fix(sandbox): remove double response relay in passthrough credential path#610
Merged
johntmyers merged 1 commit intomainfrom Mar 25, 2026
Merged
Conversation
…path relay_passthrough_with_credentials called relay_http_request_with_resolver (which internally relays the upstream response back to the client) and then immediately called relay_response_to_client a second time. The second call blocked forever waiting for a response that would never arrive, deadlocking every CONNECT tunnel after its first request/response pair. This caused npm install (and any HTTP/1.1 keep-alive client) to hang indefinitely when routed through the sandbox proxy without L7 rules. The L7-inspection path (relay_rest) was not affected — it correctly makes a single call to relay_http_request_with_resolver.
drew
approved these changes
Mar 25, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
relay_passthrough_with_credentialsthat caused all HTTP/1.1 keep-alive clients (e.g.npm install) to hang indefinitely when proxied through the sandbox without L7 rules configured.Related Issue
None — discovered during live debugging of
npm installhanging inside a sandbox.Changes
relay_passthrough_with_credentialscalledrelay_http_request_with_resolver(which internally relays the upstream response back to the client viarelay_responseatrest.rs:194) and then immediately calledrelay_response_to_clienta second time. The second call blocked forever waiting for a response that would never arrive because the upstream was waiting for the next request — deadlocking every CONNECT tunnel after its first request/response pair.The fix removes the duplicate
relay_response_to_clientcall and uses the reusable flag already returned byrelay_http_request_with_resolver. This matches howrelay_rest(the L7-inspection path) already works correctly.The now-unused
relay_response_to_clientfunction becomes dead code (confirmed by compiler warning).Testing
cargo test -p openshell-sandbox --lib l7)npm install -g openclaw@latestcompletes successfully in a sandbox after the fixrelay_response_to_clientis now unused, proving it was only called from the buggy siteChecklist