Skip to content

feat: lift network.ts fs/path behind window.main.timeline IPC bridge (PR B)#9945

Open
jackkav wants to merge 2 commits into
chore/disable-node-integrationfrom
feat/network-timeline-ipc-bridge
Open

feat: lift network.ts fs/path behind window.main.timeline IPC bridge (PR B)#9945
jackkav wants to merge 2 commits into
chore/disable-node-integrationfrom
feat/network-timeline-ipc-bridge

Conversation

@jackkav
Copy link
Copy Markdown
Contributor

@jackkav jackkav commented May 21, 2026

Summary

  • Removes node:fs and node:path from renderer-reachable src/network/network.ts — last Node builtin user in the network stack
  • Adds two narrow IPC helpers in main (timeline.getPath sync, timeline.appendToFile async) that replace three path-construction blocks and two appendFile calls
  • appendToTimeline validates the target path is inside responses/ and ends in .timeline, matching the same defence-in-depth pattern as writeResponseBodyToFile
  • Shrinks config/renderer-node-import-baseline.json by 2 entries (src/network/network.ts fs + path)

Context

Part of the nodeIntegration: false renderer migration. This is PR B from NODE_INTEGRATION_MIGRATION_PR_PLAN.md (option 1 — narrow main-side helper; defers option 2 pipeline-to-main move to post-flip cleanup).

Stacks on top of chore/disable-node-integration.

Test plan

  • npm run type-check — passes (0 errors)
  • npm run check:renderer-node-imports — passes, baseline no longer contains src/network/network.ts
  • Manual: send a request and confirm the timeline file is written correctly
  • Manual: confirm pre-request script errors still appear in the timeline

🤖 Generated with Claude Code

@jackkav @claude
feat: lift network.ts fs/path use behind window.main.timeline IPC bridge
60d8bfc 
Removes `node:fs` and `node:path` from the renderer-reachable
`src/network/network.ts`. Three timeline-path constructions and two
`appendFile` calls are replaced with narrow `window.main.timeline.getPath`
(sync IPC) and `window.main.timeline.appendToFile` (async IPC) helpers
that live in main, where Node builtins belong.

Path validation in `appendToTimeline` mirrors `writeResponseBodyToFile`:
only paths inside the `responses/` directory ending in `.timeline` are
accepted, preventing a compromised renderer from writing arbitrary files.

Updates `config/renderer-node-import-baseline.json` to remove the two
`src/network/network.ts` entries — the baseline shrinks as intended.

Part of the nodeIntegration: false migration (PR B).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions
Copy link
Copy Markdown

ghost commented May 21, 2026
edited by github-actions Bot
Loading

✅ Circular References Report

Generated at: 2026-05-21T15:03:07.459Z
Status: ✅ NO CHANGE

Summary

Metric Base (chore/disable-node-integration) PR Change
Total Circular References 19 19 0 (0.00%)
Click to view all circular references in PR (19) 
insomnia-inso/src/db/models/types.ts -> insomnia-inso/src/db/types.ts
insomnia-scripting-environment/src/objects/index.ts -> insomnia-scripting-environment/src/objects/collection.ts -> insomnia-scripting-environment/src/objects/response.ts -> insomnia/src/network/network.ts
insomnia-scripting-environment/src/objects/index.ts -> insomnia-scripting-environment/src/objects/collection.ts -> insomnia-scripting-environment/src/objects/response.ts -> insomnia/src/network/network.ts -> insomnia/src/network/cancellation.ts
insomnia-scripting-environment/src/objects/index.ts -> insomnia-scripting-environment/src/objects/collection.ts -> insomnia-scripting-environment/src/objects/response.ts -> insomnia/src/network/network.ts -> insomnia/src/network/cancellation.ts -> insomnia/src/script-executor.ts
insomnia-scripting-environment/src/objects/index.ts -> insomnia-scripting-environment/src/objects/collection.ts -> insomnia-scripting-environment/src/objects/response.ts -> insomnia/src/network/network.ts -> insomnia/src/network/cancellation.ts -> insomnia/src/script-executor.ts -> insomnia/src/scripting/require-interceptor.ts
insomnia-scripting-environment/src/objects/index.ts -> insomnia-scripting-environment/src/objects/collection.ts -> insomnia-scripting-environment/src/objects/response.ts -> insomnia/src/network/network.ts -> insomnia/src/network/concurrency.ts
insomnia/src/network/network.ts -> insomnia/src/common/render.ts
insomnia/src/network/network.ts -> insomnia/src/common/render.ts -> insomnia/src/templating/index.ts -> insomnia/src/plugins/index.ts -> insomnia/src/plugins/context/app.ts -> insomnia/src/templating/types.ts -> insomnia/src/plugins/context/network.ts
insomnia/src/network/network.ts -> insomnia/src/main/network/get-auth-header.ts -> insomnia/src/main/network/o-auth-2/get-token.ts
insomnia/src/plugins/index.ts -> insomnia/src/plugins/context/app.ts -> insomnia/src/templating/types.ts -> insomnia/src/plugins/context/store.ts
insomnia/src/plugins/index.ts -> insomnia/src/plugins/misc.ts
insomnia/src/templating/base-extension-worker.ts -> insomnia/src/templating/worker.ts
insomnia/src/templating/index.ts -> insomnia/src/templating/base-extension.ts
insomnia/src/templating/types.ts -> insomnia/src/plugins/context/network.ts
insomnia/src/templating/types.ts -> insomnia/src/templating/utils.ts
insomnia/src/ui/components/settings/import-export.tsx -> insomnia/src/ui/components/modals/export-requests-modal.tsx
insomnia/src/ui/components/tabs/tab-list.tsx -> insomnia/src/ui/components/tabs/tab.tsx
insomnia/src/ui/components/templating/tag-editor-arg-sub-form.tsx -> insomnia/src/ui/components/templating/external-vault/external-vault-form.tsx
insomnia/src/ui/components/viewers/response-viewer.tsx -> insomnia/src/ui/components/viewers/response-multipart-viewer.tsx
Click to view all circular references in base branch (19) 
insomnia-inso/src/db/models/types.ts -> insomnia-inso/src/db/types.ts
insomnia-scripting-environment/src/objects/index.ts -> insomnia-scripting-environment/src/objects/collection.ts -> insomnia-scripting-environment/src/objects/response.ts -> insomnia/src/network/network.ts
insomnia-scripting-environment/src/objects/index.ts -> insomnia-scripting-environment/src/objects/collection.ts -> insomnia-scripting-environment/src/objects/response.ts -> insomnia/src/network/network.ts -> insomnia/src/network/cancellation.ts
insomnia-scripting-environment/src/objects/index.ts -> insomnia-scripting-environment/src/objects/collection.ts -> insomnia-scripting-environment/src/objects/response.ts -> insomnia/src/network/network.ts -> insomnia/src/network/cancellation.ts -> insomnia/src/script-executor.ts
insomnia-scripting-environment/src/objects/index.ts -> insomnia-scripting-environment/src/objects/collection.ts -> insomnia-scripting-environment/src/objects/response.ts -> insomnia/src/network/network.ts -> insomnia/src/network/cancellation.ts -> insomnia/src/script-executor.ts -> insomnia/src/scripting/require-interceptor.ts
insomnia-scripting-environment/src/objects/index.ts -> insomnia-scripting-environment/src/objects/collection.ts -> insomnia-scripting-environment/src/objects/response.ts -> insomnia/src/network/network.ts -> insomnia/src/network/concurrency.ts
insomnia/src/network/network.ts -> insomnia/src/common/render.ts
insomnia/src/network/network.ts -> insomnia/src/common/render.ts -> insomnia/src/templating/index.ts -> insomnia/src/plugins/index.ts -> insomnia/src/plugins/context/app.ts -> insomnia/src/templating/types.ts -> insomnia/src/plugins/context/network.ts
insomnia/src/network/network.ts -> insomnia/src/main/network/get-auth-header.ts -> insomnia/src/main/network/o-auth-2/get-token.ts
insomnia/src/plugins/index.ts -> insomnia/src/plugins/context/app.ts -> insomnia/src/templating/types.ts -> insomnia/src/plugins/context/store.ts
insomnia/src/plugins/index.ts -> insomnia/src/plugins/misc.ts
insomnia/src/templating/base-extension-worker.ts -> insomnia/src/templating/worker.ts
insomnia/src/templating/index.ts -> insomnia/src/templating/base-extension.ts
insomnia/src/templating/types.ts -> insomnia/src/plugins/context/network.ts
insomnia/src/templating/types.ts -> insomnia/src/templating/utils.ts
insomnia/src/ui/components/settings/import-export.tsx -> insomnia/src/ui/components/modals/export-requests-modal.tsx
insomnia/src/ui/components/tabs/tab-list.tsx -> insomnia/src/ui/components/tabs/tab.tsx
insomnia/src/ui/components/templating/tag-editor-arg-sub-form.tsx -> insomnia/src/ui/components/templating/external-vault/external-vault-form.tsx
insomnia/src/ui/components/viewers/response-viewer.tsx -> insomnia/src/ui/components/viewers/response-multipart-viewer.tsx

Analysis

No Change: This PR does not introduce or remove any circular references.

This report was generated automatically by comparing against the chore/disable-node-integration branch.

@jackkav @claude
fix: address Aikido path-traversal feedback and mock window.main in n…
9e98eca 
…etwork tests

- `getTimelinePath`: use `path.resolve` + `path.relative` check instead of
  `path.join` to prevent path-traversal attacks (Aikido medium severity finding)
- `network.test.ts`: add `vi.stubGlobal('window', ...)` mock for
  `window.main.timeline` so tests don't throw "window is not defined" now
  that `defaultSendActionRuntime` calls `window.main.timeline.appendToFile`

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jackkav