starred/hoppscotch
1
0
Fork 0
mirror of https://github.com/hoppscotch/hoppscotch.git synced 2026-04-25 16:55:59 +03:00
Code Issues 711 Projects Releases 5 Packages Wiki Activity

[PR #5791] [MERGED] feat(js-sandbox): add extensive Web Crypto API support #5351

New issue
Closed
opened 2026-03-17 02:48:31 +03:00 by kerem · 0 comments
kerem commented 2026-03-17 02:48:31 +03:00
Owner
Copy link

📋 Pull Request Information

Original PR: https://github.com/hoppscotch/hoppscotch/pull/5791
Author: @jamesgeorge007
Created: 1/20/2026
Status: Merged
Merged: 1/22/2026
Merged by: @jamesgeorge007

Base: nextHead: feat/js-sandbox-web-crypto-api-support

📝 Commits (1)

  • 8c0dc5a feat(js-sandbox): add extensive Web Crypto API support

📊 Changes

13 files changed (+3223 additions, -199 deletions)

View changed files

📝 packages/hoppscotch-cli/src/__tests__/e2e/fixtures/collections/scripting-revamp-coll.json (+195 -137)
packages/hoppscotch-js-sandbox/src/__tests__/cage-modules/crypto/encrypt-decrypt.spec.ts (+261 -0)
packages/hoppscotch-js-sandbox/src/__tests__/cage-modules/crypto/key-operations.spec.ts (+829 -0)
packages/hoppscotch-js-sandbox/src/__tests__/cage-modules/crypto/random-values.spec.ts (+243 -0)
packages/hoppscotch-js-sandbox/src/__tests__/cage-modules/crypto/sign-verify.spec.ts (+207 -0)
packages/hoppscotch-js-sandbox/src/__tests__/cage-modules/crypto/subtle-digest.spec.ts (+207 -0)
📝 packages/hoppscotch-js-sandbox/src/__tests__/pm-namespace/serialization-edge-cases.spec.ts (+0 -1)
📝 packages/hoppscotch-js-sandbox/src/__tests__/pw-namespace/expect/toBeLevelxxx.spec.ts (+0 -3)
packages/hoppscotch-js-sandbox/src/cage-modules/crypto.ts (+1031 -0)
📝 packages/hoppscotch-js-sandbox/src/cage-modules/default.ts (+2 -2)
📝 packages/hoppscotch-js-sandbox/src/cage-modules/fetch.ts (+5 -56)
📝 packages/hoppscotch-js-sandbox/src/cage-modules/index.ts (+2 -0)
packages/hoppscotch-js-sandbox/src/cage-modules/utils/vm-marshal.ts (+241 -0)

📄 Description

Relates to #2015, #5523, #3353, https://github.com/AndrewBastin/faraday-cage/issues/1.

Closes FE-1104.

This PR brings comprehensive Web Crypto API support to Hoppscotch's experimental scripting sandbox, enabling users to perform real cryptographic operations in their pre-request and test scripts.

A custom in-house implementation of the cage module is maintained to enable faster iteration and project-specific behaviour. The relevant upstream issue is linked for visibility, following the same approach used for the custom fetch cage module.

What's changed

New files:

  • cage-modules/crypto.ts — Custom crypto module implementing the full crypto.subtle API (~1,100 lines). Replaces faraday-cage's built-in crypto, which lacked proper crypto.subtle support across the VM boundary.
  • cage-modules/utils/vm-marshal.ts — Shared utilities for marshalling values between QuickJS VM and host: vmArrayToUint8Array(), uint8ArrayToVmArray(), CryptoKeyRegistry for storing CryptoKey objects, and marshalValue() for generic object serialisation.

Modified files:

  • cage-modules/default.ts — Swapped faraday-cage's crypto for customCryptoModule in the default module set
  • cage-modules/fetch.ts — Refactored to use shared vm-marshal.ts utilities instead of duplicating marshalling logic
  • cage-modules/index.ts — Export the new crypto module and its config type

Test files:

  • Added 5 unit test suites for crypto operations (encrypt/decrypt, sign/verify, key operations, random values, digest).
  • Updated CLI e2e collection with 14 crypto-specific assertions.
  • Fixed circular reference test handling in serialization-edge-cases.spec.ts.
  • Simplified skip annotation in toBeLevelxxx.spec.ts.

Crypto operations now available

  • Hashing: SHA-1, SHA-256, SHA-384, SHA-512
  • Encryption: AES-GCM, AES-CBC, AES-CTR, RSA-OAEP
  • Signatures: HMAC, ECDSA, RSA-PSS, RSA-PKCS1-v1_5
  • Key management: generate, import, export (JWK/raw/PKCS8/SPKI), derive (PBKDF2/HKDF), wrap/unwrap (AES-KW)
  • Random: crypto.getRandomValues(), crypto.randomUUID()

Note to reviewers

Try out the following snippet:

// SHA-256 hashing
const data = new TextEncoder().encode("Hello")
// hash is a plain array of bytes
const hash = await crypto.subtle.digest('SHA-256', data)

// HMAC-SHA256 signature
const key = await crypto.subtle.generateKey(
  { name: 'HMAC', hash: 'SHA-256' },
  false,
  ['sign']
)
const signature = await crypto.subtle.sign('HMAC', key, data)

The main challenge was safely transferring cryptographic values across the QuickJS VM boundary. Since QuickJS doesn't natively support Uint8Array or CryptoKey objects, custom marshalling is used to convert between VM arrays and host types. CryptoKey objects are stored in a host-side registry (with 5-minute TTL) and referenced by ID from the VM.

All operations delegate to the host's native WebCrypto; no cryptographic primitives are implemented here. Async operations are tracked to prevent "use after free" errors when the VM is disposed of while crypto work is pending.

Tests perform real cryptographic round-trips (encrypt→decrypt, sign→verify) rather than just checking function existence.

No breaking changes to the public API.

Summary by cubic

Adds full Web Crypto API support to the Hoppscotch JavaScript sandbox, enabling real hashing, encryption, signing, key management, and random utilities in pre-request and test scripts. Implements a custom crypto module that safely bridges the QuickJS VM to the host WebCrypto.

  • New Features

    • Supports crypto.subtle: digest, encrypt/decrypt (AES, RSA), sign/verify (HMAC, ECDSA, RSA), key generate/import/export/derive/wrap, plus getRandomValues and randomUUID.
    • Delegates all operations to native WebCrypto; no custom crypto primitives.
    • Added unit tests and CLI e2e assertions covering round-trip encrypt/decrypt and sign/verify.

  • Refactors

    • Replaced faraday-cage crypto with customCryptoModule in default modules; exported the module and its config.
    • Introduced shared VM marshalling utilities and a host-side CryptoKey registry (TTL) to pass data/keys across the VM boundary.
    • Updated fetch module to use shared marshalling and simplified serialization types.
    • Minor test cleanups (circular reference handling, reduced skip annotations).

Written for commit 8c0dc5a12e. Summary will update on new commits.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/hoppscotch/hoppscotch/pull/5791 **Author:** [@jamesgeorge007](https://github.com/jamesgeorge007) **Created:** 1/20/2026 **Status:** ✅ Merged **Merged:** 1/22/2026 **Merged by:** [@jamesgeorge007](https://github.com/jamesgeorge007) **Base:** `next` ← **Head:** `feat/js-sandbox-web-crypto-api-support` --- ### 📝 Commits (1) - [`8c0dc5a`](https://github.com/hoppscotch/hoppscotch/commit/8c0dc5a12e2b2f84109b694392491e57b4aeac6f) feat(js-sandbox): add extensive Web Crypto API support ### 📊 Changes **13 files changed** (+3223 additions, -199 deletions) <details> <summary>View changed files</summary> 📝 `packages/hoppscotch-cli/src/__tests__/e2e/fixtures/collections/scripting-revamp-coll.json` (+195 -137) ➕ `packages/hoppscotch-js-sandbox/src/__tests__/cage-modules/crypto/encrypt-decrypt.spec.ts` (+261 -0) ➕ `packages/hoppscotch-js-sandbox/src/__tests__/cage-modules/crypto/key-operations.spec.ts` (+829 -0) ➕ `packages/hoppscotch-js-sandbox/src/__tests__/cage-modules/crypto/random-values.spec.ts` (+243 -0) ➕ `packages/hoppscotch-js-sandbox/src/__tests__/cage-modules/crypto/sign-verify.spec.ts` (+207 -0) ➕ `packages/hoppscotch-js-sandbox/src/__tests__/cage-modules/crypto/subtle-digest.spec.ts` (+207 -0) 📝 `packages/hoppscotch-js-sandbox/src/__tests__/pm-namespace/serialization-edge-cases.spec.ts` (+0 -1) 📝 `packages/hoppscotch-js-sandbox/src/__tests__/pw-namespace/expect/toBeLevelxxx.spec.ts` (+0 -3) ➕ `packages/hoppscotch-js-sandbox/src/cage-modules/crypto.ts` (+1031 -0) 📝 `packages/hoppscotch-js-sandbox/src/cage-modules/default.ts` (+2 -2) 📝 `packages/hoppscotch-js-sandbox/src/cage-modules/fetch.ts` (+5 -56) 📝 `packages/hoppscotch-js-sandbox/src/cage-modules/index.ts` (+2 -0) ➕ `packages/hoppscotch-js-sandbox/src/cage-modules/utils/vm-marshal.ts` (+241 -0) </details> ### 📄 Description Relates to #2015, #5523, #3353, https://github.com/AndrewBastin/faraday-cage/issues/1. Closes FE-1104. This PR brings comprehensive Web Crypto API support to Hoppscotch's experimental scripting sandbox, enabling users to perform real cryptographic operations in their pre-request and test scripts. A custom in-house implementation of the cage module is maintained to enable faster iteration and project-specific behaviour. The relevant upstream issue is linked for visibility, following the same approach used for the custom fetch cage module. ### What's changed **New files:** - `cage-modules/crypto.ts` — Custom crypto module implementing the full `crypto.subtle` API (~1,100 lines). Replaces faraday-cage's built-in crypto, which lacked proper `crypto.subtle` support across the VM boundary. - `cage-modules/utils/vm-marshal.ts` — Shared utilities for marshalling values between QuickJS VM and host: `vmArrayToUint8Array()`, `uint8ArrayToVmArray()`, `CryptoKeyRegistry` for storing CryptoKey objects, and `marshalValue()` for generic object serialisation. **Modified files:** - `cage-modules/default.ts` — Swapped faraday-cage's `crypto` for `customCryptoModule` in the default module set - `cage-modules/fetch.ts` — Refactored to use shared `vm-marshal.ts` utilities instead of duplicating marshalling logic - `cage-modules/index.ts` — Export the new crypto module and its config type **Test files:** - Added 5 unit test suites for crypto operations (encrypt/decrypt, sign/verify, key operations, random values, digest). - Updated CLI e2e collection with 14 crypto-specific assertions. - Fixed circular reference test handling in `serialization-edge-cases.spec.ts`. - Simplified skip annotation in `toBeLevelxxx.spec.ts`. ### Crypto operations now available - Hashing: SHA-1, SHA-256, SHA-384, SHA-512 - Encryption: AES-GCM, AES-CBC, AES-CTR, RSA-OAEP - Signatures: HMAC, ECDSA, RSA-PSS, RSA-PKCS1-v1_5 - Key management: generate, import, export (JWK/raw/PKCS8/SPKI), derive (PBKDF2/HKDF), wrap/unwrap (AES-KW) - Random: `crypto.getRandomValues()`, `crypto.randomUUID()` ### Note to reviewers Try out the following snippet: ```js // SHA-256 hashing const data = new TextEncoder().encode("Hello") // hash is a plain array of bytes const hash = await crypto.subtle.digest('SHA-256', data) // HMAC-SHA256 signature const key = await crypto.subtle.generateKey( { name: 'HMAC', hash: 'SHA-256' }, false, ['sign'] ) const signature = await crypto.subtle.sign('HMAC', key, data) ``` The main challenge was safely transferring cryptographic values across the QuickJS VM boundary. Since QuickJS doesn't natively support `Uint8Array` or `CryptoKey` objects, custom marshalling is used to convert between VM arrays and host types. CryptoKey objects are stored in a host-side registry (with 5-minute TTL) and referenced by ID from the VM. All operations delegate to the host's native `WebCrypto`; no cryptographic primitives are implemented here. Async operations are tracked to prevent "use after free" errors when the VM is disposed of while crypto work is pending. Tests perform real cryptographic round-trips (encrypt→decrypt, sign→verify) rather than just checking function existence. No breaking changes to the public API. <!-- This is an auto-generated description by cubic. --> --- ## Summary by cubic Adds full Web Crypto API support to the Hoppscotch JavaScript sandbox, enabling real hashing, encryption, signing, key management, and random utilities in pre-request and test scripts. Implements a custom crypto module that safely bridges the QuickJS VM to the host WebCrypto. - **New Features** - Supports crypto.subtle: digest, encrypt/decrypt (AES, RSA), sign/verify (HMAC, ECDSA, RSA), key generate/import/export/derive/wrap, plus getRandomValues and randomUUID. - Delegates all operations to native WebCrypto; no custom crypto primitives. - Added unit tests and CLI e2e assertions covering round-trip encrypt/decrypt and sign/verify. - **Refactors** - Replaced faraday-cage crypto with customCryptoModule in default modules; exported the module and its config. - Introduced shared VM marshalling utilities and a host-side CryptoKey registry (TTL) to pass data/keys across the VM boundary. - Updated fetch module to use shared marshalling and simplified serialization types. - Minor test cleanups (circular reference handling, reduced skip annotations). <sup>Written for commit 8c0dc5a12e2b2f84109b694392491e57b4aeac6f. Summary will update on new commits.</sup> <!-- End of auto-generated description by cubic. --> --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
kerem 2026-03-17 02:48:31 +03:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
chore/security-fix-2026-4-0
next
fix/mockserver-env-set-url-priority
feat/rest-gql-merge
refactor/workspaces
fix/onboarding-mass-assignment
desktop-settings-phase-0-schema-bridge-shell
patch
test-webhook
pr/johnan319/5745
tembo/optimize-performance-db-queries
add-claude-github-actions-1772782423108
fix/code-scanning-103
fix/mock-server-example-endpoint-match-v2
fix/rate-limit-on-health-route
hotfix/api-doc-collection-deletetion
cd-test
fix/mock-server-backend-followup
chore/code-scanning-52
chore/verion-addition-check
nested-migrations
scripting-system-updates-worker-setup
scripting-system-updates
pr/shipko/4367
ci-test
feat/user-delete-condition
feat/user-workspace-stats-api
chore/collection-export-addition
fix/import-file-size-limit-flow
feat/dashboard-common
feat/sort-environment-alphabetically
feat/infra-config-encryption
refactor/team
feat/collection-duplicationn
feat/secure-cookies-toggle
pr/pavog/4195
pr/pavog/4196
test/patch-demo
feat/native-interceptor-updates
pr/AndrewBastin/4111
feat/user-last-active-on
fix/codemirror-large-text-scroll-bug
fix/precision-lost-beautify
fix/env-diff-test-schema-error
fix/email-case-sensitive
release/2024.3.3
refactor/workspace-login-conversion
feat/node-apline-version-upgrade
feat/seed
release/2024.3.2
fix/sh-email-handlebar-issue
feat/app-experiment-animation
release/2024.3.1
release/2024.3.0
pr/jamesgeorge007/3937
experiment/deploychan
feat/github-enterprise-auth
refactor/collection-search-query
hotfix/infra-config-reset-bug
fix/secret-var-bug
hotfix/full-text-search
hotfix/request-variable-version-syncing
feat/request-variable
feat/server-config-additional-properties
pr/JoelJacobStephen/3845
release/2023.12.6
fix/safari-codemirror-perf-bug
release/2023.12.5
release/2023.12.4
fix/secret-env-bugs-tooltip
release/2023.12.3
fix/shared-request-bug
fix/disable-context-menu-option
release/2023.12.2
release/2023.12.1
fix/shared-request-bugs
release/2023.12.0
fix/gql-history-schema
fix/actions-not-working-without-sidebar
pr/jamesgeorge007/3665
chore/desktop-app-corrections
fix/auth-headers-in-coll
fix/embed-url
improve/placeholder
add-realtime-logos
feat/shared-request-embeds
feat/collection-headers
revamp/header
release/2023.8.4
refactor/interceptor-error-display
feat/subpath-based-access
release/2023.8.3
feat/shared-requests
feat/desktop
fix/nodemailer-templates-issue
feature/upgrade-graphql-ws
fix/graphql-crashing
fix/set-environments-when-no-env-selected
refactor/pre-prisma-bump-setup
release/2023.8.2
pr/danitherex/3216
perf/raw-db-query
release/2023.8.1
revert-3348-perf/reduce-backend-calls
fix/incorrect-tab-count-close-all-tab
fix/duplicate-tab-bug
release/2023.8.0
hotfix/fetch-shortcode
fix/tab-right-click-rename-bug
chore/docker-fixes
pr/JoelJacobStephen/3178
feat/fe-accessible-auth-provider-env
feat-cherry-pick/conditional-auth-select
feat/conditional-auth-select
release/2023.4.8
fix/generate-sitemap-issue
test/backend-test-case
refactor/team-invitation
pr/AndrewBastin/3171
release/2023.4.7
fix/duplicate-team-invite
fix/unified-bg-color-coll-tree
fix/shortcode-screen-stuck
release/2023.4.6
revert-3117-patch-3
fix/env-selector-bg
fix/db-url
release/2023.4.4
fix/sync-popup-bug
fix/team-env-set-test
chore/wss-to-ws-on-env
fix/prettify-xml-response
feat/db-volume-addition
feat/env-selector-tabs-ui
bug/broken-env
release/2023.4.2
fix/switch-workspace-env-bug
fix/magic-link
fix/cookie-handler
HPS-OSS-1
staging
revert/auth-issue
feat/export-env
refactor/commons
reference/path-variables
orphan-pr/2243
feat/realtime-search
fix/save-override
refactor/strategies
feat/embeds
bug/withDefaults
feat/show-keys
refactor/toast
2026.3.1
2026.3.0
2026.2.1
2026.2.0
2026.1.1
2026.1.0
2025.12.1
2025.12.0
2025.11.2
2025.11.1
2025.11.0
2025.10.1
2025.10.0
2025.9.2
2025.9.1
2025.9.0
2025.8.1
2025.8.0
2025.7.1
2025.7.0
2025.6.1
2025.6.0
2025.5.4
2025.5.3
2025.5.2
2025.5.1
2025.5.0
2025.4.2
2025.4.1
2025.4.0
2025.3.2
2025.3.1
2025.3.0
2025.2.3
2025.2.2
2025.2.1
2025.2.0
2025.1.1
2025.1.0
2024.12.2
2024.12.1
2024.12.0
2024.11.0
2024.10.2
2024.10.1
2024.10.0
2024.9.3
2024.9.2
2024.9.1
2024.9.0
2024.8.3
2024.8.2
2024.8.1
2024.8.0
2024.7.2
2024.7.1
2024.7.0
2024.6.1
2024.6.0
2024.3.4
2024.3.3
2024.3.2
2024.3.1
2024.3.0
2023.12.6
2023.12.5
2023.12.4
2023.12.3
2023.12.2
2023.12.1
2023.12.0
2023.8.4
2023.8.3
2023.8.2
2023.8.1
2023.8.0
2023.4.8
2023.4.7
2023.4.6
2023.4.5
2023.4.4
2023.4.3
2023.4.2
2023.4.1
2023.4.0
v3.0.1
v3.0.0
v2.2.1
v2.2.0
v2.1.0
v2.0.0
v1.12.0
v1.10.0
v1.9.9
v1.9.7
v1.9.5
v1.9.0
v1.8.0
v1.5.0
v1.0.0
v0.1.0
Labels
Clear labels   
CodeDay

   
a11y

   
browser limited

   
bug

   
bug fix

   
cli

   
core

   
critical

   
design

   
desktop

   
discussion

   
docker

   
documentation

   
duplicate

   
enterprise

   
feature

   
feature

   
fosshack

   
future

   
good first issue

   
hacktoberfest

   
help wanted

   
i18n

   
invalid

   
major

   
minor

   
need information

   
need testing

   
not applicable to hoppscotch

   
not reproducible

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
refactor

   
resolved

   
sandbox

   
self-host

   
spam

   
stale

   
testmu

   
wip

   
wont fix
No labels
CodeDay
a11y
browser limited
bug
bug fix
cli
core
critical
design
desktop
discussion
docker
documentation
duplicate
enterprise
feature
feature
fosshack
future
good first issue
hacktoberfest
help wanted
i18n
invalid
major
minor
need information
need testing
not applicable to hoppscotch
not reproducible
pull-request
question
refactor
resolved
sandbox
self-host
spam
stale
testmu
wip
wont fix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/hoppscotch#5351
No description provided.