Problem
The AIO sandbox provider derives deterministic sandbox IDs from only the first 8 hex characters of a SHA-256 hash of thread_id. That gives roughly 32 bits of namespace. Collisions are plausible at scale and can cause one thread to reuse or collide with another thread's sandbox identity.
Impact
A collision can attach a run to the wrong persistent sandbox, mixing files, process state, or credentials between threads.
Suggested Fix
Use a much longer stable identifier, such as 128+ bits from the hash, a namespace UUID, or HMAC-based ID. Store and verify original thread metadata before reusing an existing sandbox.
Tests
- Unit test that generated IDs include sufficient entropy/length.
- Reuse path verifies sandbox metadata matches the requested thread before attaching.
References
backend/packages/harness/deerflow/community/aio_sandbox/aio_sandbox_provider.py:238backend/packages/harness/deerflow/community/aio_sandbox/aio_sandbox_provider.py:461
Problem
The AIO sandbox provider derives deterministic sandbox IDs from only the first 8 hex characters of a SHA-256 hash of
thread_id. That gives roughly 32 bits of namespace. Collisions are plausible at scale and can cause one thread to reuse or collide with another thread's sandbox identity.Impact
A collision can attach a run to the wrong persistent sandbox, mixing files, process state, or credentials between threads.
Suggested Fix
Use a much longer stable identifier, such as 128+ bits from the hash, a namespace UUID, or HMAC-based ID. Store and verify original thread metadata before reusing an existing sandbox.
Tests
References
backend/packages/harness/deerflow/community/aio_sandbox/aio_sandbox_provider.py:238backend/packages/harness/deerflow/community/aio_sandbox/aio_sandbox_provider.py:461