Skip to content

fix(sandbox): INS-2464 additional checks #9924

Open
kwburns-kong wants to merge 6 commits into
developfrom
sec/sandbox-dynamic-property
Open

fix(sandbox): INS-2464 additional checks #9924
kwburns-kong wants to merge 6 commits into
developfrom
sec/sandbox-dynamic-property

Conversation

@kwburns-kong
Copy link
Copy Markdown
Contributor

@kwburns-kong kwburns-kong commented May 14, 2026

This PR adds a resolution for INS-2464, increases the existing unit test count and optimizes existing sandbox smoke test.

@kwburns-kong kwburns-kong requested a review from ihexxa May 14, 2026 19:17
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 14, 2026
edited
Loading

✅ Circular References Report

Generated at: 2026-05-14T21:13:34.312Z
Status: ✅ NO CHANGE

Summary

Metric Base (develop) PR Change
Total Circular References 19 19 0 (0.00%)
Click to view all circular references in PR (19) 
insomnia-inso/src/db/models/types.ts -> insomnia-inso/src/db/types.ts
insomnia-scripting-environment/src/objects/index.ts -> insomnia-scripting-environment/src/objects/collection.ts -> insomnia-scripting-environment/src/objects/response.ts -> insomnia/src/network/network.ts
insomnia-scripting-environment/src/objects/index.ts -> insomnia-scripting-environment/src/objects/collection.ts -> insomnia-scripting-environment/src/objects/response.ts -> insomnia/src/network/network.ts -> insomnia/src/network/cancellation.ts
insomnia-scripting-environment/src/objects/index.ts -> insomnia-scripting-environment/src/objects/collection.ts -> insomnia-scripting-environment/src/objects/response.ts -> insomnia/src/network/network.ts -> insomnia/src/network/cancellation.ts -> insomnia/src/script-executor.ts
insomnia-scripting-environment/src/objects/index.ts -> insomnia-scripting-environment/src/objects/collection.ts -> insomnia-scripting-environment/src/objects/response.ts -> insomnia/src/network/network.ts -> insomnia/src/network/cancellation.ts -> insomnia/src/script-executor.ts -> insomnia/src/scripting/require-interceptor.ts
insomnia-scripting-environment/src/objects/index.ts -> insomnia-scripting-environment/src/objects/collection.ts -> insomnia-scripting-environment/src/objects/response.ts -> insomnia/src/network/network.ts -> insomnia/src/network/concurrency.ts
insomnia/src/network/network.ts -> insomnia/src/common/render.ts
insomnia/src/network/network.ts -> insomnia/src/common/render.ts -> insomnia/src/templating/index.ts -> insomnia/src/plugins/index.ts -> insomnia/src/plugins/context/app.ts -> insomnia/src/templating/types.ts -> insomnia/src/plugins/context/network.ts
insomnia/src/network/network.ts -> insomnia/src/main/network/get-auth-header.ts -> insomnia/src/main/network/o-auth-2/get-token.ts
insomnia/src/plugins/index.ts -> insomnia/src/plugins/context/app.ts -> insomnia/src/templating/types.ts -> insomnia/src/plugins/context/store.ts
insomnia/src/plugins/index.ts -> insomnia/src/plugins/misc.ts
insomnia/src/templating/base-extension-worker.ts -> insomnia/src/templating/worker.ts
insomnia/src/templating/index.ts -> insomnia/src/templating/base-extension.ts
insomnia/src/templating/types.ts -> insomnia/src/plugins/context/network.ts
insomnia/src/templating/types.ts -> insomnia/src/templating/utils.ts
insomnia/src/ui/components/settings/import-export.tsx -> insomnia/src/ui/components/modals/export-requests-modal.tsx
insomnia/src/ui/components/tabs/tab-list.tsx -> insomnia/src/ui/components/tabs/tab.tsx
insomnia/src/ui/components/templating/tag-editor-arg-sub-form.tsx -> insomnia/src/ui/components/templating/external-vault/external-vault-form.tsx
insomnia/src/ui/components/viewers/response-viewer.tsx -> insomnia/src/ui/components/viewers/response-multipart-viewer.tsx
Click to view all circular references in base branch (19) 
insomnia-inso/src/db/models/types.ts -> insomnia-inso/src/db/types.ts
insomnia-scripting-environment/src/objects/index.ts -> insomnia-scripting-environment/src/objects/collection.ts -> insomnia-scripting-environment/src/objects/response.ts -> insomnia/src/network/network.ts
insomnia-scripting-environment/src/objects/index.ts -> insomnia-scripting-environment/src/objects/collection.ts -> insomnia-scripting-environment/src/objects/response.ts -> insomnia/src/network/network.ts -> insomnia/src/network/cancellation.ts
insomnia-scripting-environment/src/objects/index.ts -> insomnia-scripting-environment/src/objects/collection.ts -> insomnia-scripting-environment/src/objects/response.ts -> insomnia/src/network/network.ts -> insomnia/src/network/cancellation.ts -> insomnia/src/script-executor.ts
insomnia-scripting-environment/src/objects/index.ts -> insomnia-scripting-environment/src/objects/collection.ts -> insomnia-scripting-environment/src/objects/response.ts -> insomnia/src/network/network.ts -> insomnia/src/network/cancellation.ts -> insomnia/src/script-executor.ts -> insomnia/src/scripting/require-interceptor.ts
insomnia-scripting-environment/src/objects/index.ts -> insomnia-scripting-environment/src/objects/collection.ts -> insomnia-scripting-environment/src/objects/response.ts -> insomnia/src/network/network.ts -> insomnia/src/network/concurrency.ts
insomnia/src/network/network.ts -> insomnia/src/common/render.ts
insomnia/src/network/network.ts -> insomnia/src/common/render.ts -> insomnia/src/templating/index.ts -> insomnia/src/plugins/index.ts -> insomnia/src/plugins/context/app.ts -> insomnia/src/templating/types.ts -> insomnia/src/plugins/context/network.ts
insomnia/src/network/network.ts -> insomnia/src/main/network/get-auth-header.ts -> insomnia/src/main/network/o-auth-2/get-token.ts
insomnia/src/plugins/index.ts -> insomnia/src/plugins/context/app.ts -> insomnia/src/templating/types.ts -> insomnia/src/plugins/context/store.ts
insomnia/src/plugins/index.ts -> insomnia/src/plugins/misc.ts
insomnia/src/templating/base-extension-worker.ts -> insomnia/src/templating/worker.ts
insomnia/src/templating/index.ts -> insomnia/src/templating/base-extension.ts
insomnia/src/templating/types.ts -> insomnia/src/plugins/context/network.ts
insomnia/src/templating/types.ts -> insomnia/src/templating/utils.ts
insomnia/src/ui/components/settings/import-export.tsx -> insomnia/src/ui/components/modals/export-requests-modal.tsx
insomnia/src/ui/components/tabs/tab-list.tsx -> insomnia/src/ui/components/tabs/tab.tsx
insomnia/src/ui/components/templating/tag-editor-arg-sub-form.tsx -> insomnia/src/ui/components/templating/external-vault/external-vault-form.tsx
insomnia/src/ui/components/viewers/response-viewer.tsx -> insomnia/src/ui/components/viewers/response-multipart-viewer.tsx

Analysis

No Change: This PR does not introduce or remove any circular references.

This report was generated automatically by comparing against the develop branch.

@kwburns-kong kwburns-kong enabled auto-merge (squash) May 14, 2026 21:09
ihexxa
ihexxa reviewed May 21, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@ihexxa ihexxa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was occupied by some other stuff.. but will accelerate to review this.. 🏃

Comment thread packages/insomnia/src/scripting/sandbox.ts
({ names: maskNames, values: maskValues } = alwaysOnPolicy.buildMaskScope(checkSandboxViolations));
}

// Wrap eval so user-supplied source is checked and then evaluated in a scope that inherits the same masked bindings as the outer sandbox.
Copy link
Copy Markdown
Contributor

@ihexxa ihexxa May 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will we also cover expressions like const sum = new Function('a', 'b', 'return a + b');, or composition of them?

Comment thread packages/insomnia/src/scripting/sandbox.ts
ihexxa
ihexxa reviewed May 28, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@ihexxa ihexxa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just several comments and questions.

Comment thread packages/insomnia/src/scripting/sandbox.ts
@@ -106,36 +151,22 @@
};

walk.simple(tree, {
Copy link
Copy Markdown
Contributor

@ihexxa ihexxa May 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will it also collect names that blocked ones which alias are assigned after? e.g:

const b = a;            // ← a not yet in blocked → b is missed
const a = globalThis;   // ← a added here
b.require('...');       // ← NOT blocked

Comment thread packages/insomnia/src/scripting/sandbox.ts
Comment thread packages/insomnia/src/scripting/sandbox.ts
}
// We should evenutally drop non-valid JavaScript.
if (!tree) {
// throw new Error();
Copy link
Copy Markdown
Contributor

@ihexxa ihexxa May 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could the script be higher version (e,g., ecmaVersion 2025) which works but can't be parsed, then it is returned here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ihexxa ihexxa ihexxa left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kwburns-kong @ihexxa