feature: add sandbox e2e test #7236
Adds automated Maestro tests that verify the sandbox correctly blocks unauthorized HTTP and WebSocket connections while allowing approved domains. Moves TestDeeplinkHandler to features/e2e/ domain structure.
- Native module test: verifies NativeModules proxy blocks access from non-whitelisted files
- WebView initial load test: loads blocked URL directly, asserts onError
- WebView JS navigation test: loads allowed page, attempts JS navigation to blocked URL, verifies URL didn't change via postMessage
- Simplified Maestro assertions to just check overall pass/fail
Points rainbow-scripts postinstall at the @janic/emit-close-on-blocked-ws branch of react-native-sandbox until those fixes are merged.
Security layer removed, native module test no longer applicable.
…-test # Conflicts: # src/App.tsx
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 13a7026.
| setWebViewDone(true); | ||
| }); | ||
| const syncResults = await runSandboxTests(); | ||
| setResults(syncResults); |
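Review bot: the final line, setResults(syncResults), replaces the whole results array after an await, so what ends up in state depends on whether the callback closed just above (the one calling setWebViewDone(true)) has already run. Use a functional update that merges with the previous state, or await both sources and call setResults once with the combined array, setting the done flag only at that point.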
Direct state set can overwrite webview test results
Medium Severity
setResults(syncResults) is a direct state set that overwrites the entire results array. If the Promise.all .then() callback on line 48–51 fires before runSandboxTests() resolves (e.g., under slow CI network), it sets results to wvResults and webViewDone to true. Then setResults(syncResults) overwrites results to only the sync tests — losing the webview results while webViewDone remains true. The Maestro assertion then checks only 3 of 5 expected results and may show SANDBOX_TEST_PASSED without verifying webview sandbox enforcement.
Reviewed by Cursor Bugbot for commit 13a7026.
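The ordering problem described in the comment above, replayed deterministically as an added example (not code from this PR). The result names, the state stand-in, the assumed shape of the webview callback and both gate functions are hypothetical; only the 3-of-5 count comes from the page.

```javascript
// Constructed result names: the page gives only the counts (3 sync + 2 webview = 5).
const mk = names => names.map(name => ({ name, passed: true }));
const SYNC = mk(['sync-1', 'sync-2', 'sync-3']);
const WEBVIEW = mk(['webview-initial-load', 'webview-js-navigation']);
const EXPECTED = [...SYNC, ...WEBVIEW].map(r => r.name);

// Stand-in for React's useState setters (accepts a value or an updater function).
function makeState() {
  const s = { results: [], webViewDone: false };
  s.setResults = v => { s.results = typeof v === 'function' ? v(s.results) : v; };
  s.setWebViewDone = v => { s.webViewDone = v; };
  return s;
}

// Replays the two completions in the given order, e.g. ['webview', 'sync'].
// onSync is what runs once `await runSandboxTests()` has resolved.
function replay(order, onSync) {
  const s = makeState();
  const handlers = {
    // Assumed shape of the Promise.all callback: publish results, then flag done.
    webview: () => { s.setResults(prev => [...prev, ...WEBVIEW]); s.setWebViewDone(true); },
    sync: () => onSync(s),
  };
  order.forEach(step => handlers[step]());
  return s;
}

const overwrite = s => s.setResults(SYNC);                    // pattern flagged above
const merge = s => s.setResults(prev => [...SYNC, ...prev]);  // order-independent

// Lenient gate: passes when the done flag is set and nothing present has failed.
function lenientPass(s) {
  return s.webViewDone && s.results.every(r => r.passed);
}

// Fail-closed gate: every expected test must be present and must have passed.
function strictPass(s) {
  const seen = new Map(s.results.map(r => [r.name, r.passed]));
  return s.webViewDone && EXPECTED.every(name => seen.get(name) === true);
}

const raced = replay(['webview', 'sync'], overwrite);
console.log('overwrite:', raced.results.length, lenientPass(raced), strictPass(raced));
const fixed = replay(['webview', 'sync'], merge);
console.log('merge:', fixed.results.length, strictPass(fixed));
```

Checking for the presence of every expected result, rather than the absence of failures, keeps a security e2e test from reporting success when part of the suite never contributed a result.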


What changed (plus any additional context for devs)
Adds an automated Maestro e2e test for the WebView sandbox. Triggered via the existing rainbow://e2e/<command> deeplink mechanism by adding a new sandbox-test action. TestDeeplinkHandler moves from src/components/ to src/features/e2e/ui/ alongside the new sandbox UI.

What to test
security Maestro test passes on the iOS and Android e2e shards.