the universal sandbox runtime for agents and humans.
pocketenv.io
sandbox
openclaw
agent
claude-code
vercel-sandbox
deno-sandbox
cloudflare-sandbox
atproto
sprites
daytona
Enforce minimum port 1024
Disallow privileged ports by updating schemas, pkl defs, server
handlers,
and UI validation. Applied to API lexicons, cf-sandbox endpoints, and
ExposePortModal.
+19
-19
+1
-1
apps/api/lexicons/port/defs.json
+1
-1
apps/api/lexicons/port/defs.json
+2
-2
apps/api/lexicons/sandbox/defs.json
+2
-2
apps/api/lexicons/sandbox/defs.json
···
65
65
"items": {
66
66
"type": "integer",
67
67
"maximum": 65535,
68
-
"minimum": 1
68
+
"minimum": 1024
69
69
},
70
70
"maxLength": 100
71
71
},
···
158
158
"items": {
159
159
"type": "integer",
160
160
"maximum": 65535,
161
-
"minimum": 1
161
+
"minimum": 1024
162
162
},
163
163
"maxLength": 100
164
164
},
+1
-1
apps/api/lexicons/sandbox/exposePort.json
+1
-1
apps/api/lexicons/sandbox/exposePort.json
+1
-1
apps/api/lexicons/sandbox/unexposePort.json
+1
-1
apps/api/lexicons/sandbox/unexposePort.json
+1
-1
apps/api/pkl/defs/port/defs.pkl
+1
-1
apps/api/pkl/defs/port/defs.pkl
+2
-2
apps/api/pkl/defs/sandbox/defs.pkl
+2
-2
apps/api/pkl/defs/sandbox/defs.pkl
···
65
65
type = "array"
66
66
items = new IntegerType {
67
67
type = "integer"
68
-
minimum = 1
68
+
minimum = 1024
69
69
maximum = 65535
70
70
}
71
71
maxLength = 100
···
159
159
type = "array"
160
160
items = new IntegerType {
161
161
type = "integer"
162
-
minimum = 1
162
+
minimum = 1024
163
163
maximum = 65535
164
164
}
165
165
maxLength = 100
+1
-1
apps/api/pkl/defs/sandbox/exposePort.pkl
+1
-1
apps/api/pkl/defs/sandbox/exposePort.pkl
+1
-1
apps/api/pkl/defs/sandbox/unexposePort.pkl
+1
-1
apps/api/pkl/defs/sandbox/unexposePort.pkl
+5
-5
apps/api/src/lexicon/lexicons.ts
+5
-5
apps/api/src/lexicon/lexicons.ts
···
425
425
type: "integer",
426
426
description: "The port number.",
427
427
maximum: 65535,
428
-
minimum: 1,
428
+
minimum: 1024,
429
429
},
430
430
description: {
431
431
type: "string",
···
663
663
items: {
664
664
type: "integer",
665
665
maximum: 65535,
666
-
minimum: 1,
666
+
minimum: 1024,
667
667
},
668
668
maxLength: 100,
669
669
},
···
761
761
items: {
762
762
type: "integer",
763
763
maximum: 65535,
764
-
minimum: 1,
764
+
minimum: 1024,
765
765
},
766
766
maxLength: 100,
767
767
},
···
1070
1070
type: "integer",
1071
1071
description: "The port number to expose.",
1072
1072
maximum: 65535,
1073
-
minimum: 1,
1073
+
minimum: 1024,
1074
1074
},
1075
1075
description: {
1076
1076
type: "string",
···
1667
1667
type: "integer",
1668
1668
description: "The port number to unexpose.",
1669
1669
maximum: 65535,
1670
-
minimum: 1,
1670
+
minimum: 1024,
1671
1671
},
1672
1672
},
1673
1673
},
+2
-2
apps/cf-sandbox/src/index.ts
+2
-2
apps/cf-sandbox/src/index.ts
···
736
736
737
737
const { port } = await c.req.json<{ port: number }>();
738
738
739
-
if (!port || port <= 0 || port > 65535) {
739
+
if (!port || port < 1024 || port > 65535) {
740
740
return c.json({ error: "Invalid port number" }, 400);
741
741
}
742
742
···
777
777
778
778
const port = parseInt(c.req.query("port") || "0", 10);
779
779
780
-
if (!port || port <= 0 || port > 65535) {
780
+
if (!port || port <= 1024 || port > 65535) {
781
781
return c.json({ error: "Invalid port number" }, 400);
782
782
}
783
783