@cloudflare/sandbox 0.7.0 → 0.7.2

package/dist/index.js

@@ -1,5 +1,5 @@
-import { _ as getEnvString, a as isExecResult, c as shellEscape, d as TraceContext, f as Execution, g as filterEnvVars, h as extractRepoName, i as isWSStreamChunk, l as createLogger, m as GitLogger, n as isWSError, o as isProcess, p as ResultImpl, r as isWSResponse, s as isProcessStatus, t as generateRequestId, u as createNoOpLogger, v as partitionEnvVars } from "./dist-BpbdH8ry.js";
-import { t as ErrorCode } from "./errors-BCXUmJUn.js";
+import { _ as getEnvString, a as isExecResult, c as shellEscape, d as TraceContext, f as Execution, g as filterEnvVars, h as extractRepoName, i as isWSStreamChunk, l as createLogger, m as GitLogger, n as isWSError, o as isProcess, p as ResultImpl, r as isWSResponse, s as isProcessStatus, t as generateRequestId, u as createNoOpLogger, v as partitionEnvVars } from "./dist-D9B_6gn_.js";
+import { t as ErrorCode } from "./errors-Bzl0ZNia.js";
 import { Container, getContainer, switchPort } from "@cloudflare/containers";
 
 //#region src/errors/classes.ts
@@ -2089,13 +2089,16 @@ var SecurityError = class extends Error {
 	}
 };
 /**
-* Validates port numbers for sandbox services
-* Only allows non-system ports to prevent conflicts and security issues
+* Validates port numbers for sandbox services.
+*
+* Rules:
+* - Range: 1024-65535 (privileged ports require root, which containers don't have)
+* - Reserved: 3000 (sandbox control plane)
 */
 function validatePort(port) {
 	if (!Number.isInteger(port)) return false;
 	if (port < 1024 || port > 65535) return false;
-	if ([3e3, 8787].includes(port)) return false;
+	if ([3e3].includes(port)) return false;
 	return true;
 }
 /**
@@ -2216,6 +2219,19 @@ var CodeInterpreter = class {
 	}
 };
 
+//#endregion
+//#region src/pty/proxy.ts
+async function proxyTerminal(stub, sessionId, request, options) {
+	if (!sessionId || typeof sessionId !== "string") throw new Error("sessionId is required for terminal access");
+	if (request.headers.get("Upgrade")?.toLowerCase() !== "websocket") throw new Error("terminal() requires a WebSocket upgrade request");
+	const params = new URLSearchParams({ sessionId });
+	if (options?.cols) params.set("cols", String(options.cols));
+	if (options?.rows) params.set("rows", String(options.rows));
+	const ptyUrl = `http://localhost/ws/pty?${params}`;
+	const ptyRequest = new Request(ptyUrl, request);
+	return stub.fetch(switchPort(ptyRequest, 3e3));
+}
+
 //#endregion
 //#region src/request-handler.ts
 async function proxyToSandbox(request, env) {
@@ -2254,15 +2270,18 @@ async function proxyToSandbox(request, env) {
 		let proxyUrl;
 		if (port !== 3e3) proxyUrl = `http://localhost:${port}${path}${url.search}`;
 		else proxyUrl = `http://localhost:3000${path}${url.search}`;
+		const headers = {
+			"X-Original-URL": request.url,
+			"X-Forwarded-Host": url.hostname,
+			"X-Forwarded-Proto": url.protocol.replace(":", ""),
+			"X-Sandbox-Name": sandboxId
+		};
+		request.headers.forEach((value, key) => {
+			headers[key] = value;
+		});
 		const proxyRequest = new Request(proxyUrl, {
 			method: request.method,
-			headers: {
-				...Object.fromEntries(request.headers),
-				"X-Original-URL": request.url,
-				"X-Forwarded-Host": url.hostname,
-				"X-Forwarded-Proto": url.protocol.replace(":", ""),
-				"X-Sandbox-Name": sandboxId
-			},
+			headers,
 			body: request.body,
 			duplex: "half"
 		});
@@ -2548,7 +2567,7 @@ function buildS3fsSource(bucket, prefix) {
 * This file is auto-updated by .github/changeset-version.ts during releases
 * DO NOT EDIT MANUALLY - Changes will be overwritten on the next version bump
 */
-const SDK_VERSION = "0.7.0";
+const SDK_VERSION = "0.7.2";
 
 //#endregion
 //#region src/sandbox.ts
@@ -2563,11 +2582,31 @@ function getSandbox(ns, id, options) {
 	if (options?.sleepAfter !== void 0) stub.setSleepAfter(options.sleepAfter);
 	if (options?.keepAlive !== void 0) stub.setKeepAlive(options.keepAlive);
 	if (options?.containerTimeouts) stub.setContainerTimeouts(options.containerTimeouts);
-	return Object.assign(stub, { wsConnect: connect(stub) });
+	const defaultSessionId = `sandbox-${effectiveId}`;
+	const enhancedMethods = {
+		createSession: async (opts) => {
+			return enhanceSession(stub, await stub.createSession(opts));
+		},
+		getSession: async (sessionId) => {
+			return enhanceSession(stub, await stub.getSession(sessionId));
+		},
+		terminal: (request, opts) => proxyTerminal(stub, defaultSessionId, request, opts),
+		wsConnect: connect(stub)
+	};
+	return new Proxy(stub, { get(target, prop) {
+		if (typeof prop === "string" && prop in enhancedMethods) return enhancedMethods[prop];
+		return target[prop];
+	} });
+}
+function enhanceSession(stub, rpcSession) {
+	return {
+		...rpcSession,
+		terminal: (request, opts) => proxyTerminal(stub, rpcSession.id, request, opts)
+	};
 }
 function connect(stub) {
 	return async (request, port) => {
-		if (!validatePort(port)) throw new SecurityError(`Invalid or restricted port: ${port}. Ports must be in range 1024-65535 and not reserved.`);
+		if (!validatePort(port)) throw new SecurityError(`Invalid port number: ${port}. Must be 1024-65535, excluding 3000 (sandbox control plane).`);
 		const portSwitchedRequest = switchPort(request, port);
 		return await stub.fetch(portSwitchedRequest);
 	};
@@ -3632,6 +3671,7 @@ var Sandbox = class extends Container {
 	* // url: https://8080-sandbox-id-my-token-v1.example.com
 	*/
 	async exposePort(port, options) {
+		if (!validatePort(port)) throw new SecurityError(`Invalid port number: ${port}. Must be 1024-65535, excluding 3000 (sandbox control plane).`);
 		if (options.hostname.endsWith(".workers.dev")) throw new CustomDomainRequiredError({
 			code: ErrorCode.CUSTOM_DOMAIN_REQUIRED,
 			message: `Port exposure requires a custom domain. .workers.dev domains do not support wildcard subdomains required for port proxying.`,
@@ -3659,7 +3699,7 @@ var Sandbox = class extends Container {
 		};
 	}
 	async unexposePort(port) {
-		if (!validatePort(port)) throw new SecurityError(`Invalid port number: ${port}. Must be between 1024-65535 and not reserved.`);
+		if (!validatePort(port)) throw new SecurityError(`Invalid port number: ${port}. Must be 1024-65535, excluding 3000 (sandbox control plane).`);
 		const sessionId = await this.ensureDefaultSession();
 		await this.client.ports.unexposePort(port, sessionId);
 		const tokens = await this.ctx.storage.get("portTokens") || {};
@@ -3699,11 +3739,14 @@ var Sandbox = class extends Container {
 			this.logger.error("Port is exposed but has no token - bug detected", void 0, { port });
 			return false;
 		}
-		if (storedToken.length !== token.length) return false;
 		const encoder = new TextEncoder();
 		const a = encoder.encode(storedToken);
 		const b = encoder.encode(token);
-		return crypto.subtle.timingSafeEqual(a, b);
+		try {
+			return crypto.subtle.timingSafeEqual(a, b);
+		} catch {
+			return false;
+		}
 	}
 	validateCustomToken(token) {
 		if (token.length === 0) throw new SecurityError(`Custom token cannot be empty.`);
@@ -3716,7 +3759,7 @@ var Sandbox = class extends Container {
 		return btoa(String.fromCharCode(...array)).replace(/\+/g, "_").replace(/\//g, "_").replace(/=/g, "").toLowerCase();
 	}
 	constructPreviewUrl(port, sandboxId, hostname, token) {
-		if (!validatePort(port)) throw new SecurityError(`Invalid port number: ${port}. Must be between 1024-65535 and not reserved.`);
+		if (!validatePort(port)) throw new SecurityError(`Invalid port number: ${port}. Must be 1024-65535, excluding 3000 (sandbox control plane).`);
 		const effectiveId = this.sandboxName || sandboxId;
 		const hasUppercase = /[A-Z]/.test(effectiveId);
 		if (!this.normalizeId && hasUppercase) throw new SecurityError(`Preview URLs require lowercase sandbox IDs. Your ID "${effectiveId}" contains uppercase letters.\n\nTo fix this:\n1. Create a new sandbox with: getSandbox(ns, "${effectiveId}", { normalizeId: true })\n2. This will create a sandbox with ID: "${effectiveId.toLowerCase()}"\n\nNote: Due to DNS case-insensitivity, IDs with uppercase letters cannot be used with preview URLs.`);
@@ -3790,13 +3833,10 @@ var Sandbox = class extends Container {
 			timestamp: response.timestamp
 		};
 	}
-	/**
-	* Internal helper to create ExecutionSession wrapper for a given sessionId
-	* Used by both createSession and getSession
-	*/
 	getSessionWrapper(sessionId) {
 		return {
 			id: sessionId,
+			terminal: null,
 			exec: (command, options) => this.execWithSession(command, sessionId, options),
 			execStream: (command, options) => this.execStreamWithSession(command, sessionId, options),
 			startProcess: (command, options) => this.startProcess(command, options, sessionId),
@@ -3995,5 +4035,5 @@ async function collectFile(stream) {
 }
 
 //#endregion
-export { BucketMountError, CodeInterpreter, CommandClient, FileClient, GitClient, InvalidMountConfigError, MissingCredentialsError, PortClient, ProcessClient, ProcessExitedBeforeReadyError, ProcessReadyTimeoutError, S3FSMountError, Sandbox, SandboxClient, UtilityClient, asyncIterableToSSEStream, collectFile, getSandbox, isExecResult, isProcess, isProcessStatus, parseSSEStream, proxyToSandbox, responseToAsyncIterable, streamFile };
+export { BucketMountError, CodeInterpreter, CommandClient, FileClient, GitClient, InvalidMountConfigError, MissingCredentialsError, PortClient, ProcessClient, ProcessExitedBeforeReadyError, ProcessReadyTimeoutError, S3FSMountError, Sandbox, SandboxClient, UtilityClient, asyncIterableToSSEStream, collectFile, getSandbox, isExecResult, isProcess, isProcessStatus, parseSSEStream, proxyTerminal, proxyToSandbox, responseToAsyncIterable, streamFile };
 //# sourceMappingURL=index.js.map