Make profiler-cli work in sandboxed environments#6003
Merged
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #6003 +/- ##
=======================================
Coverage 83.82% 83.82%
=======================================
Files 328 328
Lines 34254 34254
Branches 9572 9479 -93
=======================================
Hits 28712 28712
Misses 5114 5114
Partials 428 428 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
mstange
approved these changes
May 7, 2026
Daemon process is the one that does all the network requests, and it looks like all the sandboxed environments use an environment proxy for allowed/disallowed domains using `HTTP_PROXY/HTTPS_PROXY`. I was a bit suspicious at first thinking that maybe this is not great security-wise, but then learned that this is the deafult behavior pretty much everywhere except for node, and node is considering about turning it on by default. For example, this is the default in curl, python, go, and in popular rust packages like reqwest. The rationale is that, if they have access to your machine, setting this env vars is the least of your concern. For example, see the curl documentation: https://curl.se/docs/tutorial.html#:~:text=SPNEGO%29%2E-,Environment%20Variables
Previously, isProcessRunning used `kill(pid, 0)`, to check daemon is still alive, which returns EPERM in sandboxed environments regardless of whether the process actually exists. This commit replaces this check with a socket connection attempt. A connection failure (either ENOENT or ECONNREFUSED) successfully indicates a dead daemon on all platforms without requiring any signal permission. Also it replaces waitForProcessExit with waitForSocketClose, which polls the same connect probe. Updates validateSession to be async and use the new check, collapsing the separate PID and socket-file-existence checks into a single socket connect attempt.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
There were two things that prevented us from having a working cli in the sandboxed environments:
process.kill(pid, 0);isn't allowed in sandboxed environments, so this can't be used to check if the process is still alive. Instead, I converted thatisProcessRunningtoisDaemonReachableand used the existing sockets to check if the daemon is still listening that socket (for example with ECONNREFUSED).Also please see the individual commit messages.
I tested both on macOS and Linux, and they seem to work (with some additional config depending on what you use for sandboxing)