
OpenSandbox

vserver/v0.1.13 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

✓ No known CVEs patched

Topics

ai ai-agent ai-infra kubernetes sandbox

Summary

AI summary

Signed endpoints for secure route access and snapshot lifecycle management were introduced.

Full changelog

What's New

✨ Features

  • Snapshot lifecycle management — create/get/list/delete APIs with async background commit, SQLite metadata store, and startup recovery for unfinished snapshots. Sandbox restore via snapshotId. SDK support across all 5 languages.

    • Docker: image commit/delete/inspect runtime (#764)
    • Kubernetes: SandboxSnapshot CRD with server-side watching (#837)
    • Deletion durability: records persisted as Deleting before runtime cleanup, so interrupted deletes recover via existing startup path instead of leaving stale Ready metadata (#842)
  • OSEP-0011: Signed endpoints for secure route access — GET /sandboxes/{sandboxId}/endpoints/{port}?expires=<unix_seconds> returns SHA256-signed time-limited route tokens. Ingress gateway verifies signature before proxying. SDK support across all 5 languages. (#787)

  • OSEP-0008: Pause/resume with rootfs snapshot (Kubernetes) — /pause and /resume endpoints, SandboxSnapshot CRD + controller, nerdctl-based image-committer Job. Supports pausePolicy in pool-based BatchSandbox. (#668)

  • API key env override — OPENSANDBOX_SERVER_API_KEY env var overrides server.api_key from TOML config. Helm chart updated with env support. (#830)

🐛 Bug Fixes

  • K8s: event loop blocked during sandbox creation — time.sleep in _wait_for_sandbox_ready blocked the asyncio event loop, causing liveness probe timeouts. Replaced with await asyncio.sleep. (#841)

  • Host path validation bypass via symlinks — host paths and allowed prefixes now resolved with os.path.realpath() before validation. Closes #814. (#816)

  • CodeQL static analysis fixes — fixed integer conversion, stack trace exposure, clear-text logging, regex backtracking, JS string escaping, missing workflow permissions. OSSFS temp files now owner-only. (#795)

  • CodeQL false positive documentation — documented suppressions for sandbox-local SQL execution, Docker port probe, and startup-guard logging. (#797)

📦 Misc

  • Docker runtime modularization — split 2698-line docker.py into mixin modules (orchestration, container ops, networking, volumes, runtime). No behavior changes. (#832)

  • Coverage enforcement — CI enforces 80% statement coverage with pytest-cov --cov-fail-under=80. (#828)

👥 Contributors

Thanks to these contributors ❤️

  • @qingyuppp
  • @fengcone
  • @Pangjiping
  • @sauce-git
  • @hittyt
  • @ninan-nn

  • PyPI: opensandbox-server==0.1.13
  • Docker Hub: opensandbox/server:v0.1.13
  • Aliyun Registry: sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/server:v0.1.13

Security Fixes

  • Host path validation now resolves symlinks via os.path.realpath() to prevent bypass (#816)
  • CodeQL static analysis fixes addressing integer conversion, stack trace exposure, clear-text logging, regex backtracking, JS string escaping, and OSSFS temp file permissions (#795)
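The symlink bypass fixed in #816 (listed under Bug Fixes and again above) comes down to comparing a lexical path against an allowed prefix instead of the resolved filesystem location. The following is an added illustration, not the project's own code: a naive prefix check beside a realpath-based one, run against a constructed directory layout where a symlink inside the allowed tree points outside it. The function names and the layout are assumptions for the demo.

```python
import os
import tempfile


def is_allowed_naive(host_path: str, allowed_prefixes: list[str]) -> bool:
    """Assumed pre-fix shape: compares the lexical (normalised) path against
    the allowed prefixes, so a symlink that lives inside the allowed tree but
    points elsewhere still passes."""
    norm = os.path.normpath(host_path)
    return any(norm == p or norm.startswith(p.rstrip(os.sep) + os.sep)
               for p in allowed_prefixes)


def is_allowed_realpath(host_path: str, allowed_prefixes: list[str]) -> bool:
    """Hardened check: resolve symlinks on both the candidate path and every
    allowed prefix, then compare the resolved locations. commonpath avoids the
    separate '/data' matching '/data-secret' mistake a bare startswith allows."""
    real = os.path.realpath(host_path)
    for prefix in allowed_prefixes:
        real_prefix = os.path.realpath(prefix)
        if os.path.commonpath([real, real_prefix]) == real_prefix:
            return True
    return False


def demo() -> dict:
    """Constructed layout: <tmp>/allowed is the only permitted prefix;
    <tmp>/allowed/escape is a symlink to <tmp>/secret."""
    with tempfile.TemporaryDirectory() as root:
        allowed = os.path.join(root, "allowed")
        secret = os.path.join(root, "secret")
        os.makedirs(allowed)
        os.makedirs(secret)
        os.symlink(secret, os.path.join(allowed, "escape"))
        escaping = os.path.join(allowed, "escape", "etc")   # resolves under secret/
        legit = os.path.join(allowed, "workspace")          # genuinely under allowed/
        return {
            "naive_accepts_escape": is_allowed_naive(escaping, [allowed]),
            "realpath_accepts_escape": is_allowed_realpath(escaping, [allowed]),
            "realpath_accepts_legit": is_allowed_realpath(legit, [allowed]),
        }


if __name__ == "__main__":
    print(demo())
```

The resolved path, not the caller-supplied one, should be what the runtime actually mounts, otherwise a link swapped in between validation and use reopens the gap.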


About OpenSandbox

Secure, Fast, and Extensible Sandbox runtime for AI agents.
