@cloudflare/sandbox 0.4.18 → 0.5.2

package/tests/openai-shell-editor.test.ts

@@ -0,0 +1,434 @@
+import type { ApplyPatchOperation } from '@openai/agents';
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+import { Editor, Shell } from '../src/openai/index';
+import type { Sandbox } from '../src/sandbox';
+
+interface MockSandbox {
+  exec?: ReturnType<typeof vi.fn>;
+  mkdir?: ReturnType<typeof vi.fn>;
+  writeFile?: ReturnType<typeof vi.fn>;
+  readFile?: ReturnType<typeof vi.fn>;
+  deleteFile?: ReturnType<typeof vi.fn>;
+}
+
+const { loggerSpies, createLoggerMock, applyDiffMock } = vi.hoisted(() => {
+  const logger = {
+    debug: vi.fn(),
+    info: vi.fn(),
+    warn: vi.fn(),
+    error: vi.fn(),
+    child: vi.fn().mockReturnThis()
+  };
+
+  return {
+    loggerSpies: logger,
+    createLoggerMock: vi.fn(() => logger),
+    applyDiffMock: vi.fn<(...args: any[]) => string>()
+  };
+});
+
+vi.mock('@repo/shared', () => ({
+  createLogger: createLoggerMock
+}));
+
+vi.mock('@openai/agents', () => ({
+  applyDiff: applyDiffMock
+}));
+
+describe('Shell', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it('runs commands and collects results', async () => {
+    const execMock = vi.fn().mockResolvedValue({
+      stdout: 'hello\n',
+      stderr: '',
+      exitCode: 0
+    });
+
+    const mockSandbox: MockSandbox = { exec: execMock };
+    const shell = new Shell(mockSandbox as unknown as Sandbox);
+
+    const result = await shell.run({
+      commands: ['echo hello'],
+      timeoutMs: 500
+    });
+
+    expect(execMock).toHaveBeenCalledWith('echo hello', {
+      timeout: 500,
+      cwd: '/workspace'
+    });
+    expect(result.output).toHaveLength(1);
+    expect(result.output[0]).toMatchObject({
+      command: 'echo hello',
+      stdout: 'hello\n',
+      stderr: '',
+      outcome: { type: 'exit', exitCode: 0 }
+    });
+    expect(shell.results).toHaveLength(1);
+    expect(loggerSpies.info).toHaveBeenCalledWith(
+      'Command completed successfully',
+      { command: 'echo hello' }
+    );
+  });
+
+  it('halts subsequent commands after a timeout error', async () => {
+    const timeoutError = new Error('Command timed out');
+    const execMock = vi.fn().mockRejectedValue(timeoutError);
+
+    const mockSandbox: MockSandbox = { exec: execMock };
+    const shell = new Shell(mockSandbox as unknown as Sandbox);
+    const action = {
+      commands: ['sleep 1', 'echo never'],
+      timeoutMs: 25
+    };
+
+    const result = await shell.run(action);
+
+    expect(execMock).toHaveBeenCalledTimes(1);
+    expect(result.output[0].outcome).toEqual({ type: 'timeout' });
+    expect(shell.results[0].exitCode).toBeNull();
+    expect(loggerSpies.warn).toHaveBeenCalledWith(
+      'Breaking command loop due to timeout'
+    );
+    expect(loggerSpies.error).toHaveBeenCalledWith(
+      'Command timed out',
+      undefined,
+      expect.objectContaining({
+        command: 'sleep 1',
+        timeout: 25
+      })
+    );
+  });
+});
+
+describe('Editor', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    applyDiffMock.mockReset();
+  });
+
+  it('creates files using applyDiff output', async () => {
+    applyDiffMock.mockReturnValueOnce('file contents');
+
+    const mockSandbox: MockSandbox = {
+      mkdir: vi.fn().mockResolvedValue(undefined),
+      writeFile: vi.fn().mockResolvedValue(undefined)
+    };
+
+    const editor = new Editor(mockSandbox as unknown as Sandbox);
+    const operation = {
+      type: 'create_file',
+      path: 'src/app.ts',
+      diff: '--- diff ---'
+    } as Extract<ApplyPatchOperation, { type: 'create_file' }>;
+
+    await editor.createFile(operation);
+
+    expect(applyDiffMock).toHaveBeenCalledWith('', operation.diff, 'create');
+    expect(mockSandbox.mkdir).toHaveBeenCalledWith('/workspace/src', {
+      recursive: true
+    });
+    expect(mockSandbox.writeFile).toHaveBeenCalledWith(
+      '/workspace/src/app.ts',
+      'file contents',
+      { encoding: 'utf-8' }
+    );
+    expect(editor.results[0]).toMatchObject({
+      operation: 'create',
+      path: 'src/app.ts',
+      status: 'completed'
+    });
+    expect(loggerSpies.info).toHaveBeenCalledWith(
+      'File created successfully',
+      expect.objectContaining({ path: 'src/app.ts' })
+    );
+  });
+
+  it('applies diffs when updating existing files', async () => {
+    applyDiffMock.mockReturnValueOnce('patched content');
+
+    const mockSandbox: MockSandbox = {
+      readFile: vi.fn().mockResolvedValue({ content: 'original content' }),
+      writeFile: vi.fn().mockResolvedValue(undefined)
+    };
+
+    const editor = new Editor(mockSandbox as unknown as Sandbox);
+    const operation = {
+      type: 'update_file',
+      path: 'README.md',
+      diff: 'patch diff'
+    } as Extract<ApplyPatchOperation, { type: 'update_file' }>;
+
+    await editor.updateFile(operation);
+
+    expect(mockSandbox.readFile).toHaveBeenCalledWith('/workspace/README.md', {
+      encoding: 'utf-8'
+    });
+    expect(applyDiffMock).toHaveBeenCalledWith(
+      'original content',
+      operation.diff
+    );
+    expect(mockSandbox.writeFile).toHaveBeenCalledWith(
+      '/workspace/README.md',
+      'patched content',
+      { encoding: 'utf-8' }
+    );
+    expect(editor.results[0]).toMatchObject({
+      operation: 'update',
+      path: 'README.md',
+      status: 'completed'
+    });
+  });
+
+  it('throws descriptive error when attempting to update a missing file', async () => {
+    const missingError = Object.assign(new Error('not found'), { status: 404 });
+    const mockSandbox: MockSandbox = {
+      readFile: vi.fn().mockRejectedValue(missingError)
+    };
+
+    const editor = new Editor(mockSandbox as unknown as Sandbox);
+    const operation = {
+      type: 'update_file',
+      path: 'missing.txt',
+      diff: 'patch diff'
+    } as Extract<ApplyPatchOperation, { type: 'update_file' }>;
+
+    await expect(editor.updateFile(operation)).rejects.toThrow(
+      'Cannot update missing file: missing.txt'
+    );
+    expect(loggerSpies.error).toHaveBeenCalledWith(
+      'Cannot update missing file',
+      undefined,
+      { path: 'missing.txt' }
+    );
+  });
+
+  describe('Path traversal security', () => {
+    it('should reject path traversal attempts with ../', async () => {
+      const mockSandbox: MockSandbox = {
+        mkdir: vi.fn(),
+        writeFile: vi.fn()
+      };
+
+      const editor = new Editor(mockSandbox as unknown as Sandbox);
+      const operation = {
+        type: 'create_file',
+        path: '../etc/passwd',
+        diff: 'malicious content'
+      } as Extract<ApplyPatchOperation, { type: 'create_file' }>;
+
+      await expect(editor.createFile(operation)).rejects.toThrow(
+        'Operation outside workspace: ../etc/passwd'
+      );
+      expect(mockSandbox.writeFile).not.toHaveBeenCalled();
+    });
+
+    it('should reject path traversal attempts with ../../', async () => {
+      const mockSandbox: MockSandbox = {
+        mkdir: vi.fn(),
+        writeFile: vi.fn()
+      };
+
+      const editor = new Editor(mockSandbox as unknown as Sandbox);
+      const operation = {
+        type: 'create_file',
+        path: '../../etc/passwd',
+        diff: 'malicious content'
+      } as Extract<ApplyPatchOperation, { type: 'create_file' }>;
+
+      await expect(editor.createFile(operation)).rejects.toThrow(
+        'Operation outside workspace: ../../etc/passwd'
+      );
+      expect(mockSandbox.writeFile).not.toHaveBeenCalled();
+    });
+
+    it('should reject path traversal attempts with mixed paths like src/../../etc/passwd', async () => {
+      const mockSandbox: MockSandbox = {
+        mkdir: vi.fn(),
+        writeFile: vi.fn()
+      };
+
+      const editor = new Editor(mockSandbox as unknown as Sandbox);
+      const operation = {
+        type: 'create_file',
+        path: 'src/../../etc/passwd',
+        diff: 'malicious content'
+      } as Extract<ApplyPatchOperation, { type: 'create_file' }>;
+
+      await expect(editor.createFile(operation)).rejects.toThrow(
+        'Operation outside workspace: src/../../etc/passwd'
+      );
+      expect(mockSandbox.writeFile).not.toHaveBeenCalled();
+    });
+
+    it('should reject path traversal attempts with leading slash /../../etc/passwd', async () => {
+      const mockSandbox: MockSandbox = {
+        mkdir: vi.fn(),
+        writeFile: vi.fn()
+      };
+
+      const editor = new Editor(mockSandbox as unknown as Sandbox);
+      const operation = {
+        type: 'create_file',
+        path: '/../../etc/passwd',
+        diff: 'malicious content'
+      } as Extract<ApplyPatchOperation, { type: 'create_file' }>;
+
+      await expect(editor.createFile(operation)).rejects.toThrow(
+        'Operation outside workspace: /../../etc/passwd'
+      );
+      expect(mockSandbox.writeFile).not.toHaveBeenCalled();
+    });
+
+    it('should reject path traversal attempts with leading dot-slash ./../../etc/passwd', async () => {
+      const mockSandbox: MockSandbox = {
+        mkdir: vi.fn(),
+        writeFile: vi.fn()
+      };
+
+      const editor = new Editor(mockSandbox as unknown as Sandbox);
+      const operation = {
+        type: 'create_file',
+        path: './../../etc/passwd',
+        diff: 'malicious content'
+      } as Extract<ApplyPatchOperation, { type: 'create_file' }>;
+
+      await expect(editor.createFile(operation)).rejects.toThrow(
+        'Operation outside workspace: ./../../etc/passwd'
+      );
+      expect(mockSandbox.writeFile).not.toHaveBeenCalled();
+    });
+
+    it('should reject path traversal in updateFile operations', async () => {
+      const mockSandbox: MockSandbox = {
+        readFile: vi.fn()
+      };
+
+      const editor = new Editor(mockSandbox as unknown as Sandbox);
+      const operation = {
+        type: 'update_file',
+        path: '../../etc/passwd',
+        diff: 'patch diff'
+      } as Extract<ApplyPatchOperation, { type: 'update_file' }>;
+
+      await expect(editor.updateFile(operation)).rejects.toThrow(
+        'Operation outside workspace: ../../etc/passwd'
+      );
+      expect(mockSandbox.readFile).not.toHaveBeenCalled();
+    });
+
+    it('should reject path traversal in deleteFile operations', async () => {
+      const mockSandbox: MockSandbox = {
+        deleteFile: vi.fn()
+      };
+
+      const editor = new Editor(mockSandbox as unknown as Sandbox);
+      const operation = {
+        type: 'delete_file',
+        path: '../../etc/passwd'
+      } as Extract<ApplyPatchOperation, { type: 'delete_file' }>;
+
+      await expect(editor.deleteFile(operation)).rejects.toThrow(
+        'Operation outside workspace: ../../etc/passwd'
+      );
+      expect(mockSandbox.deleteFile).not.toHaveBeenCalled();
+    });
+
+    it('should allow valid paths that use .. but stay within workspace', async () => {
+      applyDiffMock.mockReturnValueOnce('file contents');
+
+      const mockSandbox: MockSandbox = {
+        mkdir: vi.fn().mockResolvedValue(undefined),
+        writeFile: vi.fn().mockResolvedValue(undefined)
+      };
+
+      const editor = new Editor(mockSandbox as unknown as Sandbox);
+      const operation = {
+        type: 'create_file',
+        path: 'src/subdir/../../file.txt',
+        diff: '--- diff ---'
+      } as Extract<ApplyPatchOperation, { type: 'create_file' }>;
+
+      await editor.createFile(operation);
+
+      // Should resolve to /workspace/file.txt
+      expect(mockSandbox.writeFile).toHaveBeenCalledWith(
+        '/workspace/file.txt',
+        'file contents',
+        { encoding: 'utf-8' }
+      );
+    });
+
+    it('should handle paths with multiple consecutive slashes correctly', async () => {
+      applyDiffMock.mockReturnValueOnce('file contents');
+
+      const mockSandbox: MockSandbox = {
+        mkdir: vi.fn().mockResolvedValue(undefined),
+        writeFile: vi.fn().mockResolvedValue(undefined)
+      };
+
+      const editor = new Editor(mockSandbox as unknown as Sandbox);
+      const operation = {
+        type: 'create_file',
+        path: 'src//subdir///file.txt',
+        diff: '--- diff ---'
+      } as Extract<ApplyPatchOperation, { type: 'create_file' }>;
+
+      await editor.createFile(operation);
+
+      expect(mockSandbox.writeFile).toHaveBeenCalledWith(
+        '/workspace/src/subdir/file.txt',
+        'file contents',
+        { encoding: 'utf-8' }
+      );
+    });
+
+    it('should reject deep path traversal attempts', async () => {
+      const mockSandbox: MockSandbox = {
+        mkdir: vi.fn(),
+        writeFile: vi.fn()
+      };
+
+      const editor = new Editor(mockSandbox as unknown as Sandbox);
+      const operation = {
+        type: 'create_file',
+        path: 'a/b/c/../../../../etc/passwd',
+        diff: 'malicious content'
+      } as Extract<ApplyPatchOperation, { type: 'create_file' }>;
+
+      await expect(editor.createFile(operation)).rejects.toThrow(
+        'Operation outside workspace: a/b/c/../../../../etc/passwd'
+      );
+      expect(mockSandbox.writeFile).not.toHaveBeenCalled();
+    });
+
+    it('should handle absolute paths within workspace', async () => {
+      applyDiffMock.mockReturnValueOnce('content');
+
+      const mockSandbox: MockSandbox = {
+        mkdir: vi.fn().mockResolvedValue(undefined),
+        writeFile: vi.fn().mockResolvedValue(undefined)
+      };
+
+      const editor = new Editor(
+        mockSandbox as unknown as Sandbox,
+        '/workspace'
+      );
+      const operation = {
+        type: 'create_file',
+        path: '/workspace/file.txt',
+        diff: 'content'
+      } as Extract<ApplyPatchOperation, { type: 'create_file' }>;
+
+      await editor.createFile(operation);
+
+      expect(mockSandbox.writeFile).toHaveBeenCalledWith(
+        '/workspace/file.txt', // Not /workspace/workspace/file.txt
+        'content',
+        { encoding: 'utf-8' }
+      );
+    });
+  });
+});

package/tests/port-client.test.ts

@@ -1,9 +1,9 @@
-import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
 import type {
-  ExposePortResponse,
-  GetExposedPortsResponse,
-  UnexposePortResponse
-} from '../src/clients';
+  PortCloseResult,
+  PortExposeResult,
+  PortListResult
+} from '@repo/shared';
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
 import { PortClient } from '../src/clients/port-client';
 import {
   InvalidPortError,
@@ -37,11 +37,10 @@ describe('PortClient', () => {
 
   describe('service exposure', () => {
     it('should expose web services successfully', async () => {
-      const mockResponse: ExposePortResponse = {
+      const mockResponse: PortExposeResult = {
         success: true,
         port: 3001,
-        exposedAt: 'https://preview-abc123.workers.dev',
-        name: 'web-server',
+        url: 'https://preview-abc123.workers.dev',
         timestamp: '2023-01-01T00:00:00Z'
       };
 
@@ -53,17 +52,15 @@ describe('PortClient', () => {
 
       expect(result.success).toBe(true);
       expect(result.port).toBe(3001);
-      expect(result.exposedAt).toBe('https://preview-abc123.workers.dev');
-      expect(result.name).toBe('web-server');
-      expect(result.exposedAt.startsWith('https://')).toBe(true);
+      expect(result.url).toBe('https://preview-abc123.workers.dev');
+      expect(result.url.startsWith('https://')).toBe(true);
     });
 
     it('should expose API services on different ports', async () => {
-      const mockResponse: ExposePortResponse = {
+      const mockResponse: PortExposeResult = {
         success: true,
         port: 8080,
-        exposedAt: 'https://api-def456.workers.dev',
-        name: 'api-server',
+        url: 'https://api-def456.workers.dev',
         timestamp: '2023-01-01T00:00:00Z'
       };
 
@@ -75,15 +72,14 @@ describe('PortClient', () => {
 
       expect(result.success).toBe(true);
       expect(result.port).toBe(8080);
-      expect(result.name).toBe('api-server');
-      expect(result.exposedAt).toContain('api-');
+      expect(result.url).toContain('api-');
     });
 
     it('should expose services without explicit names', async () => {
-      const mockResponse: ExposePortResponse = {
+      const mockResponse: PortExposeResult = {
         success: true,
         port: 5000,
-        exposedAt: 'https://service-ghi789.workers.dev',
+        url: 'https://service-ghi789.workers.dev',
         timestamp: '2023-01-01T00:00:00Z'
       };
 
@@ -95,33 +91,31 @@ describe('PortClient', () => {
 
       expect(result.success).toBe(true);
       expect(result.port).toBe(5000);
-      expect(result.name).toBeUndefined();
-      expect(result.exposedAt).toBeDefined();
+      expect(result.url).toBeDefined();
     });
   });
 
   describe('service management', () => {
     it('should list all exposed services', async () => {
-      const mockResponse: GetExposedPortsResponse = {
+      const mockResponse: PortListResult = {
         success: true,
         ports: [
           {
             port: 3000,
-            exposedAt: 'https://frontend-abc123.workers.dev',
-            name: 'frontend'
+            url: 'https://frontend-abc123.workers.dev',
+            status: 'active'
           },
           {
             port: 4000,
-            exposedAt: 'https://api-def456.workers.dev',
-            name: 'api'
+            url: 'https://api-def456.workers.dev',
+            status: 'active'
           },
           {
             port: 5432,
-            exposedAt: 'https://db-ghi789.workers.dev',
-            name: 'database'
+            url: 'https://db-ghi789.workers.dev',
+            status: 'active'
           }
         ],
-        count: 3,
         timestamp: '2023-01-01T00:10:00Z'
       };
 
@@ -132,21 +126,18 @@ describe('PortClient', () => {
       const result = await client.getExposedPorts('session-list');
 
       expect(result.success).toBe(true);
-      expect(result.count).toBe(3);
       expect(result.ports).toHaveLength(3);
 
       result.ports.forEach((service) => {
-        expect(service.exposedAt).toContain('.workers.dev');
+        expect(service.url).toContain('.workers.dev');
         expect(service.port).toBeGreaterThan(0);
-        expect(service.name).toBeDefined();
       });
     });
 
     it('should handle empty exposed ports list', async () => {
-      const mockResponse: GetExposedPortsResponse = {
+      const mockResponse: PortListResult = {
         success: true,
         ports: [],
-        count: 0,
         timestamp: '2023-01-01T00:00:00Z'
       };
 
@@ -157,12 +148,11 @@ describe('PortClient', () => {
       const result = await client.getExposedPorts('session-empty');
 
       expect(result.success).toBe(true);
-      expect(result.count).toBe(0);
       expect(result.ports).toHaveLength(0);
     });
 
     it('should unexpose services cleanly', async () => {
-      const mockResponse: UnexposePortResponse = {
+      const mockResponse: PortCloseResult = {
         success: true,
         port: 3001,
         timestamp: '2023-01-01T00:15:00Z'