fix: file download path encoding and host volume validation errors

- Fix file download path encoding: use quote(path, safe='/') to properly
  encode spaces and non-ASCII characters while preserving path separators
  in both sync and async filesystem adapters.

- Fix host volume directory handling: auto-create missing host bind-mount
  directories with os.makedirs, return HTTP 500 with HOST_PATH_CREATE_FAILED
  error code on failure. Improve error message to use generic wording and
  avoid leaking raw OS error details to clients.

- Fix endpoint proxy query string: preserve original query parameters when
  proxying requests to sandbox endpoints.

Author: RonaldJEN

sdks/sandbox/python/src/opensandbox/adapters/filesystem_adapter.py

@@ -476,15 +476,15 @@ def _build_download_request(
         Returns:
             Dictionary containing URL, parameters, and headers for the request
         """
-        url = self._get_execd_url(self.FILESYSTEM_DOWNLOAD_PATH)
-        params = {"path": path}
+        encoded_path = quote(path, safe="/")
+        url = f"{self._get_execd_url(self.FILESYSTEM_DOWNLOAD_PATH)}?path={encoded_path}"
         headers: dict[str, str] = {}
 
         if range_header:
             headers["Range"] = range_header
 
         return {
             "url": url,
-            "params": params,
+            "params": {},
             "headers": headers,
         }

sdks/sandbox/python/src/opensandbox/sync/adapters/filesystem_adapter.py

@@ -87,12 +87,12 @@ def _get_execd_url(self, path: str) -> str:
         return f"{self.connection_config.protocol}://{self.execd_endpoint.endpoint}{path}"
 
     def _build_download_request(self, path: str, range_header: str | None = None) -> _DownloadRequest:
-        url = self._get_execd_url(self.FILESYSTEM_DOWNLOAD_PATH)
-        params = {"path": path}
+        encoded_path = quote(path, safe="/")
+        url = f"{self._get_execd_url(self.FILESYSTEM_DOWNLOAD_PATH)}?path={encoded_path}"
         headers: dict[str, str] = {}
         if range_header:
             headers["Range"] = range_header
-        return {"url": url, "params": params, "headers": headers}
+        return {"url": url, "params": {}, "headers": headers}
 
     def read_file(
         self,

server/src/api/lifecycle.py

@@ -431,9 +431,11 @@ async def proxy_sandbox_endpoint_request(request: Request, sandbox_id: str, port
 
     target_host = endpoint.endpoint
     query_string = request.url.query
-    target_url = f"http://{target_host}/{full_path}"
-    if query_string:
-        target_url = f"{target_url}?{query_string}"
+    target_url = (
+        f"http://{target_host}/{full_path}?{query_string}"
+        if query_string
+        else f"http://{target_host}/{full_path}"
+    )
 
     client: httpx.AsyncClient = request.app.state.http_client
 

server/src/services/constants.py

@@ -69,6 +69,7 @@ class SandboxErrorCodes:
     INVALID_PVC_NAME = "VOLUME::INVALID_PVC_NAME"
     UNSUPPORTED_VOLUME_BACKEND = "VOLUME::UNSUPPORTED_BACKEND"
     HOST_PATH_NOT_FOUND = "VOLUME::HOST_PATH_NOT_FOUND"
+    HOST_PATH_CREATE_FAILED = "VOLUME::HOST_PATH_CREATE_FAILED"
     PVC_VOLUME_NOT_FOUND = "VOLUME::PVC_NOT_FOUND"
     PVC_VOLUME_INSPECT_FAILED = "VOLUME::PVC_INSPECT_FAILED"
     PVC_SUBPATH_UNSUPPORTED_DRIVER = "VOLUME::PVC_SUBPATH_UNSUPPORTED_DRIVER"

server/src/services/docker.py

@@ -976,14 +976,15 @@ def _validate_host_volume(volume, allowed_prefixes: Optional[list[str]]) -> None
         Docker-specific validation for host bind mount volumes.
 
         Validates that the resolved host path (host.path + optional subPath)
-        exists on the filesystem and remains within allowed prefixes.
+        remains within allowed prefixes, then ensures the directory exists on
+        the filesystem — creating it automatically if it does not.
 
         Args:
             volume: Volume with host backend.
             allowed_prefixes: Optional allowlist of host path prefixes.
 
         Raises:
-            HTTPException: When the resolved path is invalid or missing.
+            HTTPException: When the resolved path is invalid or cannot be created.
         """
         resolved_path = volume.host.path
         if volume.sub_path:
@@ -996,14 +997,16 @@ def _validate_host_volume(volume, allowed_prefixes: Optional[list[str]]) -> None
         if allowed_prefixes and resolved_path != volume.host.path:
             ensure_valid_host_path(resolved_path, allowed_prefixes)
 
-        if not os.path.exists(resolved_path):
+        try:
+            os.makedirs(resolved_path, exist_ok=True)
+        except OSError as e:
             raise HTTPException(
-                status_code=status.HTTP_400_BAD_REQUEST,
+                status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
                 detail={
-                    "code": SandboxErrorCodes.HOST_PATH_NOT_FOUND,
+                    "code": SandboxErrorCodes.HOST_PATH_CREATE_FAILED,
                     "message": (
-                        f"Volume '{volume.name}': resolved host path '{resolved_path}' "
-                        "does not exist. Host paths must exist before sandbox creation."
+                        f"Volume '{volume.name}': could not ensure host path "
+                        f"directory exists at '{resolved_path}': {type(e).__name__}"
                     ),
                 },
             )