Interactive code examples for documentation, education and fun
It's now possible to spin up a container in the before step and use it in subsequent steps. If you do this, don't forget to stop the container in the after step.
The :name in the box property is replaced with the actual container name at runtime.
Here is an example from the Caddy sandbox:
{
"exec": {
"engine": "docker",
"entry": "main.sh",
"before": {
"box": "caddy",
"action": "run",
"detach": true,
"command": ["caddy", "run"]
},
"steps": [
{
"box": ":name",
"action": "exec",
"command": ["sh", "main.sh"]
}
],
"after": {
"box": ":name",
"action": "stop"
}
}
}
⚠️ This is a critical security update. If you host a public-facing Codapi instance, you should upgrade as soon as possible.
This release protects against directory traversal attacks when writing request files.
Special thanks to @shadowscatcher for reporting this issue.
You can define multiple versions of the same box in boxes.json:
{
"alpine": {
"image": "codapi/alpine"
},
"alpine:3.18": {
"image": "codapi/alpine:3.18"
}
}
and pass the version in the request:
{
"sandbox": "sh",
"version": "3.18",
"command": "run",
"files": {
"": "echo hello"
}
}
The default version is latest. It is assumed in both boxes.json and requests unless explicitly stated otherwise.
You can pass binary files in the request using data-url encoding. For example, this request:
{
"sandbox": "sh",
"command": "run",
"files": {
"main.sh": "ls data.bin",
"data.bin": "data:application/octet-stream;base64,MTIz"
}
}
will create the file data.bin on the server with a binary content of 123.
To avoid "permission denied" errors when the host user UID does not match the container user UID (see #6), the temporary directory for the request is now created with 777 permissions.
⚠️ This is a breaking change.
Config files config.json and boxes.json moved to config folder.
Config file commands.json split into multiple files in the config/commands folder. Now there is a separate file for each sandbox — this makes adding new sandboxes and commands much easier.
This is the first public Codapi release. However, it has had several private releases before, and has been battle-tested on codapi.org. So I consider it ready for non-critical production use cases (assuming you install it on a separate machine — this is a must for security reasons).