fix(whatsapp): sandbox chromium by default

2026-02-15 21:57:52 -08:00
parent 63d645bd87
commit 8709c3c9b4
8 changed files with 94 additions and 1 deletions
@@ -564,6 +564,37 @@ describe('WhatsAppAdapter', () => {
    );
  });

+  it('uses sandboxed Chromium args by default', async () => {
+    const connectPromise = adapter.connect();
+    simulateEvent('ready');
+    await connectPromise;
+
+    const { Client } = await import('whatsapp-web.js');
+    expect(Client).toHaveBeenCalledWith(expect.objectContaining({
+      puppeteer: expect.objectContaining({
+        headless: true,
+        args: [],
+      }),
+    }));
+  });
+
+  it('allows opting into no-sandbox Chromium args via config', async () => {
+    const adapterNoSandbox = new WhatsAppAdapter({
+      allowNoSandbox: true,
+    });
+
+    const connectPromise = adapterNoSandbox.connect();
+    simulateEvent('ready');
+    await connectPromise;
+
+    const { Client } = await import('whatsapp-web.js');
+    expect(Client).toHaveBeenCalledWith(expect.objectContaining({
+      puppeteer: expect.objectContaining({
+        args: ['--no-sandbox', '--disable-setuid-sandbox'],
+      }),
+    }));
+  });
+
  it('connect sets error status when initialize() rejects', async () => {
    mockInitialize.mockRejectedValueOnce(new Error('Browser launch failed'));

@@ -32,6 +32,8 @@ export interface WhatsAppAdapterConfig {
  dataDir?: string;
  /** Optional pairing manager for DM pairing codes. */
  pairingManager?: PairingManager;
+  /** Allow launching Chromium without sandbox (unsafe; use only in high-trust/containerized setups). */
+  allowNoSandbox?: boolean;
 }

 /** Minimal shape of a whatsapp-web.js message. */
@@ -88,11 +90,18 @@ export class WhatsAppAdapter implements ChannelAdapter {
        dataPath: this.config.dataDir,
      });

+      const puppeteerArgs = this.config.allowNoSandbox
+        ? ['--no-sandbox', '--disable-setuid-sandbox']
+        : [];
+      if (this.config.allowNoSandbox) {
+        console.warn('WhatsApp adapter: Chromium sandbox disabled via config (unsafe).');
+      }
+
      this.client = new Client({
        authStrategy,
        puppeteer: {
          headless: true,
-          args: ['--no-sandbox', '--disable-setuid-sandbox'],
+          args: puppeteerArgs,
        },
      });

@@ -288,6 +288,29 @@ describe('configSchema — matrix', () => {
  });
 });

+describe('configSchema — whatsapp', () => {
+  const minimalConfig = {
+    telegram: { bot_token: 'test', allowed_chat_ids: [1] },
+    models: { default: { provider: 'anthropic', model: 'claude-3' } },
+  };
+
+  it('defaults whatsapp no_sandbox to false', () => {
+    const result = configSchema.parse({
+      ...minimalConfig,
+      whatsapp: {},
+    });
+    expect(result.whatsapp?.no_sandbox).toBe(false);
+  });
+
+  it('accepts whatsapp no_sandbox override', () => {
+    const result = configSchema.parse({
+      ...minimalConfig,
+      whatsapp: { no_sandbox: true },
+    });
+    expect(result.whatsapp?.no_sandbox).toBe(true);
+  });
+});
+
 describe('configSchema — skills watcher', () => {
  const minimalConfig = {
    telegram: { bot_token: 'test', allowed_chat_ids: [1] },
@@ -373,6 +373,7 @@ const whatsappSchema = z.object({
  allowed_group_ids: z.array(z.string()).default([]),
  require_mention: z.boolean().default(true),
  data_dir: z.string().optional(),
+  no_sandbox: z.boolean().default(false),
 }).optional();

 const matrixSchema = z.object({
@@ -66,6 +66,7 @@ export function registerChannels(deps: ChannelsDeps): ChannelsResult {
      requireMention: config.whatsapp.require_mention,
      dataDir: config.whatsapp.data_dir,
      pairingManager,
+      allowNoSandbox: config.whatsapp.no_sandbox,
    });
    channelRegistry.register(whatsappAdapter);
  }