@cloudflare/sandbox 0.7.1 → 0.7.3

package/Dockerfile

@@ -201,3 +201,33 @@ ENV TYPESCRIPT_POOL_MIN_SIZE=3
 EXPOSE 4096
 
 ENTRYPOINT ["/container-server/sandbox"]
+
+# ============================================================================
+# Stage 5d: Musl image - Alpine-based with musl-linked binary
+# ============================================================================
+FROM alpine:3.21 AS musl
+
+ARG SANDBOX_VERSION=unknown
+
+ENV SANDBOX_VERSION=${SANDBOX_VERSION}
+
+RUN apk add --no-cache bash file git ca-certificates curl libstdc++ libgcc s3fs-fuse fuse
+
+RUN sed -i 's/#user_allow_other/user_allow_other/' /etc/fuse.conf
+
+COPY --from=builder /app/packages/sandbox-container/dist/sandbox-musl /container-server/sandbox
+
+WORKDIR /container-server
+
+COPY --from=builder /app/packages/sandbox-container/dist/runtime/executors/javascript/node_executor.js ./dist/runtime/executors/javascript/
+COPY --from=builder /app/packages/sandbox-container/dist/index.js ./dist/
+
+RUN mkdir -p /workspace
+
+EXPOSE 3000
+
+ENV PYTHON_POOL_MIN_SIZE=0
+ENV JAVASCRIPT_POOL_MIN_SIZE=0
+ENV TYPESCRIPT_POOL_MIN_SIZE=0
+
+ENTRYPOINT ["/container-server/sandbox"]

package/dist/index.js

@@ -2089,13 +2089,16 @@ var SecurityError = class extends Error {
 	}
 };
 /**
-* Validates port numbers for sandbox services
-* Only allows non-system ports to prevent conflicts and security issues
+* Validates port numbers for sandbox services.
+*
+* Rules:
+* - Range: 1024-65535 (privileged ports require root, which containers don't have)
+* - Reserved: 3000 (sandbox control plane)
 */
 function validatePort(port) {
 	if (!Number.isInteger(port)) return false;
 	if (port < 1024 || port > 65535) return false;
-	if ([3e3, 8787].includes(port)) return false;
+	if ([3e3].includes(port)) return false;
 	return true;
 }
 /**
@@ -2564,7 +2567,7 @@ function buildS3fsSource(bucket, prefix) {
 * This file is auto-updated by .github/changeset-version.ts during releases
 * DO NOT EDIT MANUALLY - Changes will be overwritten on the next version bump
 */
-const SDK_VERSION = "0.7.1";
+const SDK_VERSION = "0.7.3";
 
 //#endregion
 //#region src/sandbox.ts
@@ -2581,6 +2584,7 @@ function getSandbox(ns, id, options) {
 	if (options?.containerTimeouts) stub.setContainerTimeouts(options.containerTimeouts);
 	const defaultSessionId = `sandbox-${effectiveId}`;
 	const enhancedMethods = {
+		fetch: (request) => stub.fetch(request),
 		createSession: async (opts) => {
 			return enhanceSession(stub, await stub.createSession(opts));
 		},
@@ -2603,7 +2607,7 @@ function enhanceSession(stub, rpcSession) {
 }
 function connect(stub) {
 	return async (request, port) => {
-		if (!validatePort(port)) throw new SecurityError(`Invalid or restricted port: ${port}. Ports must be in range 1024-65535 and not reserved.`);
+		if (!validatePort(port)) throw new SecurityError(`Invalid port number: ${port}. Must be 1024-65535, excluding 3000 (sandbox control plane).`);
 		const portSwitchedRequest = switchPort(request, port);
 		return await stub.fetch(portSwitchedRequest);
 	};
@@ -3668,6 +3672,7 @@ var Sandbox = class extends Container {
 	* // url: https://8080-sandbox-id-my-token-v1.example.com
 	*/
 	async exposePort(port, options) {
+		if (!validatePort(port)) throw new SecurityError(`Invalid port number: ${port}. Must be 1024-65535, excluding 3000 (sandbox control plane).`);
 		if (options.hostname.endsWith(".workers.dev")) throw new CustomDomainRequiredError({
 			code: ErrorCode.CUSTOM_DOMAIN_REQUIRED,
 			message: `Port exposure requires a custom domain. .workers.dev domains do not support wildcard subdomains required for port proxying.`,
@@ -3695,7 +3700,7 @@ var Sandbox = class extends Container {
 		};
 	}
 	async unexposePort(port) {
-		if (!validatePort(port)) throw new SecurityError(`Invalid port number: ${port}. Must be between 1024-65535 and not reserved.`);
+		if (!validatePort(port)) throw new SecurityError(`Invalid port number: ${port}. Must be 1024-65535, excluding 3000 (sandbox control plane).`);
 		const sessionId = await this.ensureDefaultSession();
 		await this.client.ports.unexposePort(port, sessionId);
 		const tokens = await this.ctx.storage.get("portTokens") || {};
@@ -3735,11 +3740,14 @@ var Sandbox = class extends Container {
 			this.logger.error("Port is exposed but has no token - bug detected", void 0, { port });
 			return false;
 		}
-		if (storedToken.length !== token.length) return false;
 		const encoder = new TextEncoder();
 		const a = encoder.encode(storedToken);
 		const b = encoder.encode(token);
-		return crypto.subtle.timingSafeEqual(a, b);
+		try {
+			return crypto.subtle.timingSafeEqual(a, b);
+		} catch {
+			return false;
+		}
 	}
 	validateCustomToken(token) {
 		if (token.length === 0) throw new SecurityError(`Custom token cannot be empty.`);
@@ -3752,7 +3760,7 @@ var Sandbox = class extends Container {
 		return btoa(String.fromCharCode(...array)).replace(/\+/g, "_").replace(/\//g, "_").replace(/=/g, "").toLowerCase();
 	}
 	constructPreviewUrl(port, sandboxId, hostname, token) {
-		if (!validatePort(port)) throw new SecurityError(`Invalid port number: ${port}. Must be between 1024-65535 and not reserved.`);
+		if (!validatePort(port)) throw new SecurityError(`Invalid port number: ${port}. Must be 1024-65535, excluding 3000 (sandbox control plane).`);
 		const effectiveId = this.sandboxName || sandboxId;
 		const hasUppercase = /[A-Z]/.test(effectiveId);
 		if (!this.normalizeId && hasUppercase) throw new SecurityError(`Preview URLs require lowercase sandbox IDs. Your ID "${effectiveId}" contains uppercase letters.\n\nTo fix this:\n1. Create a new sandbox with: getSandbox(ns, "${effectiveId}", { normalizeId: true })\n2. This will create a sandbox with ID: "${effectiveId.toLowerCase()}"\n\nNote: Due to DNS case-insensitivity, IDs with uppercase letters cannot be used with preview URLs.`);