#7265: Move Nunjucks template validation to sandbox

[fregante]

What does this PR do?

• Fixes CSP error from Page Editor analysis rule in MV3 #7265

The validation successfully goes through the sandbox, but it requires changes to the analysis in order to accept async validation. I think that's a larger task that can be done separately from this PR.

Tasks

• Move nunjucks validation to sandbox
• Ensure it works outside sandbox
• Ensure it works inside sandbox

Test strings

• {% %} reports a template error correctly
• {% reports a null reference error inside nunjucks itself, it's not our bug
  • Cannot read properties of null (reading 'type') mozilla/nunjucks#1454

Future work

• Catch and reword null reference error?

Checklist

• Add tests
• New files added to src/tsconfig.strictNullChecks.json (if possible)
• Designate a primary reviewer: @grahamlangford

[twschiller]

@fregante see comment here on how we currently handle async methods in analyses: #7265 (comment)

[twschiller]

Tagging @grahamlangford and @fungairino as reviewers for awareness around approach/discussion: #7426 (comment)

[codecov]

Codecov Report

Attention: 7 lines in your changes are missing coverage. Please review.

Comparison is base (cf080f4) 72.61% compared to head (0d845fe) 72.61%.
Report is 1 commits behind head on main.

Files	Patch %	Lines
src/sandbox/messenger/api.ts	0.00%	4 Missing ⚠️
src/sandbox/messenger/executor.ts	88.88%	1 Missing ⚠️
src/sandbox/messenger/registration.ts	0.00%	1 Missing ⚠️
src/starterBricks/contextMenu.ts	0.00%	1 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #7426   +/-   ##
=======================================
  Coverage   72.61%   72.61%           
=======================================
  Files        1211     1211           
  Lines       37867    37886   +19     
  Branches     7117     7122    +5     
=======================================
+ Hits        27497    27511   +14     
- Misses      10370    10375    +5     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[fregante]

It's ready!

Tested with and without sandbox

[fregante]

Nit, before:

// eslint-disable-next-line promise/prefer-await-to-then -- need the complete Promise
const promise = x().then(y => {
  z(y);
});

After:

const promise = (async () => {
  const y = await x();
  z(y);
})();

While a bit more verbose, it's easier to deal with linear await code than then/catch pipelines, which is the reason behind promise/prefer-await-to-then. Once the eslint-disable-next-line comment is factored in, it's actually shorter.

Another example

pixiebrix-extension/src/starterBricks/tourController.ts

Lines 275 to 284 in 7ad11c7

	// Decorate the extension promise with tour tracking
	const runPromise = promise
	// eslint-disable-next-line promise/prefer-await-to-then -- avoid separate method
	.then(() => {
	markTourEnd(nonce, { context });
	})
	// eslint-disable-next-line promise/prefer-await-to-then -- avoid separate method
	.catch((error) => {
	markTourEnd(nonce, { error, context });
	});

[grahamlangford]

Agreed. I wonder what the thought process was behind using the promise callback in the first place.

[twschiller]

I don't know a good reason off the top of my head. In some places we used to use it because microtasks threw off browser user gesture recognition, but that wouldn't apply here

[fregante]

Comment copy-pasted from existing code

[fregante]

Nit: This is the default

I'm not a fan of splice in general so I'd be open to adding a cloneAndClearArray utility to make the intent clear.

Suggested change

	const current = panels.splice(0);
	const current = cloneAndClearArray(panels);

[fregante]

I copied this updated test format from requestPermissionAnalysis.test.ts

[github-actions]

No loom links were found in the first post. Please add one there if you'd like to it to appear on Slack.

Do not edit this comment manually.