[Bug] workflow sandbox does not always restrict usage of urllib3 #1287

@millerick

What are you really trying to do?

We noticed that one of our services was able to use requests to send HTTP requests, while others were not. We eventually tracked it down to a difference in urllib3 between services.

Describe the bug

When urllib3==1.26.19 is installed alongside requests, workflow code is able to avoid the sandbox restrictions and send HTTP requests without the sandbox detecting and raising an exception.

urllib3==2.6.2 is correctly detected by the sandbox and creates an error as expected:

temporalio.worker.workflow_sandbox._restrictions.RestrictedWorkflowAccessError: Cannot access http.client.IncompleteRead.__mro_entries__ from inside a workflow. If this is code from a module not used in a workflow or known to only be used deterministically from a workflow, mark the import as pass through.

Minimal Reproduction

Clone https://github.com/millerick/temporal-sandbox-restriction-bug and follow instructions in the README.

Environment/Versions

This is what I was running for the minimal reproduction, but I assume it happens in all cases.

  • OS and processor: M3 Mac
  • Temporal Version: Python SDK 1.21.1

Additional context

n/a
