@sysid/sandbox-runtime-improved 0.0.49-sysid.2 → 0.0.51-sysid.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +4 -4
- package/dist/cli.js +10 -4
- package/dist/cli.js.map +1 -1
- package/dist/index.d.ts +1 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js.map +1 -1
- package/dist/sandbox/http-proxy.d.ts +21 -1
- package/dist/sandbox/http-proxy.d.ts.map +1 -1
- package/dist/sandbox/http-proxy.js +27 -2
- package/dist/sandbox/http-proxy.js.map +1 -1
- package/dist/sandbox/linux-sandbox-utils.d.ts +18 -3
- package/dist/sandbox/linux-sandbox-utils.d.ts.map +1 -1
- package/dist/sandbox/linux-sandbox-utils.js +49 -18
- package/dist/sandbox/linux-sandbox-utils.js.map +1 -1
- package/dist/sandbox/macos-sandbox-utils.d.ts +2 -0
- package/dist/sandbox/macos-sandbox-utils.d.ts.map +1 -1
- package/dist/sandbox/macos-sandbox-utils.js +37 -20
- package/dist/sandbox/macos-sandbox-utils.js.map +1 -1
- package/dist/sandbox/mitm-ca.d.ts +47 -0
- package/dist/sandbox/mitm-ca.d.ts.map +1 -0
- package/dist/sandbox/mitm-ca.js +153 -0
- package/dist/sandbox/mitm-ca.js.map +1 -0
- package/dist/sandbox/mitm-leaf.d.ts +28 -0
- package/dist/sandbox/mitm-leaf.d.ts.map +1 -0
- package/dist/sandbox/mitm-leaf.js +94 -0
- package/dist/sandbox/mitm-leaf.js.map +1 -0
- package/dist/sandbox/request-filter.d.ts +46 -0
- package/dist/sandbox/request-filter.d.ts.map +1 -0
- package/dist/sandbox/request-filter.js +106 -0
- package/dist/sandbox/request-filter.js.map +1 -0
- package/dist/sandbox/sandbox-config.d.ts +71 -0
- package/dist/sandbox/sandbox-config.d.ts.map +1 -1
- package/dist/sandbox/sandbox-config.js +55 -0
- package/dist/sandbox/sandbox-config.js.map +1 -1
- package/dist/sandbox/sandbox-manager.d.ts +2 -0
- package/dist/sandbox/sandbox-manager.d.ts.map +1 -1
- package/dist/sandbox/sandbox-manager.js +161 -101
- package/dist/sandbox/sandbox-manager.js.map +1 -1
- package/dist/sandbox/sandbox-utils.d.ts +6 -1
- package/dist/sandbox/sandbox-utils.d.ts.map +1 -1
- package/dist/sandbox/sandbox-utils.js +34 -6
- package/dist/sandbox/sandbox-utils.js.map +1 -1
- package/dist/sandbox/socks-proxy.d.ts.map +1 -1
- package/dist/sandbox/socks-proxy.js +26 -9
- package/dist/sandbox/socks-proxy.js.map +1 -1
- package/dist/sandbox/tls-terminate-proxy.d.ts +41 -0
- package/dist/sandbox/tls-terminate-proxy.d.ts.map +1 -0
- package/dist/sandbox/tls-terminate-proxy.js +167 -0
- package/dist/sandbox/tls-terminate-proxy.js.map +1 -0
- package/package.json +7 -5
|
@@ -80,15 +80,27 @@ export function createSocksProxyServer(options) {
|
|
|
80
80
|
}
|
|
81
81
|
});
|
|
82
82
|
});
|
|
83
|
+
// Track every accepted client socket so close() can tear them down
|
|
84
|
+
// immediately. `net.Server.close()`'s callback waits for all open
|
|
85
|
+
// connections to finish, and a SOCKS connection mid-`dialDirect()` (30s
|
|
86
|
+
// timeout) or mid-relay holds the server open indefinitely. During
|
|
87
|
+
// SandboxManager.reset() that turns into a hang that can outlive bun's
|
|
88
|
+
// 5s test/hook timeout, so we destroy connections rather than drain them.
|
|
89
|
+
const internalServer = socksServer
|
|
90
|
+
?.server;
|
|
91
|
+
const openSockets = new Set();
|
|
92
|
+
internalServer?.on('connection', (socket) => {
|
|
93
|
+
openSockets.add(socket);
|
|
94
|
+
socket.once('close', () => openSockets.delete(socket));
|
|
95
|
+
});
|
|
83
96
|
return {
|
|
84
97
|
server: socksServer,
|
|
85
98
|
getPort() {
|
|
86
99
|
// Access the internal server to get the port
|
|
87
100
|
// We need to use type assertion here as the server property is private
|
|
88
101
|
try {
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
const address = serverInternal.address();
|
|
102
|
+
if (internalServer && typeof internalServer?.address === 'function') {
|
|
103
|
+
const address = internalServer.address();
|
|
92
104
|
if (address && typeof address === 'object' && 'port' in address) {
|
|
93
105
|
return address.port;
|
|
94
106
|
}
|
|
@@ -102,10 +114,9 @@ export function createSocksProxyServer(options) {
|
|
|
102
114
|
},
|
|
103
115
|
listen(port, hostname) {
|
|
104
116
|
return new Promise((resolve, reject) => {
|
|
105
|
-
|
|
106
|
-
serverInternal?.once('error', reject);
|
|
117
|
+
internalServer?.once('error', reject);
|
|
107
118
|
const listeningCallback = () => {
|
|
108
|
-
|
|
119
|
+
internalServer?.removeListener('error', reject);
|
|
109
120
|
const actualPort = this.getPort();
|
|
110
121
|
if (actualPort) {
|
|
111
122
|
logForDebugging(`SOCKS proxy listening on ${hostname}:${actualPort}`);
|
|
@@ -135,14 +146,20 @@ export function createSocksProxyServer(options) {
|
|
|
135
146
|
}
|
|
136
147
|
resolve();
|
|
137
148
|
});
|
|
149
|
+
// Forcibly drop any sockets still open. close() above stopped the
|
|
150
|
+
// listener; the callback won't fire until these drain on their own,
|
|
151
|
+
// and a stuck upstream dial means they may never drain.
|
|
152
|
+
for (const socket of openSockets) {
|
|
153
|
+
socket.destroy();
|
|
154
|
+
}
|
|
155
|
+
openSockets.clear();
|
|
138
156
|
});
|
|
139
157
|
},
|
|
140
158
|
unref() {
|
|
141
159
|
// Access the internal server to call unref
|
|
142
160
|
try {
|
|
143
|
-
|
|
144
|
-
|
|
145
|
-
serverInternal.unref();
|
|
161
|
+
if (internalServer && typeof internalServer?.unref === 'function') {
|
|
162
|
+
internalServer.unref();
|
|
146
163
|
}
|
|
147
164
|
}
|
|
148
165
|
catch (error) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"socks-proxy.js","sourceRoot":"","sources":["../../src/sandbox/socks-proxy.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAEnD,OAAO,EACL,qBAAqB,EACrB,UAAU,EACV,WAAW,EACX,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,mBAAmB,CAAA;AAqB1B,MAAM,UAAU,sBAAsB,CACpC,OAAgC;IAEhC,MAAM,WAAW,GAAG,YAAY,EAAE,CAAA;IAElC,WAAW,CAAC,mBAAmB,CAAC,KAAK,EAAC,IAAI,EAAC,EAAE;QAC3C,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAA;YACjC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAA;YAE1B,mEAAmE;YACnE,oEAAoE;YACpE,qEAAqE;YACrE,0DAA0D;YAC1D,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC3B,eAAe,CACb,mCAAmC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,EAC7D,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;gBACD,OAAO,KAAK,CAAA;YACd,CAAC;YAED,eAAe,CAAC,yBAAyB,QAAQ,IAAI,IAAI,EAAE,CAAC,CAAA;YAE5D,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;YAEpD,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,eAAe,CAAC,yBAAyB,QAAQ,IAAI,IAAI,EAAE,EAAE;oBAC3D,KAAK,EAAE,OAAO;iBACf,CAAC,CAAA;gBACF,OAAO,KAAK,CAAA;YACd,CAAC;YAED,eAAe,CAAC,yBAAyB,QAAQ,IAAI,IAAI,EAAE,CAAC,CAAA;YAC5D,OAAO,IAAI,CAAA;QACb,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,eAAe,CAAC,gCAAgC,KAAK,EAAE,EAAE;gBACvD,KAAK,EAAE,OAAO;aACf,CAAC,CAAA;YACF,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,2EAA2E;IAC3E,yEAAyE;IACzE,2DAA2D;IAC3D,WAAW,CAAC,oBAAoB,CAAC,CAAC,IAAI,EAAE,UAAU,EAAE,EAAE;QACpD,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAA;QAC7B,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAA;QAE1B,wEAAwE;QACxE,IAAI,UAAU,GAAG,KAAK,CAAA;QACtB,IAAI,WAA+B,CAAA;QACnC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE;YAC7B,UAAU,GAAG,IAAI,CAAA;YACjB,WAAW,EAAE,OAAO,EAAE,CAAA;QACxB,CAAC,CAAC,CAAA;QACF,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,WAAW,EAAE,OAAO,EAAE,CAAC,CAAA;QAErD,iEAAiE;QACjE,0EAA0E;QAC1E,MAAM,SAAS,GACb,OAAO,CAAC,WAAW,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,WAAW,EAAE,IAAI,CAAC;YACxE,CAAC,CAAC,oBAAoB,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;YAC9D,CAAC,CAAC,SAAS,CAAA;QAEf,MAAM,IAAI,GAAG,SAAS;YACpB,CAAC,CAAC,qBAAqB,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,CAAC;YAC9C,CAAC,CAAC,UAAU,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;QAE1B,IAAI;aACD,IAAI,CAAC,QAAQ,CAAC,EAAE;YACf,WAAW,GAAG,QAAQ,CAAA;YACtB,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAA;YACjD,IAAI,UAAU,EAAE,CAAC;gBACf,QAAQ,CAAC,OAAO,EAAE,CAAA;gBAClB,OAAM;YACR,CAAC;YACD,UAAU,CAAC,iBAAiB,CAAC,CAAA;YAC7B,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;YAC1B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;YAC1B,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAA;QACnD,CAAC,CAAC;aACD,KAAK,CAAC,GAAG,CAAC,EAAE;YACX,eAAe,CACb,oBAAoB,IAAI,IAAI,IAAI,YAAa,GAAa,CAAC,OAAO,EAAE,EACpE,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;YACD,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,IAAI,CAAC;oBACH,UAAU,CAAC,kBAAkB,CAAC,CAAA;gBAChC,CAAC;gBAAC,MAAM,CAAC;oBACP,yDAAyD;gBAC3D,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAA;IACN,CAAC,CAAC,CAAA;IAEF,OAAO;QACL,MAAM,EAAE,WAAW;QACnB,OAAO;YACL,6CAA6C;YAC7C,uEAAuE;YACvE,IAAI,CAAC;gBACH,
|
|
1
|
+
{"version":3,"file":"socks-proxy.js","sourceRoot":"","sources":["../../src/sandbox/socks-proxy.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAEnD,OAAO,EACL,qBAAqB,EACrB,UAAU,EACV,WAAW,EACX,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,mBAAmB,CAAA;AAqB1B,MAAM,UAAU,sBAAsB,CACpC,OAAgC;IAEhC,MAAM,WAAW,GAAG,YAAY,EAAE,CAAA;IAElC,WAAW,CAAC,mBAAmB,CAAC,KAAK,EAAC,IAAI,EAAC,EAAE;QAC3C,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAA;YACjC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAA;YAE1B,mEAAmE;YACnE,oEAAoE;YACpE,qEAAqE;YACrE,0DAA0D;YAC1D,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC3B,eAAe,CACb,mCAAmC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,EAC7D,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;gBACD,OAAO,KAAK,CAAA;YACd,CAAC;YAED,eAAe,CAAC,yBAAyB,QAAQ,IAAI,IAAI,EAAE,CAAC,CAAA;YAE5D,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;YAEpD,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,eAAe,CAAC,yBAAyB,QAAQ,IAAI,IAAI,EAAE,EAAE;oBAC3D,KAAK,EAAE,OAAO;iBACf,CAAC,CAAA;gBACF,OAAO,KAAK,CAAA;YACd,CAAC;YAED,eAAe,CAAC,yBAAyB,QAAQ,IAAI,IAAI,EAAE,CAAC,CAAA;YAC5D,OAAO,IAAI,CAAA;QACb,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,eAAe,CAAC,gCAAgC,KAAK,EAAE,EAAE;gBACvD,KAAK,EAAE,OAAO;aACf,CAAC,CAAA;YACF,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,2EAA2E;IAC3E,yEAAyE;IACzE,2DAA2D;IAC3D,WAAW,CAAC,oBAAoB,CAAC,CAAC,IAAI,EAAE,UAAU,EAAE,EAAE;QACpD,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAA;QAC7B,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAA;QAE1B,wEAAwE;QACxE,IAAI,UAAU,GAAG,KAAK,CAAA;QACtB,IAAI,WAA+B,CAAA;QACnC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE;YAC7B,UAAU,GAAG,IAAI,CAAA;YACjB,WAAW,EAAE,OAAO,EAAE,CAAA;QACxB,CAAC,CAAC,CAAA;QACF,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,WAAW,EAAE,OAAO,EAAE,CAAC,CAAA;QAErD,iEAAiE;QACjE,0EAA0E;QAC1E,MAAM,SAAS,GACb,OAAO,CAAC,WAAW,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,WAAW,EAAE,IAAI,CAAC;YACxE,CAAC,CAAC,oBAAoB,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;YAC9D,CAAC,CAAC,SAAS,CAAA;QAEf,MAAM,IAAI,GAAG,SAAS;YACpB,CAAC,CAAC,qBAAqB,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,CAAC;YAC9C,CAAC,CAAC,UAAU,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;QAE1B,IAAI;aACD,IAAI,CAAC,QAAQ,CAAC,EAAE;YACf,WAAW,GAAG,QAAQ,CAAA;YACtB,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAA;YACjD,IAAI,UAAU,EAAE,CAAC;gBACf,QAAQ,CAAC,OAAO,EAAE,CAAA;gBAClB,OAAM;YACR,CAAC;YACD,UAAU,CAAC,iBAAiB,CAAC,CAAA;YAC7B,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;YAC1B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;YAC1B,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAA;QACnD,CAAC,CAAC;aACD,KAAK,CAAC,GAAG,CAAC,EAAE;YACX,eAAe,CACb,oBAAoB,IAAI,IAAI,IAAI,YAAa,GAAa,CAAC,OAAO,EAAE,EACpE,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;YACD,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,IAAI,CAAC;oBACH,UAAU,CAAC,kBAAkB,CAAC,CAAA;gBAChC,CAAC;gBAAC,MAAM,CAAC;oBACP,yDAAyD;gBAC3D,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAA;IACN,CAAC,CAAC,CAAA;IAEF,mEAAmE;IACnE,kEAAkE;IAClE,wEAAwE;IACxE,mEAAmE;IACnE,uEAAuE;IACvE,0EAA0E;IAC1E,MAAM,cAAc,GAAI,WAAiD;QACvE,EAAE,MAAM,CAAA;IACV,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAA;IACrC,cAAc,EAAE,EAAE,CAAC,YAAY,EAAE,CAAC,MAAc,EAAE,EAAE;QAClD,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACvB,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAA;IACxD,CAAC,CAAC,CAAA;IAEF,OAAO;QACL,MAAM,EAAE,WAAW;QACnB,OAAO;YACL,6CAA6C;YAC7C,uEAAuE;YACvE,IAAI,CAAC;gBACH,IAAI,cAAc,IAAI,OAAO,cAAc,EAAE,OAAO,KAAK,UAAU,EAAE,CAAC;oBACpE,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,EAAE,CAAA;oBACxC,IAAI,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,MAAM,IAAI,OAAO,EAAE,CAAC;wBAChE,OAAO,OAAO,CAAC,IAAI,CAAA;oBACrB,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,8DAA8D;gBAC9D,eAAe,CAAC,uBAAuB,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAA;YACrE,CAAC;YACD,OAAO,SAAS,CAAA;QAClB,CAAC;QACD,MAAM,CAAC,IAAY,EAAE,QAAgB;YACnC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;gBACrC,cAAc,EAAE,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;gBACrC,MAAM,iBAAiB,GAAG,GAAS,EAAE;oBACnC,cAAc,EAAE,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;oBAC/C,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,CAAA;oBACjC,IAAI,UAAU,EAAE,CAAC;wBACf,eAAe,CACb,4BAA4B,QAAQ,IAAI,UAAU,EAAE,CACrD,CAAA;wBACD,OAAO,CAAC,UAAU,CAAC,CAAA;oBACrB,CAAC;yBAAM,CAAC;wBACN,MAAM,CAAC,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC,CAAA;oBAC5D,CAAC;gBACH,CAAC,CAAA;gBACD,WAAW,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,EAAE,iBAAiB,CAAC,CAAA;YACvD,CAAC,CAAC,CAAA;QACJ,CAAC;QACD,KAAK,CAAC,KAAK;YACT,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;gBACrC,WAAW,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE;oBACxB,IAAI,KAAK,EAAE,CAAC;wBACV,iEAAiE;wBACjE,mDAAmD;wBACnD,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,CAAA;wBACvD,MAAM,eAAe,GACnB,YAAY,CAAC,QAAQ,CAAC,aAAa,CAAC;4BACpC,YAAY,CAAC,QAAQ,CAAC,gBAAgB,CAAC;4BACvC,YAAY,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAA;wBAExC,IAAI,CAAC,eAAe,EAAE,CAAC;4BACrB,MAAM,CAAC,KAAK,CAAC,CAAA;4BACb,OAAM;wBACR,CAAC;oBACH,CAAC;oBACD,OAAO,EAAE,CAAA;gBACX,CAAC,CAAC,CAAA;gBACF,kEAAkE;gBAClE,oEAAoE;gBACpE,wDAAwD;gBACxD,KAAK,MAAM,MAAM,IAAI,WAAW,EAAE,CAAC;oBACjC,MAAM,CAAC,OAAO,EAAE,CAAA;gBAClB,CAAC;gBACD,WAAW,CAAC,KAAK,EAAE,CAAA;YACrB,CAAC,CAAC,CAAA;QACJ,CAAC;QACD,KAAK;YACH,2CAA2C;YAC3C,IAAI,CAAC;gBACH,IAAI,cAAc,IAAI,OAAO,cAAc,EAAE,KAAK,KAAK,UAAU,EAAE,CAAC;oBAClE,cAAc,CAAC,KAAK,EAAE,CAAA;gBACxB,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,eAAe,CAAC,wBAAwB,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAA;YACtE,CAAC;QACH,CAAC;KACF,CAAA;AACH,CAAC"}
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* In-process TLS termination for HTTPS traffic through the forward proxy.
|
|
3
|
+
*
|
|
4
|
+
* When a MitmCA is configured, the forward proxy hands CONNECT requests here
|
|
5
|
+
* instead of opening an opaque byte tunnel. We terminate the client's TLS
|
|
6
|
+
* with a per-host leaf cert (see mitm-leaf.ts), parse the decrypted stream
|
|
7
|
+
* as HTTP/1.1, and re-issue each request upstream over a real TLS
|
|
8
|
+
* connection. The optional `filterRequest` callback runs on each parsed
|
|
9
|
+
* request before it is forwarded.
|
|
10
|
+
*/
|
|
11
|
+
import type { Duplex } from 'node:stream';
|
|
12
|
+
import type { MitmCA } from './mitm-ca.js';
|
|
13
|
+
import { type FilterRequestCallback } from './request-filter.js';
|
|
14
|
+
export type TerminateTarget = {
|
|
15
|
+
hostname: string;
|
|
16
|
+
port: number;
|
|
17
|
+
/**
|
|
18
|
+
* Additional trusted CA(s) for the proxy's outbound TLS leg. Unset → system
|
|
19
|
+
* roots + NODE_EXTRA_CA_CERTS. Primarily a test seam (NODE_EXTRA_CA_CERTS
|
|
20
|
+
* is read at process start, so tests can't set it from inside the suite).
|
|
21
|
+
*/
|
|
22
|
+
upstreamCA?: string | Buffer | Array<string | Buffer>;
|
|
23
|
+
};
|
|
24
|
+
/**
|
|
25
|
+
* Terminate the client's TLS on `socket`, parse the decrypted HTTP/1.1
|
|
26
|
+
* stream, and forward each request to `target` over a fresh upstream TLS
|
|
27
|
+
* connection.
|
|
28
|
+
*
|
|
29
|
+
* Preconditions: the caller has already validated `target` against the
|
|
30
|
+
* domain allowlist; this function does not re-check it.
|
|
31
|
+
*
|
|
32
|
+
* Implementation: we stand up a short-lived https.Server on a unix socket
|
|
33
|
+
* and pipe the client socket through it. The Node-idiomatic alternative —
|
|
34
|
+
* feeding the raw socket to a non-listening server via
|
|
35
|
+
* `emit('connection', socket)` — is not implemented by Bun's https.Server,
|
|
36
|
+
* and SRT runs under both runtimes. A per-connection server lets the
|
|
37
|
+
* request handler close over `target` (which carries the originally-
|
|
38
|
+
* requested host:port) without socket-keyed lookups.
|
|
39
|
+
*/
|
|
40
|
+
export declare function terminateAndForward(ca: MitmCA, filterRequest: FilterRequestCallback | undefined, socket: Duplex, head: Buffer, target: TerminateTarget): void;
|
|
41
|
+
//# sourceMappingURL=tls-terminate-proxy.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"tls-terminate-proxy.d.ts","sourceRoot":"","sources":["../../src/sandbox/tls-terminate-proxy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAWH,OAAO,KAAK,EAAE,MAAM,EAAY,MAAM,aAAa,CAAA;AAEnD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EAEL,KAAK,qBAAqB,EAC3B,MAAM,qBAAqB,CAAA;AAI5B,MAAM,MAAM,eAAe,GAAG;IAC5B,QAAQ,EAAE,MAAM,CAAA;IAChB,IAAI,EAAE,MAAM,CAAA;IACZ;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC,CAAA;CACtD,CAAA;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,mBAAmB,CACjC,EAAE,EAAE,MAAM,EACV,aAAa,EAAE,qBAAqB,GAAG,SAAS,EAChD,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,eAAe,GACtB,IAAI,CA0EN"}
|
|
@@ -0,0 +1,167 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* In-process TLS termination for HTTPS traffic through the forward proxy.
|
|
3
|
+
*
|
|
4
|
+
* When a MitmCA is configured, the forward proxy hands CONNECT requests here
|
|
5
|
+
* instead of opening an opaque byte tunnel. We terminate the client's TLS
|
|
6
|
+
* with a per-host leaf cert (see mitm-leaf.ts), parse the decrypted stream
|
|
7
|
+
* as HTTP/1.1, and re-issue each request upstream over a real TLS
|
|
8
|
+
* connection. The optional `filterRequest` callback runs on each parsed
|
|
9
|
+
* request before it is forwarded.
|
|
10
|
+
*/
|
|
11
|
+
import { createServer as createHttpsServer, request as httpsRequest, } from 'node:https';
|
|
12
|
+
import { connect, isIP } from 'node:net';
|
|
13
|
+
import { unlink } from 'node:fs';
|
|
14
|
+
import { tmpdir } from 'node:os';
|
|
15
|
+
import { join } from 'node:path';
|
|
16
|
+
import { logForDebugging } from '../utils/debug.js';
|
|
17
|
+
import { decideAndRespond, } from './request-filter.js';
|
|
18
|
+
import { mintLeafCert, secureContextFor } from './mitm-leaf.js';
|
|
19
|
+
import { stripHopByHop } from './parent-proxy.js';
|
|
20
|
+
/**
|
|
21
|
+
* Terminate the client's TLS on `socket`, parse the decrypted HTTP/1.1
|
|
22
|
+
* stream, and forward each request to `target` over a fresh upstream TLS
|
|
23
|
+
* connection.
|
|
24
|
+
*
|
|
25
|
+
* Preconditions: the caller has already validated `target` against the
|
|
26
|
+
* domain allowlist; this function does not re-check it.
|
|
27
|
+
*
|
|
28
|
+
* Implementation: we stand up a short-lived https.Server on a unix socket
|
|
29
|
+
* and pipe the client socket through it. The Node-idiomatic alternative —
|
|
30
|
+
* feeding the raw socket to a non-listening server via
|
|
31
|
+
* `emit('connection', socket)` — is not implemented by Bun's https.Server,
|
|
32
|
+
* and SRT runs under both runtimes. A per-connection server lets the
|
|
33
|
+
* request handler close over `target` (which carries the originally-
|
|
34
|
+
* requested host:port) without socket-keyed lookups.
|
|
35
|
+
*/
|
|
36
|
+
export function terminateAndForward(ca, filterRequest, socket, head, target) {
|
|
37
|
+
// ALPN advertises HTTP/1.1 only — terminating HTTP/2 would require a frame
|
|
38
|
+
// parser; clients negotiate down. The base secureContext covers clients
|
|
39
|
+
// that don't send SNI; SNICallback covers everyone else.
|
|
40
|
+
const baseLeaf = mintLeafCert(ca, target.hostname);
|
|
41
|
+
const inner = createHttpsServer({
|
|
42
|
+
ALPNProtocols: ['http/1.1'],
|
|
43
|
+
cert: baseLeaf.certPem,
|
|
44
|
+
key: baseLeaf.keyPem,
|
|
45
|
+
SNICallback: (servername, cb) => {
|
|
46
|
+
try {
|
|
47
|
+
cb(null, secureContextFor(ca, servername || target.hostname));
|
|
48
|
+
}
|
|
49
|
+
catch (err) {
|
|
50
|
+
cb(err);
|
|
51
|
+
}
|
|
52
|
+
},
|
|
53
|
+
});
|
|
54
|
+
inner.on('request', (req, res) => {
|
|
55
|
+
void forwardUpstream(filterRequest, req, res, target);
|
|
56
|
+
});
|
|
57
|
+
inner.on('tlsClientError', (err, sock) => {
|
|
58
|
+
logForDebugging(`[tls-terminate] client TLS error for ${target.hostname}: ${err.message}`, { level: 'error' });
|
|
59
|
+
sock.destroy();
|
|
60
|
+
});
|
|
61
|
+
inner.on('upgrade', (_req, sock) => {
|
|
62
|
+
// WebSocket / non-HTTP over TLS — out of scope for now.
|
|
63
|
+
logForDebugging('[tls-terminate] upgrade request refused', {
|
|
64
|
+
level: 'warn',
|
|
65
|
+
});
|
|
66
|
+
sock.destroy();
|
|
67
|
+
});
|
|
68
|
+
const sockPath = innerSocketPath();
|
|
69
|
+
const cleanup = () => {
|
|
70
|
+
inner.close();
|
|
71
|
+
unlink(sockPath, () => { });
|
|
72
|
+
};
|
|
73
|
+
inner.on('error', err => {
|
|
74
|
+
logForDebugging(`[tls-terminate] inner server listen failed: ${err.message}`, { level: 'error' });
|
|
75
|
+
socket.destroy();
|
|
76
|
+
cleanup();
|
|
77
|
+
});
|
|
78
|
+
inner.listen(sockPath, () => {
|
|
79
|
+
const loop = connect({ path: sockPath });
|
|
80
|
+
loop.on('error', err => {
|
|
81
|
+
logForDebugging(`[tls-terminate] inner loopback failed: ${err.message}`, {
|
|
82
|
+
level: 'error',
|
|
83
|
+
});
|
|
84
|
+
socket.destroy();
|
|
85
|
+
cleanup();
|
|
86
|
+
});
|
|
87
|
+
loop.once('connect', () => {
|
|
88
|
+
socket.write('HTTP/1.1 200 Connection Established\r\n\r\n');
|
|
89
|
+
// Any bytes the client sent in the same packet as the CONNECT are the
|
|
90
|
+
// start of its ClientHello — forward them first.
|
|
91
|
+
if (head.length)
|
|
92
|
+
loop.write(head);
|
|
93
|
+
socket.pipe(loop);
|
|
94
|
+
loop.pipe(socket);
|
|
95
|
+
});
|
|
96
|
+
socket.on('error', () => loop.destroy());
|
|
97
|
+
socket.once('close', () => {
|
|
98
|
+
loop.destroy();
|
|
99
|
+
cleanup();
|
|
100
|
+
});
|
|
101
|
+
loop.once('close', () => socket.destroy());
|
|
102
|
+
});
|
|
103
|
+
inner.unref();
|
|
104
|
+
}
|
|
105
|
+
async function forwardUpstream(filterRequest, req, res, target) {
|
|
106
|
+
let body = req;
|
|
107
|
+
if (filterRequest) {
|
|
108
|
+
const ac = new AbortController();
|
|
109
|
+
res.once('close', () => ac.abort());
|
|
110
|
+
const host = req.headers.host ??
|
|
111
|
+
(target.port === 443
|
|
112
|
+
? target.hostname
|
|
113
|
+
: `${target.hostname}:${target.port}`);
|
|
114
|
+
const out = await decideAndRespond(filterRequest, req, res, `https://${host}${req.url ?? '/'}`, ac.signal);
|
|
115
|
+
if (out === null)
|
|
116
|
+
return;
|
|
117
|
+
body = out;
|
|
118
|
+
}
|
|
119
|
+
// Bun's https.request verifies the upstream cert against headers.host
|
|
120
|
+
// verbatim (including ":port"), which never matches a SAN. Drop the host
|
|
121
|
+
// header and let the runtime derive it from {host, port} — same wire value,
|
|
122
|
+
// correct verification under both Node and Bun.
|
|
123
|
+
const fwdHeaders = stripHopByHop(req.headers);
|
|
124
|
+
delete fwdHeaders.host;
|
|
125
|
+
// TODO(terminating-tls): honour parentProxy for the upstream leg.
|
|
126
|
+
const upstream = httpsRequest({
|
|
127
|
+
host: target.hostname,
|
|
128
|
+
port: target.port,
|
|
129
|
+
path: req.url,
|
|
130
|
+
method: req.method,
|
|
131
|
+
headers: fwdHeaders,
|
|
132
|
+
// We're a TLS-terminating proxy, not a trust boundary for the upstream
|
|
133
|
+
// server's identity — let the runtime do normal verification against
|
|
134
|
+
// system roots (and NODE_EXTRA_CA_CERTS). servername must match the
|
|
135
|
+
// host the client intended; SNI cannot carry an IP literal, and Bun's
|
|
136
|
+
// https.request treats `servername: undefined` differently from
|
|
137
|
+
// omitting the key, so spread conditionally.
|
|
138
|
+
...(isIP(target.hostname) ? {} : { servername: target.hostname }),
|
|
139
|
+
...(target.upstreamCA ? { ca: target.upstreamCA } : {}),
|
|
140
|
+
// No global agent: a proxy's outbound leg shouldn't share a connection
|
|
141
|
+
// pool keyed on the proxy process. Also works around a Bun quirk where
|
|
142
|
+
// the first request's `ca:` value is cached on the global agent and
|
|
143
|
+
// subsequent calls with a different `ca:` are silently ignored.
|
|
144
|
+
agent: false,
|
|
145
|
+
}, upRes => {
|
|
146
|
+
res.writeHead(upRes.statusCode ?? 502, stripHopByHop(upRes.headers));
|
|
147
|
+
upRes.pipe(res);
|
|
148
|
+
});
|
|
149
|
+
upstream.on('error', err => {
|
|
150
|
+
logForDebugging(`[tls-terminate] upstream ${target.hostname}:${target.port} failed: ${err.message}`, { level: 'error' });
|
|
151
|
+
if (!res.headersSent) {
|
|
152
|
+
res.writeHead(502, { 'Content-Type': 'text/plain' });
|
|
153
|
+
res.end('Bad Gateway');
|
|
154
|
+
}
|
|
155
|
+
else {
|
|
156
|
+
res.destroy();
|
|
157
|
+
}
|
|
158
|
+
});
|
|
159
|
+
res.on('close', () => upstream.destroy());
|
|
160
|
+
body.pipe(upstream);
|
|
161
|
+
}
|
|
162
|
+
let sockSeq = 0;
|
|
163
|
+
function innerSocketPath() {
|
|
164
|
+
// Keep it short — macOS sun_path is 104 bytes.
|
|
165
|
+
return join(tmpdir(), `srt-tt-${process.pid}-${(sockSeq++).toString(36)}.sock`);
|
|
166
|
+
}
|
|
167
|
+
//# sourceMappingURL=tls-terminate-proxy.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"tls-terminate-proxy.js","sourceRoot":"","sources":["../../src/sandbox/tls-terminate-proxy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EACL,YAAY,IAAI,iBAAiB,EACjC,OAAO,IAAI,YAAY,GACxB,MAAM,YAAY,CAAA;AAEnB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,UAAU,CAAA;AACxC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAChC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAChC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAA;AAEhC,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAEnD,OAAO,EACL,gBAAgB,GAEjB,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAA;AAajD;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,mBAAmB,CACjC,EAAU,EACV,aAAgD,EAChD,MAAc,EACd,IAAY,EACZ,MAAuB;IAEvB,2EAA2E;IAC3E,wEAAwE;IACxE,yDAAyD;IACzD,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAA;IAClD,MAAM,KAAK,GAAG,iBAAiB,CAAC;QAC9B,aAAa,EAAE,CAAC,UAAU,CAAC;QAC3B,IAAI,EAAE,QAAQ,CAAC,OAAO;QACtB,GAAG,EAAE,QAAQ,CAAC,MAAM;QACpB,WAAW,EAAE,CAAC,UAAU,EAAE,EAAE,EAAE,EAAE;YAC9B,IAAI,CAAC;gBACH,EAAE,CAAC,IAAI,EAAE,gBAAgB,CAAC,EAAE,EAAE,UAAU,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAA;YAC/D,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,EAAE,CAAC,GAAY,CAAC,CAAA;YAClB,CAAC;QACH,CAAC;KACF,CAAC,CAAA;IAEF,KAAK,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC/B,KAAK,eAAe,CAAC,aAAa,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,CAAA;IACvD,CAAC,CAAC,CAAA;IACF,KAAK,CAAC,EAAE,CAAC,gBAAgB,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE;QACvC,eAAe,CACb,wCAAwC,MAAM,CAAC,QAAQ,KAAK,GAAG,CAAC,OAAO,EAAE,EACzE,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACD,IAAI,CAAC,OAAO,EAAE,CAAA;IAChB,CAAC,CAAC,CAAA;IACF,KAAK,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE;QACjC,wDAAwD;QACxD,eAAe,CAAC,yCAAyC,EAAE;YACzD,KAAK,EAAE,MAAM;SACd,CAAC,CAAA;QACF,IAAI,CAAC,OAAO,EAAE,CAAA;IAChB,CAAC,CAAC,CAAA;IAEF,MAAM,QAAQ,GAAG,eAAe,EAAE,CAAA;IAClC,MAAM,OAAO,GAAG,GAAG,EAAE;QACnB,KAAK,CAAC,KAAK,EAAE,CAAA;QACb,MAAM,CAAC,QAAQ,EAAE,GAAG,EAAE,GAAE,CAAC,CAAC,CAAA;IAC5B,CAAC,CAAA;IACD,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;QACtB,eAAe,CACb,+CAA+C,GAAG,CAAC,OAAO,EAAE,EAC5D,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACD,MAAM,CAAC,OAAO,EAAE,CAAA;QAChB,OAAO,EAAE,CAAA;IACX,CAAC,CAAC,CAAA;IACF,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,GAAG,EAAE;QAC1B,MAAM,IAAI,GAAG,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAA;QACxC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;YACrB,eAAe,CAAC,0CAA0C,GAAG,CAAC,OAAO,EAAE,EAAE;gBACvE,KAAK,EAAE,OAAO;aACf,CAAC,CAAA;YACF,MAAM,CAAC,OAAO,EAAE,CAAA;YAChB,OAAO,EAAE,CAAA;QACX,CAAC,CAAC,CAAA;QACF,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,EAAE;YACxB,MAAM,CAAC,KAAK,CAAC,6CAA6C,CAAC,CAAA;YAC3D,sEAAsE;YACtE,iDAAiD;YACjD,IAAI,IAAI,CAAC,MAAM;gBAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;YACjC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YACjB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;QACnB,CAAC,CAAC,CAAA;QACF,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAA;QACxC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE;YACxB,IAAI,CAAC,OAAO,EAAE,CAAA;YACd,OAAO,EAAE,CAAA;QACX,CAAC,CAAC,CAAA;QACF,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAA;IAC5C,CAAC,CAAC,CAAA;IACF,KAAK,CAAC,KAAK,EAAE,CAAA;AACf,CAAC;AAED,KAAK,UAAU,eAAe,CAC5B,aAAgD,EAChD,GAAoB,EACpB,GAAmB,EACnB,MAAuB;IAEvB,IAAI,IAAI,GAAa,GAAG,CAAA;IACxB,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,EAAE,GAAG,IAAI,eAAe,EAAE,CAAA;QAChC,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC,CAAA;QACnC,MAAM,IAAI,GACR,GAAG,CAAC,OAAO,CAAC,IAAI;YAChB,CAAC,MAAM,CAAC,IAAI,KAAK,GAAG;gBAClB,CAAC,CAAC,MAAM,CAAC,QAAQ;gBACjB,CAAC,CAAC,GAAG,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC,CAAA;QAC1C,MAAM,GAAG,GAAG,MAAM,gBAAgB,CAChC,aAAa,EACb,GAAG,EACH,GAAG,EACH,WAAW,IAAI,GAAG,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,EAClC,EAAE,CAAC,MAAM,CACV,CAAA;QACD,IAAI,GAAG,KAAK,IAAI;YAAE,OAAM;QACxB,IAAI,GAAG,GAAG,CAAA;IACZ,CAAC;IAED,sEAAsE;IACtE,yEAAyE;IACzE,4EAA4E;IAC5E,gDAAgD;IAChD,MAAM,UAAU,GAAG,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;IAC7C,OAAO,UAAU,CAAC,IAAI,CAAA;IAEtB,kEAAkE;IAClE,MAAM,QAAQ,GAAG,YAAY,CAC3B;QACE,IAAI,EAAE,MAAM,CAAC,QAAQ;QACrB,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,IAAI,EAAE,GAAG,CAAC,GAAG;QACb,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,OAAO,EAAE,UAAU;QACnB,uEAAuE;QACvE,qEAAqE;QACrE,oEAAoE;QACpE,sEAAsE;QACtE,gEAAgE;QAChE,6CAA6C;QAC7C,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC;QACjE,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACvD,uEAAuE;QACvE,uEAAuE;QACvE,oEAAoE;QACpE,gEAAgE;QAChE,KAAK,EAAE,KAAK;KACb,EACD,KAAK,CAAC,EAAE;QACN,GAAG,CAAC,SAAS,CAAC,KAAK,CAAC,UAAU,IAAI,GAAG,EAAE,aAAa,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAA;QACpE,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACjB,CAAC,CACF,CAAA;IAED,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;QACzB,eAAe,CACb,4BAA4B,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,IAAI,YAAY,GAAG,CAAC,OAAO,EAAE,EACnF,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACD,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;YACrB,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE,CAAC,CAAA;YACpD,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;QACxB,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,OAAO,EAAE,CAAA;QACf,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAA;IACzC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;AACrB,CAAC;AAED,IAAI,OAAO,GAAG,CAAC,CAAA;AACf,SAAS,eAAe;IACtB,+CAA+C;IAC/C,OAAO,IAAI,CACT,MAAM,EAAE,EACR,UAAU,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,OAAO,CACzD,CAAA;AACH,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@sysid/sandbox-runtime-improved",
|
|
3
|
-
"version": "0.0.
|
|
3
|
+
"version": "0.0.51-sysid.1",
|
|
4
4
|
"description": "Improved Anthropic Sandbox Runtime (ASRT) - A general-purpose tool for wrapping security boundaries around arbitrary processes (sysid fork with several improvements and bug fixes)",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "./dist/index.js",
|
|
@@ -26,6 +26,7 @@
|
|
|
26
26
|
"dependencies": {
|
|
27
27
|
"@pondwader/socks5-server": "^1.0.10",
|
|
28
28
|
"commander": "^12.1.0",
|
|
29
|
+
"node-forge": "^1.4.0",
|
|
29
30
|
"shell-quote": "^1.8.3",
|
|
30
31
|
"zod": "^3.24.1"
|
|
31
32
|
},
|
|
@@ -33,6 +34,7 @@
|
|
|
33
34
|
"@eslint/js": "^9.14.0",
|
|
34
35
|
"@types/bun": "^1.3.2",
|
|
35
36
|
"@types/node": "^18",
|
|
37
|
+
"@types/node-forge": "^1.3.14",
|
|
36
38
|
"@types/shell-quote": "^1.7.5",
|
|
37
39
|
"eslint": "^9.14.0",
|
|
38
40
|
"eslint-config-prettier": "^8.10.0",
|
|
@@ -64,16 +66,16 @@
|
|
|
64
66
|
"network-filtering",
|
|
65
67
|
"filesystem-restrictions"
|
|
66
68
|
],
|
|
67
|
-
"author": "
|
|
69
|
+
"author": "Anthropic PBC",
|
|
68
70
|
"license": "Apache-2.0",
|
|
69
71
|
"repository": {
|
|
70
72
|
"type": "git",
|
|
71
|
-
"url": "git+https://github.com/
|
|
73
|
+
"url": "git+https://github.com/anthropic-experimental/sandbox-runtime.git"
|
|
72
74
|
},
|
|
73
75
|
"bugs": {
|
|
74
|
-
"url": "https://github.com/
|
|
76
|
+
"url": "https://github.com/anthropic-experimental/sandbox-runtime/issues"
|
|
75
77
|
},
|
|
76
|
-
"homepage": "https://github.com/
|
|
78
|
+
"homepage": "https://github.com/anthropic-experimental/sandbox-runtime#readme",
|
|
77
79
|
"lint-staged": {
|
|
78
80
|
"*.ts": [
|
|
79
81
|
"eslint --fix --cache --cache-location=node_modules/.cache/.eslintcache",
|