Skip to content

Fix preview URL parsing for sandbox IDs with hyphens #352

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ghostwriternr merged 2 commits into from
Jan 14, 2026
Merged

Fix preview URL parsing for sandbox IDs with hyphens #352

ghostwriternr merged 2 commits into from
Jan 14, 2026

Conversation

@ghostwriternr
Copy link
Member

@ghostwriternr ghostwriternr commented Jan 13, 2026
edited
Loading

Summary

Fix preview URL parsing for sandbox IDs containing hyphens

PR #329 changed the token regex from {16} to + to support variable-length custom tokens. This made parsing ambiguous when sandbox IDs contain hyphens (UUIDs), causing the wrong sandbox to receive requests.

Breaking change

Tokens can no longer contain hyphens. Existing preview URLs with hyphenated tokens will fail until the port is re-exposed.

Why this wasn't caught

PR CI deploys to workers.dev where preview URL tests are skipped. Main CI runs locally where they execute.

@ghostwriternr
Fix preview URL parsing for sandbox IDs with hyphens
25de71c 
Tokens now use only [a-z0-9_] characters, allowing unambiguous URL parsing
by splitting at the last hyphen. This fixes preview URL routing when sandbox
IDs contain hyphens (like UUIDs).
@changeset-bot
Copy link

changeset-bot bot commented Jan 13, 2026
edited
Loading

⚠️ No Changeset found

Latest commit: fd90b6f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes changesets to release 1 package
Name Type
@cloudflare/sandbox Patch

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

agents-git-bot bot pushed a commit to cloudflare/cloudflare-docs that referenced this pull request Jan 13, 2026
@github-actions
Update sandbox docs for custom port token format changes
7b53869 
- Add custom token documentation to ports API
- Update token format restrictions (no hyphens, only a-z, 0-9, _)
- Add examples showing custom token usage
- Update preview URL format to include token
- Add best practices for using custom tokens

Ref: cloudflare/sandbox-sdk#352
@agents-git-bot agents-git-bot bot mentioned this pull request Jan 13, 2026
Open
@pkg-pr-new
Copy link

pkg-pr-new bot commented Jan 13, 2026
edited
Loading

Open in StackBlitz

npm i https://pkg.pr.new/cloudflare/sandbox-sdk/@cloudflare/sandbox@352

commit: fd90b6f

@github-actions
Copy link
Contributor

github-actions bot commented Jan 13, 2026
edited
Loading

🐳 Docker Images Published

Default:

FROM cloudflare/sandbox:0.0.0-pr-352-df17cbb

With Python:

FROM cloudflare/sandbox:0.0.0-pr-352-df17cbb-python

With OpenCode:

FROM cloudflare/sandbox:0.0.0-pr-352-df17cbb-opencode

Version: 0.0.0-pr-352-df17cbb

Use the -python variant if you need Python code execution, or -opencode for the variant with OpenCode AI coding agent pre-installed.

📦 Standalone Binary

For arbitrary Dockerfiles:

COPY --from=cloudflare/sandbox:0.0.0-pr-352-df17cbb /container-server/sandbox /sandbox
ENTRYPOINT ["/sandbox"]

Download via GitHub CLI:

gh run download 20994437049 -n sandbox-binary

Extract from Docker:

docker run --rm cloudflare/sandbox:0.0.0-pr-352-df17cbb cat /container-server/sandbox > sandbox && chmod +x sandbox

github-actions[bot]
github-actions bot reviewed Jan 14, 2026
View reviewed changes
Copy link
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OpenCode Review

This is a solid fix for the UUID parsing issue. The solution is elegant - restricting token characters to make URL parsing unambiguous.

A few observations:

Good:

  • The parsing logic in extractSandboxRoute() is now robust and handles UUID sandbox IDs correctly
  • Token validation is properly updated in both generation and validation functions
  • Test coverage includes the new hyphen rejection case
  • Changeset documentation is updated to reflect the character restriction

Minor suggestions:

  1. Test coverage gap: The current tests don't specifically verify the UUID parsing scenario that triggered this bug. Consider adding a test case with a UUID sandbox ID to ensure it parses correctly.

  2. Edge case validation: The new parsing logic assumes at least one hyphen exists after the port. While the current validation catches this, it might be worth adding a comment explaining why lastIndexOf('-') is safe here.

The fix is architecturally sound and maintains backward compatibility for existing tokens that don't use hyphens. The restriction to [a-z0-9_] is reasonable for URL tokens and eliminates the parsing ambiguity.

Looks good to merge.

@ghostwriternr ghostwriternr merged commit d6f7475 into main Jan 14, 2026
23 of 25 checks passed
@ghostwriternr ghostwriternr deleted the fix/token-hyphen-parsing branch January 14, 2026 13:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ghostwriternr