What's New
⚠️ Breaking Changes
allowed_host_paths defaults to deny-all — Previously, when [storage].allowed_host_paths was empty or unset, the server allowed all host path mounts into sandboxes, creating a sandbox escape vulnerability (closes #750). This release flips the default to deny all host mounts. Users who need the legacy behavior must explicitly set allowed_host_paths = ["/"] as a temporary compatibility measure. Additionally, the server now requires explicit startup confirmation when api_key is unset. (#751)
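The deny-by-default allowlist behavior described above, sketched as an added example (this is not OpenSandbox's own code). The function name `is_host_mount_allowed` and the sample paths are assumptions, and the comparison is lexical only.

```python
import posixpath
from typing import Optional, Sequence


def _normalize(path: str) -> str:
    """Lexically normalise an absolute POSIX path; reject relative ones."""
    if not path.startswith("/"):
        raise ValueError(f"host path must be absolute: {path!r}")
    # normpath collapses "..", "." and repeated slashes without touching disk.
    norm = posixpath.normpath(path)
    # POSIX lets normpath keep a leading "//"; fold it to a single slash.
    return "/" + norm.lstrip("/")


def is_host_mount_allowed(host_path: str,
                          allowed_host_paths: Optional[Sequence[str]]) -> bool:
    """Hypothetical check: deny unless host_path is at or below an allowlisted root."""
    if not allowed_host_paths:
        return False  # empty or unset allowlist means deny all host mounts
    try:
        target = _normalize(host_path)
        roots = [_normalize(p) for p in allowed_host_paths]
    except ValueError:
        return False  # fail closed on relative paths in the request or the config
    # Match on component boundaries so "/srv/data" does not cover "/srv/database".
    return any(r == "/" or target == r or target.startswith(r + "/") for r in roots)


# Constructed sample mount requests, for illustration only.
SAMPLE_REQUESTS = [
    "/srv/data/project",     # inside the allowlisted root
    "/srv/database",         # shares a string prefix, different directory
    "/srv/data/../../etc",   # traversal that normalises to /etc
    "/etc/shadow",           # unrelated host path
]

if __name__ == "__main__":
    for allowlist in (None, ["/srv/data"], ["/"]):
        for path in SAMPLE_REQUESTS:
            verdict = "allow" if is_host_mount_allowed(path, allowlist) else "deny"
            print(f"allowed_host_paths={allowlist!r:14} {path:22} -> {verdict}")
```

An enforcement point that runs on the host would also need to resolve symlinks before comparing, which this lexical sketch does not do. The `["/"]` run shows why the compatibility setting restores the old exposure: every absolute path is allowed.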
✨ Features
- Windows Sandbox
- propagate opensandbox.extensions. to Pod annotations — Extensions with the opensandbox.extensions. prefix are now automatically copied to Kubernetes Pod annotations with the opensandbox.io/extensions. (#772)
- GPU resource limits now honored across both runtimes
🐛 Bug Fixes
- Inject X-Forwarded-* headers for proxied HTTP requests — When proxying HTTP requests to a user sandbox via use_server_proxy, the server now injects X-Forwarded-Proto, X-Forwarded-Host, and X-Forwarded-For headers. Previously, web apps inside the sandbox (VS Code, Jupyter, OAuth callbacks) had no way to determine the original scheme, host, or client IP, causing broken HTTPS redirects and incorrect absolute URL generation. Uses setdefault semantics for upstream proxy chain safety. (#777)
- Honor server.eip for proxied endpoint URLs — When use_server_proxy=true, the server now uses the configured server.eip to generate externally reachable proxy endpoints instead of returning internal base_url addresses. Falls back to existing behavior when eip is unset. (#747)
📦 Misc
- bump execd to v1.0.13 with config template, documentation, and test updates (#763)
- chore(deps): bump python-dotenv from 1.2.1 to 1.2.2 in /server (#784)
👥 Contributors
Thanks to these contributors ❤️
- PyPI: opensandbox-server==0.1.12
- Docker Hub: opensandbox/server:v0.1.12
- Aliyun Registry: sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/server:v0.1.12