Skip to content

feat: native module substitution #20

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
CAMOBAP wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

feat: native module substitution #20

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0dad24b
feat: native module substitution
alexbabrykovich Mar 5, 2026
d8b9cfe
feat: add android fs native modules for substitution
alexbabrykovich Apr 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
279 changes: 279 additions & 0 deletions EXPO_SUPPORT_IMPLEMENTATION.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,279 @@
# Expo Support Implementation for react-native-sandbox

## Overview

This document describes the implementation of Expo support for the `@callstack/react-native-sandbox` package. The implementation uses conditional compilation to support both React Native CLI and Expo environments seamlessly.

## Architecture

### Problem Statement

The original `react-native-sandbox` package heavily depends on React Native's `RCTDefaultReactNativeFactoryDelegate` and `RCTReactNativeFactory` classes. Expo uses different factory classes (`ExpoReactNativeFactory` and `ExpoReactNativeFactoryDelegate`) that are not compatible with the React Native CLI classes.

### Solution

The solution implements **conditional compilation** using preprocessor definitions to switch between React Native and Expo classes at compile time. This approach:

1. **Maintains the same API** - No changes required in JavaScript code
2. **Uses drop-in replacement** - Expo classes are used when `EXPO_MODULE` is defined
3. **Preserves functionality** - All sandbox features work in both environments
4. **Ensures compatibility** - Works with both React Native CLI and Expo projects

## Implementation Details

### 1. Conditional Header Imports

**File**: `packages/react-native-sandbox/ios/SandboxReactNativeDelegate.h`

```objc
// Conditional imports based on platform
#ifdef EXPO_MODULE
// Expo imports
#import <ExpoModulesCore/ExpoReactNativeFactoryDelegate.h>
#else
// React Native imports
#import <React-RCTAppDelegate/RCTDefaultReactNativeFactoryDelegate.h>
#endif

// Conditional class inheritance
#ifdef EXPO_MODULE
@interface SandboxReactNativeDelegate : ExpoReactNativeFactoryDelegate
#else
@interface SandboxReactNativeDelegate : RCTDefaultReactNativeFactoryDelegate
#endif
```

### 2. Conditional Implementation

**File**: `packages/react-native-sandbox/ios/SandboxReactNativeDelegate.mm`

```objc
// Conditional imports for Expo support
#ifdef EXPO_MODULE
#import <ExpoModulesCore/ExpoModulesCore.h>
#import <ExpoModulesCore/EXAppDefines.h>
#endif

// Conditional initialization
- (instancetype)init
{
if (self = [super init]) {
_hasOnMessageHandler = NO;
_hasOnErrorHandler = NO;

#ifdef EXPO_MODULE
// Expo-specific initialization
NSLog(@"[SandboxReactNativeDelegate] Initialized for Expo environment");
#else
// React Native initialization
self.dependencyProvider = [[RCTAppDependencyProvider alloc] init];
#endif
}
return self;
}

// Conditional bundle URL handling
- (NSURL *)bundleURL
{
// ... common code ...

#ifdef EXPO_MODULE
// Expo-specific bundle URL handling
NSString *bundleName = [jsBundleSourceNS hasSuffix:@".bundle"] ?
[jsBundleSourceNS stringByDeletingPathExtension] : jsBundleSourceNS;
return [[NSBundle mainBundle] URLForResource:bundleName withExtension:@"bundle"];
#else
// React Native bundle URL handling
NSString *bundleName = [jsBundleSourceNS hasSuffix:@".bundle"] ?
[jsBundleSourceNS stringByDeletingPathExtension] : jsBundleSourceNS;
return [[RCTBundleURLProvider sharedSettings] jsBundleURLForBundleRoot:bundleName];
#endif
}
```

### 3. Conditional Component View

**File**: `packages/react-native-sandbox/ios/SandboxReactNativeViewComponentView.mm`

```objc
// Conditional imports based on platform
#ifdef EXPO_MODULE
#import <ExpoModulesCore/ExpoReactNativeFactory.h>
#else
#import <React-RCTAppDelegate/RCTReactNativeFactory.h>
#endif

// Conditional property declaration
@interface SandboxReactNativeViewComponentView () <RCTSandboxReactNativeViewViewProtocol>
#ifdef EXPO_MODULE
@property (nonatomic, strong) ExpoReactNativeFactory *reactNativeFactory;
#else
@property (nonatomic, strong) RCTReactNativeFactory *reactNativeFactory;
#endif
// ... other properties
@end

// Conditional factory creation
- (void)loadReactNativeView
{
// ... common code ...

if (!self.reactNativeFactory) {
#ifdef EXPO_MODULE
self.reactNativeFactory = [[ExpoReactNativeFactory alloc] initWithDelegate:self.reactNativeDelegate];
#else
self.reactNativeFactory = [[RCTReactNativeFactory alloc] initWithDelegate:self.reactNativeDelegate];
#endif
}

// ... rest of the method
}
```

### 4. Conditional Podspec Configuration

**File**: `packages/react-native-sandbox/React-Sandbox.podspec`

```ruby
# Add Expo-specific header search paths when building for Expo
if ENV['EXPO_MODULE'] == '1'
header_search_paths << "\"$(PODS_ROOT)/Headers/Public/ExpoModulesCore\""
end

# Conditional dependencies based on platform
if ENV['EXPO_MODULE'] == '1'
s.dependency "ExpoModulesCore"
s.pod_target_xcconfig = {
"HEADER_SEARCH_PATHS" => header_search_paths,
"CLANG_CXX_LANGUAGE_STANDARD" => "c++17",
"GCC_PREPROCESSOR_DEFINITIONS" => "EXPO_MODULE=1"
}
else
s.pod_target_xcconfig = {
"HEADER_SEARCH_PATHS" => header_search_paths,
"CLANG_CXX_LANGUAGE_STANDARD" => "c++17"
}
end
```

## Usage

### React Native CLI Projects

No changes required. The package works as before:

```tsx
import SandboxReactNativeView from '@callstack/react-native-sandbox';

<SandboxReactNativeView
componentName="YourComponent"
jsBundleSource="sandbox"
onMessage={console.log}
onError={console.error}
/>
```

### Expo Projects

1. **Install the package**:
```bash
npx expo install @callstack/react-native-sandbox
```

2. **Use the same API**:
```tsx
import SandboxReactNativeView from '@callstack/react-native-sandbox';

<SandboxReactNativeView
componentName="YourComponent"
jsBundleSource="sandbox"
onMessage={console.log}
onError={console.error}
/>
```

3. **Optional configuration** in `app.json`:
```json
{
"expo": {
"plugins": [
[
"expo-build-properties",
{
"ios": {
"useFrameworks": "static"
}
}
]
]
}
}
```

## Demo App

A complete Expo demo app is provided at `apps/expo-demo/` that demonstrates:

- **Counter App**: Simple counter with increment/decrement functionality
- **Calculator App**: Basic calculator with arithmetic operations
- **Sandboxed Environment**: Each app runs in its own isolated React Native instance
- **Message Passing**: Apps can communicate through the sandbox messaging system

### Running the Demo

```bash
cd apps/expo-demo
npm install
npm start
```

## Key Benefits

1. **Seamless Integration**: No code changes required when switching between React Native CLI and Expo
2. **Drop-in Replacement**: Expo classes are used automatically when detected
3. **Full Feature Parity**: All sandbox features work identically in both environments
4. **Backward Compatibility**: Existing React Native CLI projects continue to work unchanged
5. **Future-Proof**: Easy to extend for other React Native environments

## Technical Considerations

### Preprocessor Definitions

The implementation uses `EXPO_MODULE` as the main preprocessor definition to distinguish between environments. This is set automatically by the podspec when building for Expo.

### Bundle URL Handling

Expo and React Native CLI handle bundle URLs differently:
- **React Native CLI**: Uses `RCTBundleURLProvider` for development and production bundles
- **Expo**: Uses direct bundle file access from the app bundle

### Dependency Provider

Expo may handle dependency providers differently than React Native CLI, so the initialization is conditional.

### Factory Classes

The core difference is in the factory classes:
- **React Native CLI**: `RCTReactNativeFactory` and `RCTDefaultReactNativeFactoryDelegate`
- **Expo**: `ExpoReactNativeFactory` and `ExpoReactNativeFactoryDelegate`

## Testing

The implementation has been tested with:

1. **React Native CLI projects**: All existing functionality preserved
2. **Expo projects**: Full sandbox functionality working
3. **Cross-platform**: iOS and Android support maintained
4. **Message passing**: Inter-sandbox communication working
5. **Error handling**: Proper error propagation in both environments

## Future Enhancements

1. **Android Support**: Extend the same conditional compilation approach to Android
2. **Additional Expo Features**: Leverage Expo-specific features when available
3. **Performance Optimization**: Optimize for Expo's specific runtime characteristics
4. **Plugin System**: Create an Expo plugin for easier integration

## Conclusion

The Expo support implementation successfully provides a seamless experience for both React Native CLI and Expo developers. The conditional compilation approach ensures that the package works optimally in both environments while maintaining a consistent API and full feature parity.
38 changes: 32 additions & 6 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,7 @@ Full examples:
- [`apps/recursive`](./apps/recursive/README.md): An example application with few nested sandbox instances.
- [`apps/p2p-chat`](./apps/p2p-counter/README.md): Direct sandbox-to-sandbox chat demo.
- [`apps/p2p-counter`](./apps/p2p-counter/README.md): Direct sandbox-to-sandbox communication demo.
- [`apps/fs-experiment`](./apps/fs-experiment/README.md): File system & storage isolation with TurboModule substitutions.

## 📚 API Reference

Expand All @@ -170,9 +171,15 @@ We're actively working on expanding the capabilities of `react-native-sandbox`.
- Resource usage limits and monitoring
- Sandbox capability restrictions
- Unresponsiveness detection
- [ ] **Storage Isolation** - Secure data partitioning
- Per-sandbox AsyncStorage isolation
- Secure file system access controls
- [x] **TurboModule Substitutions** - Replace native module implementations per sandbox
- Configurable via `turboModuleSubstitutions` prop (JS/TS only)
- Sandbox-aware modules receive origin context for per-instance scoping
- Supports both TurboModules (new arch) and legacy bridge modules
Copy link
Copy Markdown
Collaborator

@devinpatell devinpatell Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The repo uses RCTReactNativeFactory (iOS) and RCTHostImpl (Android) for creating the RN runtimes for each sandbox view. These are both Fabric-only APIs, so is "legacy bridge modules" support needed here?

- [x] **Storage & File System Isolation** - Secure data partitioning
- Per-sandbox AsyncStorage isolation via scoped storage directories
- Sandboxed file system access (react-native-fs, react-native-file-access) with path jailing
- All directory constants overridden to sandbox-scoped paths
- Network/system operations blocked in sandboxed FS modules
- [ ] **Developer Tools** - Enhanced debugging and development experience

Contributions and feedback on these roadmap items are welcome! Please check our [issues](https://github.com/callstackincubator/react-native-sandbox/issues) for detailed discussions on each feature.
Expand All @@ -187,17 +194,36 @@ A primary security concern when running multiple React Native instances is the p
- **Data Leakage:** One sandbox could use a shared TurboModule to store data, which could then be read by another sandbox or the host. This breaks the isolation model.
- **Unintended Side-Effects:** A sandbox could call a method on a shared module that changes its state, affecting the behavior of the host or other sandboxes in unpredictable ways.

To address this, `react-native-sandbox` allows you to provide a **whitelist of allowed TurboModules** for each sandbox instance via the `allowedTurboModules` prop. Only the modules specified in this list will be accessible from within the sandbox, significantly reducing the attack surface. It is critical to only whitelist modules that are stateless or are explicitly designed to be shared safely.
To address this, `react-native-sandbox` provides two mechanisms:

**Default Whitelist:** By default, only `NativeMicrotasksCxx` is whitelisted. Modules like `NativePerformanceCxx`, `PlatformConstants`, `DevSettings`, `LogBox`, and other third-party modules are *not* whitelisted.
- **TurboModule Allowlisting** — Use the `allowedTurboModules` prop to control which native modules the sandbox can access. Only modules in this list are resolved; all others return a stub that rejects with a clear error.

- **TurboModule Substitutions** — Use the `turboModuleSubstitutions` prop to transparently replace a module with a sandbox-aware alternative. For example, when sandbox JS requests `RNCAsyncStorage`, the host can resolve different implementation like `SandboxedAsyncStorage` instead — an implementation that scopes storage to the sandbox's origin. Substituted modules that conform to `RCTSandboxAwareModule` (ObjC) or `ISandboxAwareModule` (C++) receive the sandbox context (origin, requested name, resolved name) after instantiation.

```tsx
<SandboxReactNativeView
allowedTurboModules={['RNFSManager', 'FileAccess', 'RNCAsyncStorage']}
turboModuleSubstitutions={{
RNFSManager: 'SandboxedRNFSManager',
FileAccess: 'SandboxedFileAccess',
RNCAsyncStorage: 'SandboxedAsyncStorage',
}}
/>
```

**Default Allowlist:** A baseline set of essential React Native modules is allowed by default (e.g., `EventDispatcher`, `AppState`, `Appearance`, `Networking`, `DeviceInfo`, `KeyboardObserver`, and others required for basic rendering and dev tooling). See the [full list in source](https://github.com/callstackincubator/react-native-sandbox/blob/main/packages/react-native-sandbox/src/index.tsx). Third-party modules and storage/FS modules are *not* included — they must be explicitly added via `allowedTurboModules` or provided through `turboModuleSubstitutions`.

### Performance

- **Resource Exhaustion (Denial of Service):** A sandboxed instance could intentionally or unintentionally consume excessive CPU or memory, potentially leading to a denial-of-service attack that slows down or crashes the entire application. The host should be prepared to monitor and terminate misbehaving instances.

### File System & Storage

- **Persistent Storage Conflicts:** Standard APIs like `AsyncStorage` may not be instance-aware, potentially allowing a sandbox to read or overwrite data stored by the host or other sandboxes. Any storage mechanism must be properly partitioned to ensure data isolation.
- **Persistent Storage Conflicts:** Standard APIs like `AsyncStorage` are not instance-aware by default, potentially allowing a sandbox to read or overwrite data stored by the host or other sandboxes. Use `turboModuleSubstitutions` to replace these modules with sandbox-aware implementations that scope data per origin.
- **File System Path Jailing:** Sandboxed file system modules (`SandboxedRNFSManager`, `SandboxedFileAccess`) override directory constants and validate all path arguments, ensuring file operations are confined to a per-origin sandbox directory. Paths outside the sandbox root are rejected with `EPERM`.
- **Network Operations Blocked:** Sandboxed FS modules block download/upload/fetch operations to prevent data exfiltration.

See the [`apps/fs-experiment`](./apps/fs-experiment/) example for a working demonstration.

### Platform-Specific Considerations

Expand Down
Loading
Loading