@cloudflare/sandbox 0.5.6 → 0.6.0

package/src/security.ts

@@ -1,119 +0,0 @@
-/**
- * Security utilities for URL construction and input validation
- *
- * This module contains critical security functions to prevent:
- * - URL injection attacks
- * - SSRF (Server-Side Request Forgery) attacks
- * - DNS rebinding attacks
- * - Host header injection
- * - Open redirect vulnerabilities
- */
-
-export class SecurityError extends Error {
-  constructor(
-    message: string,
-    public readonly code?: string
-  ) {
-    super(message);
-    this.name = 'SecurityError';
-  }
-}
-
-/**
- * Validates port numbers for sandbox services
- * Only allows non-system ports to prevent conflicts and security issues
- */
-export function validatePort(port: number): boolean {
-  // Must be a valid integer
-  if (!Number.isInteger(port)) {
-    return false;
-  }
-
-  // Only allow non-system ports (1024-65535)
-  if (port < 1024 || port > 65535) {
-    return false;
-  }
-
-  // Exclude ports reserved by our system
-  const reservedPorts = [
-    3000, // Control plane port
-    8787 // Common wrangler dev port
-  ];
-
-  if (reservedPorts.includes(port)) {
-    return false;
-  }
-
-  return true;
-}
-
-/**
- * Sanitizes and validates sandbox IDs for DNS compliance and security
- * Only enforces critical requirements - allows maximum developer flexibility
- */
-export function sanitizeSandboxId(id: string): string {
-  // Basic validation: not empty, reasonable length limit (DNS subdomain limit is 63 chars)
-  if (!id || id.length > 63) {
-    throw new SecurityError(
-      'Sandbox ID must be 1-63 characters long.',
-      'INVALID_SANDBOX_ID_LENGTH'
-    );
-  }
-
-  // DNS compliance: cannot start or end with hyphens (RFC requirement)
-  if (id.startsWith('-') || id.endsWith('-')) {
-    throw new SecurityError(
-      'Sandbox ID cannot start or end with hyphens (DNS requirement).',
-      'INVALID_SANDBOX_ID_HYPHENS'
-    );
-  }
-
-  // Prevent reserved names that cause technical conflicts
-  const reservedNames = [
-    'www',
-    'api',
-    'admin',
-    'root',
-    'system',
-    'cloudflare',
-    'workers'
-  ];
-
-  const lowerCaseId = id.toLowerCase();
-  if (reservedNames.includes(lowerCaseId)) {
-    throw new SecurityError(
-      `Reserved sandbox ID '${id}' is not allowed.`,
-      'RESERVED_SANDBOX_ID'
-    );
-  }
-
-  return id;
-}
-
-/**
- * Validates language for code interpreter
- * Only allows supported languages
- */
-export function validateLanguage(language: string | undefined): void {
-  if (!language) {
-    return; // undefined is valid, will default to python
-  }
-
-  const supportedLanguages = [
-    'python',
-    'python3',
-    'javascript',
-    'js',
-    'node',
-    'typescript',
-    'ts'
-  ];
-  const normalized = language.toLowerCase();
-
-  if (!supportedLanguages.includes(normalized)) {
-    throw new SecurityError(
-      `Unsupported language '${language}'. Supported languages: python, javascript, typescript`,
-      'INVALID_LANGUAGE'
-    );
-  }
-}

package/src/sse-parser.ts

@@ -1,147 +0,0 @@
-/**
- * Server-Sent Events (SSE) parser for streaming responses
- * Converts ReadableStream<Uint8Array> to typed AsyncIterable<T>
- */
-
-/**
- * Parse a ReadableStream of SSE events into typed AsyncIterable
- * @param stream - The ReadableStream from fetch response
- * @param signal - Optional AbortSignal for cancellation
- */
-export async function* parseSSEStream<T>(
-  stream: ReadableStream<Uint8Array>,
-  signal?: AbortSignal
-): AsyncIterable<T> {
-  const reader = stream.getReader();
-  const decoder = new TextDecoder();
-  let buffer = '';
-
-  try {
-    while (true) {
-      // Check for cancellation
-      if (signal?.aborted) {
-        throw new Error('Operation was aborted');
-      }
-
-      const { done, value } = await reader.read();
-      if (done) break;
-
-      // Decode chunk and add to buffer
-      buffer += decoder.decode(value, { stream: true });
-
-      // Process complete SSE events in buffer
-      const lines = buffer.split('\n');
-
-      // Keep the last incomplete line in buffer
-      buffer = lines.pop() || '';
-
-      for (const line of lines) {
-        // Skip empty lines
-        if (line.trim() === '') continue;
-
-        // Process SSE data lines
-        if (line.startsWith('data: ')) {
-          const data = line.substring(6);
-
-          // Skip [DONE] markers or empty data
-          if (data === '[DONE]' || data.trim() === '') continue;
-
-          try {
-            const event = JSON.parse(data) as T;
-            yield event;
-          } catch {
-            // Skip invalid JSON events and continue processing
-          }
-        }
-        // Handle other SSE fields if needed (event:, id:, retry:)
-        // For now, we only care about data: lines
-      }
-    }
-
-    // Process any remaining data in buffer
-    if (buffer.trim() && buffer.startsWith('data: ')) {
-      const data = buffer.substring(6);
-      if (data !== '[DONE]' && data.trim()) {
-        try {
-          const event = JSON.parse(data) as T;
-          yield event;
-        } catch {
-          // Skip invalid JSON in final event
-        }
-      }
-    }
-  } finally {
-    // Clean up resources
-    try {
-      await reader.cancel();
-    } catch {}
-    reader.releaseLock();
-  }
-}
-
-/**
- * Helper to convert a Response with SSE stream directly to AsyncIterable
- * @param response - Response object with SSE stream
- * @param signal - Optional AbortSignal for cancellation
- */
-export async function* responseToAsyncIterable<T>(
-  response: Response,
-  signal?: AbortSignal
-): AsyncIterable<T> {
-  if (!response.ok) {
-    throw new Error(
-      `Response not ok: ${response.status} ${response.statusText}`
-    );
-  }
-
-  if (!response.body) {
-    throw new Error('No response body');
-  }
-
-  yield* parseSSEStream<T>(response.body, signal);
-}
-
-/**
- * Create an SSE-formatted ReadableStream from an AsyncIterable
- * (Useful for Worker endpoints that need to forward AsyncIterable as SSE)
- * @param events - AsyncIterable of events
- * @param options - Stream options
- */
-export function asyncIterableToSSEStream<T>(
-  events: AsyncIterable<T>,
-  options?: {
-    signal?: AbortSignal;
-    serialize?: (event: T) => string;
-  }
-): ReadableStream<Uint8Array> {
-  const encoder = new TextEncoder();
-  const serialize = options?.serialize || JSON.stringify;
-
-  return new ReadableStream({
-    async start(controller) {
-      try {
-        for await (const event of events) {
-          if (options?.signal?.aborted) {
-            controller.error(new Error('Operation was aborted'));
-            break;
-          }
-
-          const data = serialize(event);
-          const sseEvent = `data: ${data}\n\n`;
-          controller.enqueue(encoder.encode(sseEvent));
-        }
-
-        // Send completion marker
-        controller.enqueue(encoder.encode('data: [DONE]\n\n'));
-      } catch (error) {
-        controller.error(error);
-      } finally {
-        controller.close();
-      }
-    },
-
-    cancel() {
-      // Handle stream cancellation
-    }
-  });
-}

package/src/storage-mount/credential-detection.ts

@@ -1,41 +0,0 @@
-import type { BucketCredentials, MountBucketOptions } from '@repo/shared';
-import { MissingCredentialsError } from './errors';
-
-/**
- * Detect credentials for bucket mounting from environment variables
- * Priority order:
- * 1. Explicit options.credentials
- * 2. Standard AWS env vars: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
- * 3. Error: no credentials found
- *
- * @param options - Mount options
- * @param envVars - Environment variables
- * @returns Detected credentials
- * @throws MissingCredentialsError if no credentials found
- */
-export function detectCredentials(
-  options: MountBucketOptions,
-  envVars: Record<string, string | undefined>
-): BucketCredentials {
-  // Priority 1: Explicit credentials in options
-  if (options.credentials) {
-    return options.credentials;
-  }
-
-  // Priority 2: Standard AWS env vars
-  const awsAccessKeyId = envVars.AWS_ACCESS_KEY_ID;
-  const awsSecretAccessKey = envVars.AWS_SECRET_ACCESS_KEY;
-
-  if (awsAccessKeyId && awsSecretAccessKey) {
-    return {
-      accessKeyId: awsAccessKeyId,
-      secretAccessKey: awsSecretAccessKey
-    };
-  }
-
-  // No credentials found - throw error with helpful message
-  throw new MissingCredentialsError(
-    `No credentials found. Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY ` +
-      `environment variables, or pass explicit credentials in options.`
-  );
-}

package/src/storage-mount/errors.ts

@@ -1,51 +0,0 @@
-/**
- * Bucket mounting error classes
- *
- * These are SDK-side validation errors that follow the same pattern as SecurityError.
- * They are thrown before any container interaction occurs.
- */
-
-import { ErrorCode } from '@repo/shared/errors';
-
-/**
- * Base error for bucket mounting operations
- */
-export class BucketMountError extends Error {
-  public readonly code: ErrorCode;
-
-  constructor(message: string, code: ErrorCode = ErrorCode.BUCKET_MOUNT_ERROR) {
-    super(message);
-    this.name = 'BucketMountError';
-    this.code = code;
-  }
-}
-
-/**
- * Thrown when S3FS mount command fails
- */
-export class S3FSMountError extends BucketMountError {
-  constructor(message: string) {
-    super(message, ErrorCode.S3FS_MOUNT_ERROR);
-    this.name = 'S3FSMountError';
-  }
-}
-
-/**
- * Thrown when no credentials found in environment
- */
-export class MissingCredentialsError extends BucketMountError {
-  constructor(message: string) {
-    super(message, ErrorCode.MISSING_CREDENTIALS);
-    this.name = 'MissingCredentialsError';
-  }
-}
-
-/**
- * Thrown when bucket name, mount path, or options are invalid
- */
-export class InvalidMountConfigError extends BucketMountError {
-  constructor(message: string) {
-    super(message, ErrorCode.INVALID_MOUNT_CONFIG);
-    this.name = 'InvalidMountConfigError';
-  }
-}

package/src/storage-mount/index.ts

@@ -1,17 +0,0 @@
-/**
- * Bucket mounting functionality
- */
-
-export { detectCredentials } from './credential-detection';
-export {
-  BucketMountError,
-  InvalidMountConfigError,
-  MissingCredentialsError,
-  S3FSMountError
-} from './errors';
-export {
-  detectProviderFromUrl,
-  getProviderFlags,
-  resolveS3fsOptions
-} from './provider-detection';
-export type { MountInfo } from './types';

package/src/storage-mount/provider-detection.ts

@@ -1,93 +0,0 @@
-/**
- * Provider detection and s3fs flag configuration
- *
- * Based on s3fs-fuse documentation:
- * https://github.com/s3fs-fuse/s3fs-fuse/wiki/Non-Amazon-S3
- */
-
-import type { BucketProvider } from '@repo/shared';
-
-/**
- * Detect provider from endpoint URL using pattern matching
- */
-export function detectProviderFromUrl(endpoint: string): BucketProvider | null {
-  try {
-    const url = new URL(endpoint);
-    const hostname = url.hostname.toLowerCase();
-
-    if (hostname.endsWith('.r2.cloudflarestorage.com')) {
-      return 'r2';
-    }
-
-    // Match AWS S3: *.amazonaws.com or s3.amazonaws.com
-    if (
-      hostname.endsWith('.amazonaws.com') ||
-      hostname === 's3.amazonaws.com'
-    ) {
-      return 's3';
-    }
-
-    if (hostname === 'storage.googleapis.com') {
-      return 'gcs';
-    }
-
-    return null;
-  } catch {
-    return null;
-  }
-}
-
-/**
- * Get s3fs flags for a given provider
- *
- * Based on s3fs-fuse wiki recommendations:
- * https://github.com/s3fs-fuse/s3fs-fuse/wiki/Non-Amazon-S3
- */
-export function getProviderFlags(provider: BucketProvider | null): string[] {
-  if (!provider) {
-    return ['use_path_request_style'];
-  }
-
-  switch (provider) {
-    case 'r2':
-      return ['nomixupload'];
-
-    case 's3':
-      return [];
-
-    case 'gcs':
-      return [];
-
-    default:
-      return ['use_path_request_style'];
-  }
-}
-
-/**
- * Resolve s3fs options by combining provider defaults with user overrides
- */
-export function resolveS3fsOptions(
-  provider: BucketProvider | null,
-  userOptions?: string[]
-): string[] {
-  const providerFlags = getProviderFlags(provider);
-
-  if (!userOptions || userOptions.length === 0) {
-    return providerFlags;
-  }
-
-  // Merge provider flags with user options
-  // User options take precedence (come last in the array)
-  const allFlags = [...providerFlags, ...userOptions];
-
-  // Deduplicate flags (keep last occurrence)
-  const flagMap = new Map<string, string>();
-
-  for (const flag of allFlags) {
-    // Split on '=' to get the flag name
-    const [flagName] = flag.split('=');
-    flagMap.set(flagName, flag);
-  }
-
-  return Array.from(flagMap.values());
-}

package/src/storage-mount/types.ts

@@ -1,17 +0,0 @@
-/**
- * Internal bucket mounting types
- */
-
-import type { BucketProvider } from '@repo/shared';
-
-/**
- * Internal tracking information for active mounts
- */
-export interface MountInfo {
-  bucket: string;
-  mountPath: string;
-  endpoint: string;
-  provider: BucketProvider | null;
-  passwordFilePath: string;
-  mounted: boolean;
-}

package/src/version.ts

@@ -1,6 +0,0 @@
-/**
- * SDK version - automatically synchronized with package.json by Changesets
- * This file is auto-updated by .github/changeset-version.ts during releases
- * DO NOT EDIT MANUALLY - Changes will be overwritten on the next version bump
- */
-export const SDK_VERSION = '0.5.6';