feat: add core Sandbox interface (base/local/shell/remote/tools)

Author: gsird

strands-ts/eslint.config.js

@@ -53,6 +53,12 @@ function sdkRules(options) {
       globals: {
         console: 'readonly',
         process: 'readonly',
+        setTimeout: 'readonly',
+        clearTimeout: 'readonly',
+        setInterval: 'readonly',
+        clearInterval: 'readonly',
+        atob: 'readonly',
+        btoa: 'readonly',
       },
     },
     plugins: {

strands-ts/src/agent/agent.ts

@@ -8,6 +8,8 @@ import {
   type LocalAgent,
   type localAgentSymbol,
 } from '../types/agent.js'
+import type { Sandbox } from '../sandbox/base.js'
+import { LocalSandbox } from '../sandbox/local.js'
 import { BedrockModel } from '../models/bedrock.js'
 import {
   contentBlockFromData,
@@ -194,6 +196,12 @@ export type AgentConfig = {
    * Defaults to `'concurrent'`. See {@link ToolExecutorStrategy} for details.
    */
   toolExecutor?: ToolExecutorStrategy
+  /**
+   * Sandbox for tool code execution and filesystem access.
+   * Defaults to {@link LocalSandbox} (native local execution).
+   * Pass {@link NullSandbox} to explicitly disable sandbox functionality.
+   */
+  sandbox?: Sandbox
 }
 
 /** Default name assigned to agents when none is provided. */
@@ -233,6 +241,11 @@ export class Agent implements LocalAgent, InvokableAgent {
    */
   public model: Model
 
+  /**
+   * Sandbox for tool code execution and filesystem access.
+   */
+  public readonly sandbox: Sandbox
+
   /**
    * The system prompt to pass to the model provider.
    */
@@ -351,6 +364,8 @@ export class Agent implements LocalAgent, InvokableAgent {
 
     this._toolExecutor = config?.toolExecutor ?? 'concurrent'
 
+    this.sandbox = config?.sandbox ?? new LocalSandbox()
+
     this._initialized = false
   }
 

strands-ts/src/index.ts

@@ -257,6 +257,22 @@ export { AgentTrace } from './telemetry/tracer.js'
 // Local Metrics
 export { AgentMetrics } from './telemetry/meter.js'
 
+// Sandbox
+export { Sandbox, type ExecuteOptions } from './sandbox/base.js'
+export { LocalSandbox, type LocalSandboxOptions } from './sandbox/local.js'
+export { ShellSandbox } from './sandbox/shell.js'
+export { RemoteSandbox, type RemoteSandboxOptions } from './sandbox/remote.js'
+export { DockerSandbox, type DockerSandboxOptions } from './sandbox/docker.js'
+export { NullSandbox } from './sandbox/null.js'
+export type {
+  StreamType,
+  StreamChunk,
+  FileInfo,
+  OutputFile,
+  ExecutionResult,
+  SandboxSnapshot,
+} from './sandbox/types.js'
+
 // Multi-agent orchestration
 export { Graph } from './multiagent/index.js'
 export { Swarm } from './multiagent/index.js'

strands-ts/src/sandbox/__tests__/adversarial.test.node.ts

@@ -0,0 +1,156 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest'
+import { LocalSandbox } from '../local.js'
+import { execSync } from 'child_process'
+
+const TEST_DIR = '/tmp/strands-test-adversarial'
+
+describe.skipIf(process.platform === 'win32')('Sandbox adversarial tests', () => {
+  let sandbox: LocalSandbox
+
+  beforeEach(() => {
+    execSync(`rm -rf ${TEST_DIR} && mkdir -p ${TEST_DIR}`)
+    sandbox = new LocalSandbox({ workingDir: TEST_DIR })
+  })
+
+  afterEach(() => {
+    execSync(`rm -rf ${TEST_DIR}`)
+  })
+
+  describe('path traversal', () => {
+    it('LocalSandbox does NOT enforce path confinement (documented behavior)', async () => {
+      await sandbox.writeText('/tmp/strands-test-adversarial-outside.txt', 'escaped')
+      const text = await sandbox.readText('/tmp/strands-test-adversarial-outside.txt')
+      expect(text).toBe('escaped')
+      execSync('rm -f /tmp/strands-test-adversarial-outside.txt')
+    })
+
+    it('relative path with .. resolves against workingDir', async () => {
+      await sandbox.writeText('subdir/file.txt', 'inner')
+      const text = await sandbox.readText('subdir/../subdir/file.txt')
+      expect(text).toBe('inner')
+    })
+  })
+
+  describe('command injection', () => {
+    it('language parameter rejects path traversal', async () => {
+      await expect(sandbox.executeCode('x', '../../../bin/sh')).rejects.toThrow('unsafe characters')
+    })
+
+    it('language parameter rejects shell metacharacters', async () => {
+      await expect(sandbox.executeCode('x', 'python;rm -rf /')).rejects.toThrow('unsafe characters')
+    })
+
+    it('language parameter rejects spaces', async () => {
+      await expect(sandbox.executeCode('x', 'python -c')).rejects.toThrow('unsafe characters')
+    })
+
+    it('language parameter allows valid interpreters', async () => {
+      const result = await sandbox.executeCode('print("safe")', 'python3')
+      expect(result.exitCode).toBe(0)
+    })
+
+    it('language parameter allows dots and hyphens', async () => {
+      const result = await sandbox.executeCode('x', 'fake-lang.99')
+      expect(result.exitCode).toBe(127)
+    })
+  })
+
+  describe('binary and edge-case content', () => {
+    it('handles null bytes in files', async () => {
+      const content = new Uint8Array([0, 0, 0, 65, 0, 66, 0])
+      await sandbox.write('nulls.bin', content)
+      const read = await sandbox.read('nulls.bin')
+      expect(Array.from(read)).toStrictEqual(Array.from(content))
+    })
+
+    it('handles all 256 byte values', async () => {
+      const content = new Uint8Array(256)
+      for (let i = 0; i < 256; i++) content[i] = i
+      await sandbox.write('all-bytes.bin', content)
+      const read = await sandbox.read('all-bytes.bin')
+      expect(Array.from(read)).toStrictEqual(Array.from(content))
+    })
+
+    it('handles empty file', async () => {
+      await sandbox.write('empty.txt', new Uint8Array(0))
+      const read = await sandbox.read('empty.txt')
+      expect(read.length).toBe(0)
+    })
+
+    it('handles file with only newlines', async () => {
+      await sandbox.writeText('newlines.txt', '\n\n\n')
+      const text = await sandbox.readText('newlines.txt')
+      expect(text).toBe('\n\n\n')
+    })
+
+    it('handles unicode content', async () => {
+      const content = '日本語テスト 🚀 émojis Ñ'
+      await sandbox.writeText('unicode.txt', content)
+      const text = await sandbox.readText('unicode.txt')
+      expect(text).toBe(content)
+    })
+
+    it('handles shell metacharacters in file content', async () => {
+      const content = '$(rm -rf /) `whoami` && || ; | > < $HOME'
+      await sandbox.writeText('meta.txt', content)
+      const text = await sandbox.readText('meta.txt')
+      expect(text).toBe(content)
+    })
+  })
+
+  describe('concurrent execution', () => {
+    it('handles multiple concurrent commands', async () => {
+      const results = await Promise.all([
+        sandbox.execute('echo one'),
+        sandbox.execute('echo two'),
+        sandbox.execute('echo three'),
+      ])
+      expect(results.map((r) => r.stdout.trim()).sort()).toStrictEqual(['one', 'three', 'two'])
+    })
+
+    it('handles concurrent file writes to different files', async () => {
+      await Promise.all([
+        sandbox.writeText('a.txt', 'aaa'),
+        sandbox.writeText('b.txt', 'bbb'),
+        sandbox.writeText('c.txt', 'ccc'),
+      ])
+      const [a, b, c] = await Promise.all([
+        sandbox.readText('a.txt'),
+        sandbox.readText('b.txt'),
+        sandbox.readText('c.txt'),
+      ])
+      expect(a).toBe('aaa')
+      expect(b).toBe('bbb')
+      expect(c).toBe('ccc')
+    })
+
+    it('two sandbox instances with different workingDirs are isolated', async () => {
+      const sandbox2 = new LocalSandbox({ workingDir: `${TEST_DIR}-2` })
+      await sandbox.writeText('shared-name.txt', 'from sandbox 1')
+      await sandbox2.writeText('shared-name.txt', 'from sandbox 2')
+
+      const text1 = await sandbox.readText('shared-name.txt')
+      const text2 = await sandbox2.readText('shared-name.txt')
+
+      expect(text1).toBe('from sandbox 1')
+      expect(text2).toBe('from sandbox 2')
+
+      execSync(`rm -rf ${TEST_DIR}-2`)
+    })
+  })
+
+  describe('timeout behavior', () => {
+    it('kills process on timeout', async () => {
+      const start = Date.now()
+      await expect(sandbox.execute('sleep 60', { timeout: 0.2 })).rejects.toThrow('timed out')
+      const elapsed = Date.now() - start
+      expect(elapsed).toBeLessThan(2000)
+    })
+
+    it('does not timeout fast commands', async () => {
+      const result = await sandbox.execute('echo fast', { timeout: 5 })
+      expect(result.exitCode).toBe(0)
+      expect(result.stdout).toBe('fast\n')
+    })
+  })
+})