fix(playground): Only auto-open sentry.io URLs, log others to console

antonis · claude · antonis · commit ec8663bb84d8 · 2026-04-02T13:42:38.000+02:00
For non-sentry.io hosts, the URL is printed to the Metro console
instead of being opened automatically, so users can decide whether
to trust it. This prevents the middleware from being used to open
arbitrary URLs while still supporting all *.sentry.io subdomains.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/packages/core/src/js/metro/openUrlMiddleware.ts b/packages/core/src/js/metro/openUrlMiddleware.ts
@@ -54,6 +54,14 @@ export async function openURLMiddleware(req: IncomingMessage, res: ServerRespons
     return;
   }
 
+  if (!isTrustedSentryHost(url)) {
+    // oxlint-disable-next-line no-console
+    console.log(`${S} Untrusted host, not opening automatically. Open manually if you trust this URL: ${url}`);
+    res.writeHead(200);
+    res.end();
+    return;
+  }
+
   if (!open) {
     // oxlint-disable-next-line no-console
     console.log(`${S} Could not open URL automatically. Open manually: ${url}`);
@@ -77,3 +85,12 @@ export async function openURLMiddleware(req: IncomingMessage, res: ServerRespons
   res.writeHead(200);
   res.end();
 }
+
+function isTrustedSentryHost(url: string): boolean {
+  try {
+    const { hostname } = new URL(url);
+    return hostname === 'sentry.io' || hostname.endsWith('.sentry.io');
+  } catch (e) {
+    return false;
+  }
+}
diff --git a/packages/core/test/tools/openUrlMiddleware.test.ts b/packages/core/test/tools/openUrlMiddleware.test.ts
@@ -77,7 +77,7 @@ describe('openURLMiddleware', () => {
     expect(res.end).toHaveBeenCalledWith(expect.stringContaining('Invalid URL scheme'));
   });
 
-  it('should open https URLs', async () => {
+  it('should open sentry.io URLs', async () => {
     const req = createRequest('POST', JSON.stringify({ url: 'https://sentry.io/issues/' }));
     const res = createResponse();
 
@@ -87,13 +87,23 @@ describe('openURLMiddleware', () => {
     expect(res.writeHead).toHaveBeenCalledWith(200);
   });
 
-  it('should open http URLs', async () => {
-    const req = createRequest('POST', JSON.stringify({ url: 'http://localhost:3000' }));
+  it('should open subdomain.sentry.io URLs', async () => {
+    const req = createRequest('POST', JSON.stringify({ url: 'https://my-org.sentry.io/issues/?project=123' }));
     const res = createResponse();
 
     await openURLMiddleware(req, res);
 
-    expect(mockOpen).toHaveBeenCalledWith('http://localhost:3000');
+    expect(mockOpen).toHaveBeenCalledWith('https://my-org.sentry.io/issues/?project=123');
+    expect(res.writeHead).toHaveBeenCalledWith(200);
+  });
+
+  it('should not auto-open non-sentry.io URLs and log to console instead', async () => {
+    const req = createRequest('POST', JSON.stringify({ url: 'https://example.com/malicious' }));
+    const res = createResponse();
+
+    await openURLMiddleware(req, res);
+
+    expect(mockOpen).not.toHaveBeenCalled();
     expect(res.writeHead).toHaveBeenCalledWith(200);
   });
 
