fix(server): skip auth for proxy-to-sandbox paths; strict path matching #250

Open
Pangjiping wants to merge 1 commit into alibaba:main from Pangjiping:fix/server/proxy

@Pangjiping
Collaborator

Summary

  • Do not validate OPEN-SANDBOX-API-KEY when request is proxied to sandbox
    (/sandboxes/{id}/proxy/... or /v1/sandboxes/{id}/proxy/...).
  • Use strict regex for exempt path to avoid false positives
    (e.g. /proxy/sandboxes/... no longer exempt).
  • Reject paths containing '..' to prevent path traversal auth bypass.
  • Add _is_proxy_path() and tests for exemption and security cases.

Testing

  • Not run (explain why)
  • Unit tests
  • Integration tests
  • e2e / manual verification

Breaking Changes

  • None
  • Yes (describe impact and migration path)

Checklist
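
The difference between a loose and a strict exemption check, as an added example that is not code from this pull request or the project. The route shapes come from the summary above; the regex, the percent-decoding step, the function names and the sample paths are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Route shapes come from the PR summary; the regex itself is an assumption.
# It is applied with fullmatch, so it must cover the whole path.
PROXY_PATH_RE = re.compile(r"/(?:v1/)?sandboxes/[^/]+/proxy(?:/.*)?")


def loose_is_proxy_path(path: str) -> bool:
    """Constructed weak check: substring tests match anywhere in the path."""
    return "/sandboxes/" in path and "/proxy" in path


def is_exempt_proxy_path(path: str) -> bool:
    """True only for proxy-to-sandbox routes that may skip the API-key check."""
    # The regex alone would accept '..' after /proxy/, so reject it first,
    # in raw and percent-decoded form (the decoded check is an assumption
    # for servers that hand the middleware an undecoded path).
    if ".." in path or ".." in unquote(path):
        return False
    return PROXY_PATH_RE.fullmatch(path) is not None


# Constructed sample paths (not taken from the project's tests).
SAMPLES = [
    "/sandboxes/abc123/proxy/health",              # proxied: exempt
    "/v1/sandboxes/abc123/proxy/api/run",          # proxied: exempt
    "/proxy/sandboxes/abc123",                     # segments in wrong order
    "/sandboxes/abc123/proxyfoo",                  # 'proxy' is only a prefix
    "/sandboxes//proxy/x",                         # empty sandbox id
    "/v1/sandboxes/abc123/proxy/../../sandboxes",  # traversal out of /proxy/
    "/sandboxes/abc123/proxy/%2e%2e/x",            # encoded traversal
    "/v1/sandboxes/abc123",                        # ordinary API route
]


def audit(samples=SAMPLES):
    """Return (path, loose, strict) rows so the two checks can be compared."""
    return [(p, loose_is_proxy_path(p), is_exempt_proxy_path(p)) for p in samples]


if __name__ == "__main__":
    for path, loose, strict in audit():
        print(f"{path:45} loose={loose!s:5} strict={strict}")
```

Every row where `loose` is true and `strict` is false is a request that would have skipped the API-key check under substring matching.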

Labels

bug (Something isn't working), component/server

Development

Successfully merging this pull request may close these issues.

Bug: HealthAdapter missing authentication headers when use_server_proxy=True, causing health check to always fail with 401

3 participants