From 508c594db69695adac7a8ed2efddde66187a045b Mon Sep 17 00:00:00 2001 From: John Myers <9696606+johntmyers@users.noreply.github.com> Date: Wed, 25 Mar 2026 07:44:26 -0700 Subject: [PATCH] fix(sandbox): remove double response relay in passthrough credential path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit relay_passthrough_with_credentials called relay_http_request_with_resolver (which internally relays the upstream response back to the client) and then immediately called relay_response_to_client a second time. The second call blocked forever waiting for a response that would never arrive, deadlocking every CONNECT tunnel after its first request/response pair. This caused npm install (and any HTTP/1.1 keep-alive client) to hang indefinitely when routed through the sandbox proxy without L7 rules. The L7-inspection path (relay_rest) was not affected — it correctly makes a single call to relay_http_request_with_resolver. --- crates/openshell-sandbox/src/l7/relay.rs | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/crates/openshell-sandbox/src/l7/relay.rs b/crates/openshell-sandbox/src/l7/relay.rs index 61828047..940e7f94 100644 --- a/crates/openshell-sandbox/src/l7/relay.rs +++ b/crates/openshell-sandbox/src/l7/relay.rs @@ -275,16 +275,14 @@ where "HTTP_REQUEST", ); - // Forward request with credential rewriting. - let keep_alive = + // Forward request with credential rewriting and relay the response. + // relay_http_request_with_resolver handles both directions: it sends + // the request upstream and reads the response back to the client. + let reusable = crate::l7::rest::relay_http_request_with_resolver(&req, client, upstream, resolver) .await?; - // Relay response back to client. - let reusable = - crate::l7::rest::relay_response_to_client(upstream, client, &req.action).await?; - - if !keep_alive || !reusable { + if !reusable { break; } }