Feat/eval js

[olesho]

• Added endpoint to evaluate JS (primarily for as a verification for benchmarks)

Summary by CodeRabbit

Release Notes

• New Features
  • Added /page/execute API endpoint to execute JavaScript code within browser tabs
  • Supports dynamic code evaluation with options for asynchronous operations and return value handling
  • Includes execution logging and exception reporting for error tracking

[coderabbitai]

Walkthrough

Two new methods enable JavaScript execution via API: executeJavaScript(payload) in APIServer validates required fields and delegates to BrowserAgentServer's evaluateJavaScript(tabId, expression, options), which executes code in browser tabs using Chrome DevTools Protocol's Runtime.evaluate API.

Changes

Cohort / File(s)	Summary
JavaScript Execution API Endpoint agent-server/nodejs/src/api-server.js	Added /page/execute POST endpoint that accepts execution payloads. Delegates to new executeJavaScript(payload) method for validation and orchestration. Returns structured response with clientId, tabId, result, exceptionDetails, and timestamp. (Note: Duplicate method declaration detected in file)
Browser Agent Evaluation agent-server/nodejs/src/lib/BrowserAgentServer.js	Added async evaluateJavaScript(tabId, expression, options = {}) method to execute JavaScript in browser tabs via Chrome DevTools Protocol Runtime.evaluate. Supports returnByValue and awaitPromise options, includes logging, exception handling, and returns result with extracted values.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant APIServer
    participant BrowserAgentServer
    participant CDP as Chrome DevTools<br/>Protocol

    Client->>APIServer: POST /page/execute<br/>{clientId, tabId, expression}
    APIServer->>APIServer: Validate fields
    APIServer->>APIServer: Log execution attempt
    APIServer->>BrowserAgentServer: evaluateJavaScript(tabId, expression, options)
    BrowserAgentServer->>CDP: Runtime.evaluate(expression)
    CDP-->>BrowserAgentServer: result / exceptionDetails
    BrowserAgentServer->>BrowserAgentServer: Extract result value<br/>Log outcome
    BrowserAgentServer-->>APIServer: {tabId, result, exceptionDetails}
    APIServer-->>Client: {clientId, tabId, result,<br/>exceptionDetails, timestamp}

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Duplicate method declaration: The executeJavaScript method is declared twice in api-server.js; verify whether this is intentional or requires consolidation.
• Field validation logic: Ensure validation of clientId, tabId, and expression covers all edge cases.
• Error handling paths: Verify exception handling and logging are consistent between both methods.
• CDP integration: Confirm Runtime.evaluate options and response extraction logic align with CDP specification.

Poem

🐰 JavaScript hops through new gates,
Express-bound execution delegates!
From API to browser it flies,
Chrome's runtime evaluates and replies—
Code bounces back with results so fine! 🚀

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Feat/eval js' is vague and uses abbreviated, non-descriptive language that lacks specificity about what the change accomplishes.	Use a more descriptive title like 'Add JavaScript evaluation endpoint for benchmarking' that clearly conveys the main change and purpose.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/eval-js

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e387e90 and f5642d3.

📒 Files selected for processing (2)

• agent-server/nodejs/src/api-server.js (2 hunks)
• agent-server/nodejs/src/lib/BrowserAgentServer.js (1 hunks)

🧰 Additional context used

🪛 ESLint

agent-server/nodejs/src/lib/BrowserAgentServer.js

[error] 1225-1225: There must be no hyphen before @param description.

(jsdoc/require-hyphen-before-param-description)

---

[error] 1226-1226: There must be no hyphen before @param description.

(jsdoc/require-hyphen-before-param-description)

---

[error] 1227-1227: There must be no hyphen before @param description.

(jsdoc/require-hyphen-before-param-description)

---

[error] 1228-1228: There must be no hyphen before @param description.

(jsdoc/require-hyphen-before-param-description)

---

[error] 1229-1229: There must be no hyphen before @param description.

(jsdoc/require-hyphen-before-param-description)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: claude-review

🔇 Additional comments (1)

agent-server/nodejs/src/api-server.js (1)

150-156: /page/execute route is consistent with existing endpoints

The new /page/execute case follows the same structure as the other POST-only routes (/tabs/open, /tabs/close, /page/content, /page/screenshot) and delegates cleanly to executeJavaScript(JSON.parse(body)). No issues from a routing/flow perspective.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Validate expression as a non-empty string to avoid runtime errors

executeJavaScript assumes expression is a string (expression.substring(0, 100)) but currently only checks truthiness. A caller passing a non-string (e.g., object/number) will hit a runtime error and a 500 response without a clear validation message.

You can tighten validation and keep logging safe with:

   async executeJavaScript(payload) {
     const { clientId, tabId, expression, returnByValue = true, awaitPromise = false } = payload;

     if (!clientId) {
       throw new Error('Client ID is required');
     }

     if (!tabId) {
       throw new Error('Tab ID is required');
     }

-    if (!expression) {
-      throw new Error('JavaScript expression is required');
-    }
+    if (typeof expression !== 'string' || expression.trim() === '') {
+      throw new Error('JavaScript expression must be a non-empty string');
+    }

     const baseClientId = clientId.split(':')[0];

     logger.info('Executing JavaScript', { baseClientId, tabId, expression: expression.substring(0, 100) });

     const result = await this.browserAgentServer.evaluateJavaScript(tabId, expression, { returnByValue, awaitPromise });

     return {
       clientId: baseClientId,
       tabId: result.tabId,
       result: result.result,
       exceptionDetails: result.exceptionDetails,
       timestamp: Date.now()
     };
   }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	async executeJavaScript(payload) {
	const { clientId, tabId, expression, returnByValue = true, awaitPromise = false } = payload;
	if (!clientId) {
	throw new Error('Client ID is required');
	}
	if (!tabId) {
	throw new Error('Tab ID is required');
	}
	if (!expression) {
	throw new Error('JavaScript expression is required');
	}
	const baseClientId = clientId.split(':')[0];
	logger.info('Executing JavaScript', { baseClientId, tabId, expression: expression.substring(0, 100) });
	const result = await this.browserAgentServer.evaluateJavaScript(tabId, expression, { returnByValue, awaitPromise });
	return {
	clientId: baseClientId,
	tabId: result.tabId,
	result: result.result,
	exceptionDetails: result.exceptionDetails,
	timestamp: Date.now()
	};
	}
	async executeJavaScript(payload) {
	const { clientId, tabId, expression, returnByValue = true, awaitPromise = false } = payload;
	if (!clientId) {
	throw new Error('Client ID is required');
	}
	if (!tabId) {
	throw new Error('Tab ID is required');
	}
	if (typeof expression !== 'string' || expression.trim() === '') {
	throw new Error('JavaScript expression must be a non-empty string');
	}
	const baseClientId = clientId.split(':')[0];
	logger.info('Executing JavaScript', { baseClientId, tabId, expression: expression.substring(0, 100) });
	const result = await this.browserAgentServer.evaluateJavaScript(tabId, expression, { returnByValue, awaitPromise });
	return {
	clientId: baseClientId,
	tabId: result.tabId,
	result: result.result,
	exceptionDetails: result.exceptionDetails,
	timestamp: Date.now()
	};
	}

🤖 Prompt for AI Agents

In agent-server/nodejs/src/api-server.js around lines 347 to 375, the code only
checks expression for truthiness but then calls expression.substring, which will
throw if expression is not a string; update validation to require typeof
expression === 'string' and that expression.trim().length > 0, and throw a clear
Error if not; when logging the expression preview, guard against non-strings by
using a safe conversion (e.g., String(expression).substring(0,100) or
JSON.stringify with try/catch) so logging never triggers a runtime error;
finally ensure the value passed to this.browserAgentServer.evaluateJavaScript is
the validated string.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix JSDoc hyphen lint error and harden expression handling

Two small issues here:

1. JSDoc / ESLint error
   The jsdoc/require-hyphen-before-param-description rule is complaining because of the - before the descriptions (Lines [1225]-[1229]). The rest of the file seems to follow the “no hyphen” style.

   You can fix it with:

   /**
    * Execute JavaScript in a browser tab
   - * @param {string} tabId - Tab ID (target ID)
   - * @param {string} expression - JavaScript expression to execute
   - * @param {Object} options - Execution options
   - * @param {boolean} options.returnByValue - Whether to return by value (default: true)
   - * @param {boolean} options.awaitPromise - Whether to await promises (default: false)

• • @param {string} tabId Tab ID (target ID)
• • @param {string} expression JavaScript expression to execute
• • @param {Object} options Execution options
• • @param {boolean} options.returnByValue Whether to return by value (default: true)
• • @param {boolean} options.awaitPromise Whether to await promises (default: false)
  • @returns {Promise} Result with execution result
    */

    
    2. **Guard against non-string expressions**  
    This public method assumes `expression` is a string (`expression.length` and CDP `Runtime.evaluate`). If someone calls it programmatically with a non-string, you’ll get a runtime error before the CDP call. A lightweight guard keeps failures predictable and aligns with the JSDoc contract:
    
    ```diff
    async evaluateJavaScript(tabId, expression, options = {}) {
    -    const { returnByValue = true, awaitPromise = false } = options;
    +    const { returnByValue = true, awaitPromise = false } = options;
    +
    +    if (typeof expression !== 'string') {
    +      throw new Error('expression must be a string');
    +    }
    

    📝 Committable suggestion

    ‼️ IMPORTANT
    Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

    Suggested change

    	/**
    	* Execute JavaScript in a browser tab
    	* @param {string} tabId - Tab ID (target ID)
    	* @param {string} expression - JavaScript expression to execute
    	* @param {Object} options - Execution options
    	* @param {boolean} options.returnByValue - Whether to return by value (default: true)
    	* @param {boolean} options.awaitPromise - Whether to await promises (default: false)
    	* @returns {Promise<Object>} Result with execution result
    	*/
    	async evaluateJavaScript(tabId, expression, options = {}) {
    	const { returnByValue = true, awaitPromise = false } = options;
    	try {
    	logger.info('Executing JavaScript via CDP', { tabId, expressionLength: expression.length });
    	// Use Runtime.evaluate to execute JavaScript
    	const result = await this.sendCDPCommandToTarget(tabId, 'Runtime.evaluate', {
    	expression,
    	returnByValue,
    	awaitPromise
    	});
    	if (result.exceptionDetails) {
    	logger.warn('JavaScript execution threw exception', {
    	tabId,
    	exception: result.exceptionDetails
    	});
    	} else {
    	logger.info('JavaScript executed successfully', {
    	tabId,
    	resultType: result.result?.type
    	});
    	}
    	// Extract value from CDP RemoteObject
    	// CDP returns RemoteObject with structure: {type: 'string', value: 'foo'}
    	// For undefined/null, CDP returns: {type: 'undefined'} or {type: 'null', value: null}
    	// We need to check if 'value' property exists, not if it's undefined
    	let extractedResult;
    	if (result.result) {
    	if ('value' in result.result) {
    	// RemoteObject has a value field - extract it
    	extractedResult = result.result.value;
    	} else if (result.result.type === 'undefined') {
    	// Special case: undefined has no value field
    	extractedResult = undefined;
    	} else {
    	// For objects/functions without returnByValue, return the whole RemoteObject
    	extractedResult = result.result;
    	}
    	} else {
    	extractedResult = result.result;
    	}
    	return {
    	tabId,
    	result: extractedResult,
    	exceptionDetails: result.exceptionDetails
    	};
    	} catch (error) {
    	logger.error('Failed to execute JavaScript via CDP', {
    	tabId,
    	error: error.message
    	});
    	throw error;
    	}
    	}
    	/**
    	* Execute JavaScript in a browser tab
    	* @param {string} tabId Tab ID (target ID)
    	* @param {string} expression JavaScript expression to execute
    	* @param {Object} options Execution options
    	* @param {boolean} options.returnByValue Whether to return by value (default: true)
    	* @param {boolean} options.awaitPromise Whether to await promises (default: false)
    	* @returns {Promise<Object>} Result with execution result
    	*/
    	async evaluateJavaScript(tabId, expression, options = {}) {
    	const { returnByValue = true, awaitPromise = false } = options;
    	if (typeof expression !== 'string') {
    	throw new Error('expression must be a string');
    	}
    	try {
    	logger.info('Executing JavaScript via CDP', { tabId, expressionLength: expression.length });
    	// Use Runtime.evaluate to execute JavaScript
    	const result = await this.sendCDPCommandToTarget(tabId, 'Runtime.evaluate', {
    	expression,
    	returnByValue,
    	awaitPromise
    	});
    	if (result.exceptionDetails) {
    	logger.warn('JavaScript execution threw exception', {
    	tabId,
    	exception: result.exceptionDetails
    	});
    	} else {
    	logger.info('JavaScript executed successfully', {
    	tabId,
    	resultType: result.result?.type
    	});
    	}
    	// Extract value from CDP RemoteObject
    	// CDP returns RemoteObject with structure: {type: 'string', value: 'foo'}
    	// For undefined/null, CDP returns: {type: 'undefined'} or {type: 'null', value: null}
    	// We need to check if 'value' property exists, not if it's undefined
    	let extractedResult;
    	if (result.result) {
    	if ('value' in result.result) {
    	// RemoteObject has a value field - extract it
    	extractedResult = result.result.value;
    	} else if (result.result.type === 'undefined') {
    	// Special case: undefined has no value field
    	extractedResult = undefined;
    	} else {
    	// For objects/functions without returnByValue, return the whole RemoteObject
    	extractedResult = result.result;
    	}
    	} else {
    	extractedResult = result.result;
    	}
    	return {
    	tabId,
    	result: extractedResult,
    	exceptionDetails: result.exceptionDetails
    	};
    	} catch (error) {
    	logger.error('Failed to execute JavaScript via CDP', {
    	tabId,
    	error: error.message
    	});
    	throw error;
    	}
    	}
    🧰 Tools

    🪛 ESLint

    [error] 1225-1225: There must be no hyphen before @param description.

    (jsdoc/require-hyphen-before-param-description)

    ---

    [error] 1226-1226: There must be no hyphen before @param description.

    (jsdoc/require-hyphen-before-param-description)

    ---

    [error] 1227-1227: There must be no hyphen before @param description.

    (jsdoc/require-hyphen-before-param-description)

    ---

    [error] 1228-1228: There must be no hyphen before @param description.

    (jsdoc/require-hyphen-before-param-description)

    ---

    [error] 1229-1229: There must be no hyphen before @param description.

    (jsdoc/require-hyphen-before-param-description)

    🤖 Prompt for AI Agents

    In agent-server/nodejs/src/lib/BrowserAgentServer.js around lines 1223-1289, fix
    the JSDoc hyphen lint error by removing the leading hyphens from the @param
    descriptions to match the file style, and harden expression handling by
    validating the input before using .length or passing it to CDP: if typeof
    expression !== 'string' throw a TypeError stating "expression must be a string",
    and update the logger usage to compute expressionLength safely (e.g. only access
    expression.length when it's a string) so non-string inputs fail with a clear,
    predictable error rather than a runtime crash.
    

[claude]

Claude finished @olesho's task —— View job

---

Pull Request Review: JavaScript Evaluation Endpoint

I've completed a comprehensive review of the JavaScript evaluation endpoint implementation. Here's my detailed analysis:

Summary

This PR adds a /page/execute endpoint that enables JavaScript evaluation within browser tabs via Chrome DevTools Protocol. The implementation follows the existing codebase patterns but has several security and robustness concerns that should be addressed.

📋 Code Quality & Best Practices

✅ Strengths

• Consistent API design: The /page/execute endpoint follows the same pattern as existing endpoints (/page/screenshot, /page/content)
• Proper error handling structure: Uses try/catch blocks and delegates to shared error handling
• Good logging: Includes appropriate logging for execution attempts and results
• CDP integration: Correctly uses Chrome DevTools Protocol Runtime.evaluate method
• Return value extraction: Properly handles CDP RemoteObject response format

⚠️ Issues Identified

1. Input Validation Vulnerabilities (api-server.js:358-360)

• Only checks expression for truthiness, not type safety
• expression.substring(0, 100) will throw runtime error if expression is not a string
• No validation for expression content or length limits

2. JSDoc Formatting Issues (BrowserAgentServer.js:1225-1229)

• ESLint errors due to hyphens in JSDoc parameter descriptions
• Inconsistent with rest of codebase style

3. Missing Input Type Guards (BrowserAgentServer.js:1232)

• No validation that expression parameter is actually a string before using .length
• Could cause runtime errors if called programmatically with non-string values

🔒 Security Analysis

🚨 Critical Security Concerns

Arbitrary JavaScript Execution Risk

• Endpoint allows execution of ANY JavaScript code in browser context
• No sandboxing, filtering, or restrictions on dangerous operations
• Could be exploited for:
  • Data exfiltration via network requests
  • DOM manipulation attacks
  • Accessing sensitive browser APIs
  • Cross-site scripting if used with untrusted input

Recommendations:

1. Input sanitization: Implement allowlist of safe JavaScript patterns
2. Execution context isolation: Consider running in isolated contexts
3. Time limits: Enforce stricter timeouts to prevent infinite loops
4. Access controls: Restrict which clients can use this endpoint
5. Audit logging: Log all executed expressions for security monitoring

Authentication & Authorization

• No additional authentication beyond basic client/tab validation
• Should consider if this endpoint needs elevated permissions
• Consider rate limiting to prevent abuse

🚀 Performance Considerations

Positive Aspects

• Uses existing CDP infrastructure efficiently
• Proper connection management via sendCDPCommandToTarget
• Reasonable default timeout values

Potential Issues

• No built-in rate limiting for JS execution requests
• Could impact browser performance with heavy computations
• No memory usage monitoring for executed scripts

🧪 Test Coverage

Missing Test Coverage

• Critical: No unit tests for the new functionality
• No integration tests for the endpoint
• No security tests for malicious input scenarios
• No performance tests for edge cases

Testing Recommendations

1. Unit tests for input validation and error handling
2. Integration tests for full API workflow
3. Security tests for malicious JavaScript injection
4. Performance tests for execution limits and timeouts

🐛 Specific Code Issues

api-server.js:347-375

// ISSUE: Type safety violation
if (!expression) {  // Only checks truthiness
  throw new Error('JavaScript expression is required');
}
// Later...
expression.substring(0, 100)  // Will crash if expression is not string

Fix:

if (typeof expression !== 'string' || expression.trim() === '') {
  throw new Error('JavaScript expression must be a non-empty string');
}

BrowserAgentServer.js:1225-1229

// ISSUE: JSDoc formatting
* @param {string} tabId - Tab ID (target ID)
//                      ^ Remove hyphens to match codebase style

BrowserAgentServer.js:1232-1236

// ISSUE: Missing type guard
async evaluateJavaScript(tabId, expression, options = {}) {
  const { returnByValue = true, awaitPromise = false } = options;
  // Should validate expression type before using .length

📊 Performance & Reliability

Memory & Resource Usage

• No memory limits on JavaScript execution
• Could potentially cause memory leaks with large objects
• No cleanup mechanism for long-running evaluations

Error Recovery

• Good exception handling and logging
• Proper CDP error propagation
• Clean failure modes

🔧 Recommended Fixes

Immediate (Required)

1. Fix input validation in api-server.js:358
2. Fix JSDoc formatting in BrowserAgentServer.js:1225-1229
3. Add type guards in BrowserAgentServer.js

Security Hardening (Recommended)

1. Implement JavaScript sandboxing or allowlists
2. Add rate limiting for the endpoint
3. Enhance audit logging
4. Add input length restrictions

Testing (Strongly Recommended)

1. Add unit tests for both files
2. Add integration tests for the endpoint
3. Add security tests for malicious inputs

🎯 Overall Assessment

Functionality: ✅ Correctly implements JavaScript evaluation via CDP
Code Quality: ⚠️ Good structure but needs input validation fixes
Security: 🚨 High risk - allows arbitrary code execution
Performance: ⚠️ Acceptable but needs resource controls
Testing: ❌ No test coverage
Documentation: ✅ Well-documented in CLAUDE.md

💡 Conclusion

This PR successfully adds JavaScript evaluation capability for benchmarking purposes, but requires immediate security and robustness improvements before merge. The functionality is valuable for evaluation scenarios, but the security implications of arbitrary JavaScript execution need careful consideration.

Recommendation: Request changes to address input validation and consider security implications before approval.

---