Skip to content

Gate terminal templates by trusted providers#472

Open
matthewlouisbrockman wants to merge 5 commits into
mainfrom
tighten-security-trusted-templates-en-1159
Open

Gate terminal templates by trusted providers#472
matthewlouisbrockman wants to merge 5 commits into
mainfrom
tighten-security-trusted-templates-en-1159

Conversation

@matthewlouisbrockman

@matthewlouisbrockman matthewlouisbrockman commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

templates need to be trusted

@linear-code

linear-code Bot commented Jun 26, 2026

Copy link
Copy Markdown

EN-1159

@cla-bot cla-bot Bot added the cla-signed label Jun 26, 2026
@cursor

cursor Bot commented Jun 26, 2026
edited
Loading

Copy link
Copy Markdown

PR Summary

High Risk
Sandbox creation from arbitrary templates is security-sensitive; gating is client-only while the openTerminal API path is unchanged.

Overview
The trustedTemplateProviders payload flag and client-side review dialog block auto-start for namespaced templates from providers not on the allowlist; /sbx/new skips server-side Sandbox.create when template or command query params are present and sends users to the team terminal page instead.

Trusted-provider enforcement is only in the browser (queueTerminalCommand, restart, dialog). sandbox.openTerminal still accepts any normalized template and can create a sandbox without the confirmation step, so the gate can be bypassed outside the UI.

Reviewed by Cursor Bugbot for commit d4259c5. Bugbot is set up for automated code reviews on this repo. Configure here.

@vercel

vercel Bot commented Jun 26, 2026
edited
Loading

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
web Ready Ready Preview, Comment Jun 26, 2026 4:51am

Request Review

cursor[bot]
cursor Bot reviewed Jun 26, 2026
View reviewed changes
Comment thread src/features/dashboard/terminal/dashboard-terminal.tsx
chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Jun 26, 2026
View reviewed changes

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 61f8ce7855

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/features/dashboard/terminal/dashboard-terminal.tsx
ben-fornefeld
ben-fornefeld requested changes Jun 26, 2026
View reviewed changes
Comment thread src/app/sbx/new/route.ts

@ben-fornefeld ben-fornefeld Jun 26, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you are breaking the sbx.new here since it does not create a sandbox anymore.

@matthewlouisbrockman matthewlouisbrockman Jun 26, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

still works but making it so we only use new terminal if we have a template or a command then

claude[bot]
claude Bot reviewed Jun 26, 2026
View reviewed changes
Comment thread src/features/dashboard/terminal/dashboard-terminal.tsx
cursor[bot]
cursor Bot reviewed Jun 26, 2026
View reviewed changes

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit ecf302a. Configure here.

Comment thread src/features/dashboard/terminal/dashboard-terminal.tsx
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments
@cursor cursor[bot] cursor[bot] left review comments
@claude claude[bot] claude[bot] left review comments
@drankou drankou Awaiting requested review from drankou drankou is a code owner
@huv1k huv1k Awaiting requested review from huv1k huv1k is a code owner
@Kraci Kraci Awaiting requested review from Kraci Kraci is a code owner
@ben-fornefeld ben-fornefeld Awaiting requested review from ben-fornefeld ben-fornefeld is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

cla-signed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@matthewlouisbrockman @ben-fornefeld