fix(playground): Harden open-url middleware and add tests

- Return 405 for non-POST requests instead of hanging
- Validate URL scheme (http/https only)
- Improve error messages when `open` package is unavailable
- Fix inconsistent oxlint disable comments
- Add tests for openURLMiddleware and open-url routing

Co-Authored-By: Krystof Woldrich <krystofwoldrich@gmail.com>

Author: antonis

packages/core/src/js/metro/openUrlMiddleware.ts

@@ -15,6 +15,12 @@ let open: ((url: string) => Promise<void>) | undefined = undefined;
  * Inspired by https://github.com/react-native-community/cli/blob/a856ce027a6b25f9363a8689311cdd4416c0fc89/packages/cli-server-api/src/openURLMiddleware.ts#L17
  */
 export async function openURLMiddleware(req: IncomingMessage, res: ServerResponse): Promise<void> {
+  if (req.method !== 'POST') {
+    res.writeHead(405);
+    res.end('Method not allowed. Use POST.');
+    return;
+  }
+
   if (!open) {
     try {
       // oxlint-disable-next-line import/no-extraneous-dependencies
@@ -24,48 +30,50 @@ export async function openURLMiddleware(req: IncomingMessage, res: ServerRespons
     }
   }
 
-  if (req.method === 'POST') {
-    const body = await getRawBody(req);
-    let url: string | undefined = undefined;
-
-    try {
-      const parsedBody = JSON.parse(body) as { url?: string };
-      url = parsedBody.url;
-    } catch (e) {
-      res.writeHead(400);
-      res.end('Invalid request body. Expected a JSON object with a url key.');
-      return;
-    }
-
-    try {
-      if (!url) {
-        res.writeHead(400);
-        res.end('Invalid request body. Expected a JSON object with a url key.');
-        return;
-      }
+  const body = await getRawBody(req);
+  let url: string | undefined = undefined;
 
-      if (!open) {
-        throw new Error('The "open" module is not available.');
-      }
+  try {
+    const parsedBody = JSON.parse(body) as { url?: string };
+    url = parsedBody.url;
+  } catch (e) {
+    res.writeHead(400);
+    res.end('Invalid request body. Expected a JSON object with a url key.');
+    return;
+  }
 
-      await open(url);
-    } catch (e) {
-      // oxlint-disable-next-line no-console
-      console.log(`${S} Open: ${url}`);
+  if (!url) {
+    res.writeHead(400);
+    res.end('Invalid request body. Expected a JSON object with a url key.');
+    return;
+  }
 
-      res.writeHead(500);
+  if (!url.startsWith('https://') && !url.startsWith('http://')) {
+    res.writeHead(400);
+    res.end('Invalid URL scheme. Only http:// and https:// URLs are allowed.');
+    return;
+  }
 
-      if (!open) {
-        res.end('Failed to open URL. The "open" module is not available.');
-      } else {
-        res.end('Failed to open URL.');
-      }
-      return;
-    }
+  if (!open) {
+    // oxlint-disable-next-line no-console
+    console.log(`${S} Could not open URL automatically. Open manually: ${url}`);
+    res.writeHead(500);
+    res.end('Failed to open URL. The "open" package is not available. Install it or open the URL manually.');
+    return;
+  }
 
-    // eslint-disable-next-line no-console
-    console.log(`${S} Opened URL: ${url}`);
-    res.writeHead(200);
-    res.end();
+  try {
+    await open(url);
+  } catch (e) {
+    // oxlint-disable-next-line no-console
+    console.log(`${S} Failed to open URL automatically. Open manually: ${url}`);
+    res.writeHead(500);
+    res.end('Failed to open URL.');
+    return;
   }
+
+  // oxlint-disable-next-line no-console
+  console.log(`${S} Opened URL: ${url}`);
+  res.writeHead(200);
+  res.end();
 }

packages/core/test/tools/metroMiddleware.test.ts

@@ -3,6 +3,7 @@ import type { StackFrame } from '@sentry/core';
 import { afterEach, beforeEach, describe, expect, it, jest } from '@jest/globals';
 import * as fs from 'fs';
 
+import * as openUrlMiddlewareModule from '../../src/js/metro/openUrlMiddleware';
 import * as metroMiddleware from '../../src/js/tools/metroMiddleware';
 
 const { withSentryMiddleware, createSentryMetroMiddleware, stackFramesContextMiddleware } = metroMiddleware;
@@ -83,6 +84,24 @@ describe('metroMiddleware', () => {
       expect(spiedStackFramesContextMiddleware).toHaveBeenCalledWith(sentryRequest, response, next);
     });
 
+    it('should call openURLMiddleware for sentry open-url requests', () => {
+      const spiedOpenURLMiddleware = jest
+        .spyOn(openUrlMiddlewareModule, 'openURLMiddleware')
+        .mockReturnValue(undefined as any);
+
+      const testedMiddleware = createSentryMetroMiddleware(defaultMiddleware);
+
+      const openUrlRequest = {
+        url: '/__sentry/open-url',
+      } as any;
+      testedMiddleware(openUrlRequest, response, next);
+      expect(defaultMiddleware).not.toHaveBeenCalled();
+      expect(spiedStackFramesContextMiddleware).not.toHaveBeenCalled();
+      expect(spiedOpenURLMiddleware).toHaveBeenCalledWith(openUrlRequest, response);
+
+      spiedOpenURLMiddleware.mockRestore();
+    });
+
     it('should call default middleware for non-sentry requests', () => {
       const testedMiddleware = createSentryMetroMiddleware(defaultMiddleware);
 

packages/core/test/tools/openUrlMiddleware.test.ts

@@ -0,0 +1,109 @@
+import { describe, expect, it, jest, beforeEach, afterEach } from '@jest/globals';
+
+import { openURLMiddleware } from '../../src/js/metro/openUrlMiddleware';
+
+jest.mock('../../src/js/metro/openUrlMiddleware', () => jest.requireActual('../../src/js/metro/openUrlMiddleware'));
+
+let mockOpen: jest.Mock | undefined;
+
+jest.mock('open', () => {
+  mockOpen = jest.fn().mockResolvedValue(undefined);
+  return mockOpen;
+});
+
+function createRequest(method: string, body: string) {
+  return {
+    method,
+    on: jest.fn((event: string, cb: (data?: string) => void) => {
+      if (event === 'data') {
+        cb(body);
+      } else if (event === 'end') {
+        cb();
+      }
+    }),
+  } as any;
+}
+
+function createResponse() {
+  return {
+    writeHead: jest.fn(),
+    end: jest.fn(),
+  } as any;
+}
+
+describe('openURLMiddleware', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  afterEach(() => {
+    jest.restoreAllMocks();
+  });
+
+  it('should return 405 for non-POST requests', async () => {
+    const req = createRequest('GET', '');
+    const res = createResponse();
+
+    await openURLMiddleware(req, res);
+
+    expect(res.writeHead).toHaveBeenCalledWith(405);
+  });
+
+  it('should return 400 for invalid JSON body', async () => {
+    const req = createRequest('POST', 'not json');
+    const res = createResponse();
+
+    await openURLMiddleware(req, res);
+
+    expect(res.writeHead).toHaveBeenCalledWith(400);
+  });
+
+  it('should return 400 for missing url in body', async () => {
+    const req = createRequest('POST', '{}');
+    const res = createResponse();
+
+    await openURLMiddleware(req, res);
+
+    expect(res.writeHead).toHaveBeenCalledWith(400);
+  });
+
+  it('should return 400 for non-http URL schemes', async () => {
+    const req = createRequest('POST', JSON.stringify({ url: 'file:///etc/passwd' }));
+    const res = createResponse();
+
+    await openURLMiddleware(req, res);
+
+    expect(res.writeHead).toHaveBeenCalledWith(400);
+    expect(res.end).toHaveBeenCalledWith(expect.stringContaining('Invalid URL scheme'));
+  });
+
+  it('should open https URLs', async () => {
+    const req = createRequest('POST', JSON.stringify({ url: 'https://sentry.io/issues/' }));
+    const res = createResponse();
+
+    await openURLMiddleware(req, res);
+
+    expect(mockOpen).toHaveBeenCalledWith('https://sentry.io/issues/');
+    expect(res.writeHead).toHaveBeenCalledWith(200);
+  });
+
+  it('should open http URLs', async () => {
+    const req = createRequest('POST', JSON.stringify({ url: 'http://localhost:3000' }));
+    const res = createResponse();
+
+    await openURLMiddleware(req, res);
+
+    expect(mockOpen).toHaveBeenCalledWith('http://localhost:3000');
+    expect(res.writeHead).toHaveBeenCalledWith(200);
+  });
+
+  it('should return 500 when open fails', async () => {
+    mockOpen!.mockRejectedValueOnce(new Error('open failed'));
+    const req = createRequest('POST', JSON.stringify({ url: 'https://sentry.io/' }));
+    const res = createResponse();
+
+    await openURLMiddleware(req, res);
+
+    expect(res.writeHead).toHaveBeenCalledWith(500);
+  });
+});