map
|