fix(browser): align browser.proxy profile mutation guards (#60489)

* fix(browser): block proxy profile mutations * docs(changelog): add browser proxy guard entry --------- Co-authored-by: Devin Robison <drobison@nvidia.com> Co-authored-by: Devin Robison <drobison00@users.noreply.github.com>
2026-04-18 04:31:10 +00:00 · 2026-04-07 12:00:21 -07:00
parent 744d176744
commit e5aae5e056
5 changed files with 99 additions and 37 deletions
--- a/extensions/browser/src/node-host/invoke-browser.test.ts
+++ b/extensions/browser/src/node-host/invoke-browser.test.ts
@@ -316,9 +316,7 @@ describe("runBrowserProxyCommand", () => {
          timeoutMs: 50,
        }),
      ),
-    ).rejects.toThrow(
-      "INVALID_REQUEST: browser.proxy cannot mutate persistent browser profiles when allowProfiles is configured",
-    );
+    ).rejects.toThrow("INVALID_REQUEST: browser.proxy cannot mutate persistent browser profiles");
    expect(dispatcherMocks.dispatch).not.toHaveBeenCalled();
  });

@@ -336,9 +334,7 @@ describe("runBrowserProxyCommand", () => {
          timeoutMs: 50,
        }),
      ),
-    ).rejects.toThrow(
-      "INVALID_REQUEST: browser.proxy cannot mutate persistent browser profiles when allowProfiles is configured",
-    );
+    ).rejects.toThrow("INVALID_REQUEST: browser.proxy cannot mutate persistent browser profiles");
    expect(dispatcherMocks.dispatch).not.toHaveBeenCalled();
  });

@@ -357,9 +353,7 @@ describe("runBrowserProxyCommand", () => {
          timeoutMs: 50,
        }),
      ),
-    ).rejects.toThrow(
-      "INVALID_REQUEST: browser.proxy cannot mutate persistent browser profiles when allowProfiles is configured",
-    );
+    ).rejects.toThrow("INVALID_REQUEST: browser.proxy cannot mutate persistent browser profiles");
    expect(dispatcherMocks.dispatch).not.toHaveBeenCalled();
  });

@@ -390,27 +384,17 @@ describe("runBrowserProxyCommand", () => {
    );
  });

-  it("preserves legacy proxy behavior when allowProfiles is empty", async () => {
-    dispatcherMocks.dispatch.mockResolvedValue({
-      status: 200,
-      body: { ok: true },
-    });
-
-    await runBrowserProxyCommand(
-      JSON.stringify({
-        method: "POST",
-        path: "/profiles/create",
-        body: { name: "poc", cdpUrl: "http://127.0.0.1:9222" },
-        timeoutMs: 50,
-      }),
-    );
-
-    expect(dispatcherMocks.dispatch).toHaveBeenCalledWith(
-      expect.objectContaining({
-        method: "POST",
-        path: "/profiles/create",
-        body: { name: "poc", cdpUrl: "http://127.0.0.1:9222" },
-      }),
-    );
+  it("rejects persistent profile creation when allowProfiles is empty", async () => {
+    await expect(
+      runBrowserProxyCommand(
+        JSON.stringify({
+          method: "POST",
+          path: "/profiles/create",
+          body: { name: "poc", cdpUrl: "http://127.0.0.1:9222" },
+          timeoutMs: 50,
+        }),
+      ),
+    ).rejects.toThrow("INVALID_REQUEST: browser.proxy cannot mutate persistent browser profiles");
+    expect(dispatcherMocks.dispatch).not.toHaveBeenCalled();
  });
 });
--- a/extensions/browser/src/node-host/invoke-browser.ts
+++ b/extensions/browser/src/node-host/invoke-browser.ts
@@ -240,12 +240,10 @@ export async function runBrowserProxyCommand(paramsJSON?: string | null): Promis
      profile: params.profile,
    }) ?? "";
  const allowedProfiles = proxyConfig.allowProfiles;
+  if (isPersistentBrowserProfileMutation(method, path)) {
+    throw new Error("INVALID_REQUEST: browser.proxy cannot mutate persistent browser profiles");
+  }
  if (allowedProfiles.length > 0) {
-    if (isPersistentBrowserProfileMutation(method, path)) {
-      throw new Error(
-        "INVALID_REQUEST: browser.proxy cannot mutate persistent browser profiles when allowProfiles is configured",
-      );
-    }
    if (path !== "/profiles") {
      const profileToCheck = requestedProfile || resolved.defaultProfile;
      if (!isProfileAllowed({ allowProfiles: allowedProfiles, profile: profileToCheck })) {