feat(poc): sanity plugin check - POC

[gustavolira]

Summary

POC that validates all dynamic plugins from the RHDH catalog index can be loaded by Backstage, without requiring a Kubernetes cluster or container deployment.

Reduces sanity plugin validation from ~20 minutes (cluster + deploy + Playwright) to ~3 minutes (extract + Jest).

What it does

Phase 1: Plugin Loadability (Jest + startTestBackend) -- WORKING

• Extracts all OCI plugins from quay.io/rhdh/plugin-catalog-index:1.10
• Loads 15 backend plugins into startTestBackend simultaneously -- verifies Backstage starts
• Validates 14 frontend plugins have valid dist-scalprum bundle artifacts
• Time: ~3 min extraction + ~2s testing

Phase 2: E2E Browser Tests (Playwright) -- PARTIAL

• Starts real Backstage backend with 21 frontend + 17 backend dynamic plugins loaded via scalprum
• Reuses existing specs from e2e-tests/playwright/ directly (no copying)
• Health check Playwright test passes
• Browser tests blocked on ~15 local plugins not yet available as OCI (homepage, sidebar config, etc.)
• Will work fully when all plugins migrate to OCI in 1.10

install-dynamic-plugins-fast.py -- INCLUDED

• High-performance rewrite of install-dynamic-plugins.py
• Parallel OCI downloads via ThreadPoolExecutor (auto-scales to CPU count)
• Shared image cache, cached skopeo inspect results
• Skips missing local plugins gracefully (key for running outside container)
• Benchmarked: 34% faster (2:42 vs 4:05)

Test plan

cd sanity-plugin-check
bash scripts/extract-plugins.sh 1.10  # ~3 min
npm install
npx jest --forceExit                  # ~2 seconds, 3/3 pass

What needs to happen for full e2e

When RHDH 1.10 migrates all local wrappers to OCI images, Phase 2 browser tests will pass without any code changes to this POC.

🤖 Generated with Claude Code

[gustavolira]

/review

[rhdh-qodo-merge]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 4 🔵🔵🔵🔵⚪

🔒 Security concerns Archive extraction / path traversal: install-dynamic-plugins-fast.py downloads remote OCI images and extracts tar layers and npm tarballs to disk. Even with MAX_ENTRY_SIZE limits and tar filters, extraction code is a common source of path traversal issues (e.g., ../ entries, absolute paths, or symlink/hardlink tricks) that could write outside the intended destination. The tar member validation should be audited to ensure extracted paths are always confined to the target directory, and that link handling uses the correct tar member fields. Additionally, skipping integrity checks via SKIP_INTEGRITY_CHECK=true (used in the extraction script) increases supply-chain risk if this is ever used beyond local/dev contexts.

⚡ Recommended focus areas for review Archive safety The new OCI/NPM extraction code should be carefully validated for path traversal and unsafe tar member handling. In particular, ensure plugin_path cannot contain .. or absolute paths, that tar members’ names cannot escape the destination when extracted, and that symlink/hardlink handling is correct (the current checks mix linkname/linkpath semantics and may not prevent all escapes). Also confirm that using tar.extractall(..., filter=...) behaves consistently across the supported Python versions. def extract_oci_plugin(tarball: str, plugin_path: str, destination: str) -> None: plugin_dir = os.path.join(destination, plugin_path) if os.path.exists(plugin_dir): shutil.rmtree(plugin_dir, ignore_errors=True) with tarfile.open(tarball, "r:*") as tar: members = [] for m in tar.getmembers(): if not m.name.startswith(plugin_path): continue if m.size > MAX_ENTRY_SIZE: raise InstallException(f"Zip bomb detected: {m.name}") if (m.islnk() or m.issym()): real = os.path.realpath(os.path.join(plugin_path, *os.path.split(m.linkname))) if not real.startswith(plugin_path): continue members.append(m) tar.extractall(os.path.abspath(destination), members=members, filter="tar") def extract_npm_package(archive: str, destination: str) -> str: prefix = "package/" pkg_dir = archive.replace(".tgz", "") pkg_dir_real = os.path.realpath(pkg_dir) if os.path.exists(pkg_dir): shutil.rmtree(pkg_dir, ignore_errors=True) os.mkdir(pkg_dir) with tarfile.open(archive, "r:*") as tar: members = [] for m in tar.getmembers(): if m.isdir(): continue if m.isreg(): if not m.name.startswith(prefix): raise InstallException(f"NPM archive entry doesn't start with 'package/': {m.name}") if m.size > MAX_ENTRY_SIZE: raise InstallException(f"Zip bomb detected: {m.name}") m.name = m.name.removeprefix(prefix) members.append(m) elif m.islnk() or m.issym(): if not m.linkpath.startswith(prefix): raise InstallException(f"NPM archive link outside archive: {m.name} -> {m.linkpath}") m.name = m.name.removeprefix(prefix) m.linkpath = m.linkpath.removeprefix(prefix) real = os.path.realpath(os.path.join(pkg_dir, *os.path.split(m.linkname))) if not real.startswith(pkg_dir_real): raise InstallException(f"NPM archive link escape: {m.name} -> {m.linkpath}") members.append(m) else: raise InstallException(f"NPM archive non-regular file: {m.name}") tar.extractall(pkg_dir, members=members, filter="data") Fragile API patchModuleResolution monkey-patches Node’s internal Module._nodeModulePaths, which is an undocumented/private API and may break across Node versions or behave differently under Jest/ts-jest. Consider scoping the patch as narrowly as possible (e.g., only within tests), adding a guard/telemetry when patching fails, and documenting expected Node/Jest compatibility since this affects plugin loading correctness. export function patchModuleResolution(): void { const nodeModule = Module as unknown as { _nodeModulePaths: (...args: unknown[]) => string[]; }; if (!nodeModule._nodeModulePaths) return; const extraPath = path.resolve(__dirname, "..", "node_modules"); const original = nodeModule._nodeModulePaths; nodeModule._nodeModulePaths = (...args: unknown[]) => { const paths = original.apply(nodeModule, args); if (!paths.includes(extraPath)) paths.push(extraPath); return paths; };

📄 References redhat-developer/rhdh/dynamic-plugins/_utils/src/wrappers.test.ts [141-307] redhat-developer/rhdh/e2e-tests/playwright/e2e/plugins/analytics/analytics-enabled.spec.ts [1-29] redhat-developer/rhdh/e2e-tests/playwright/e2e/plugins/analytics/analytics-disabled-rbac.spec.ts [1-29] redhat-developer/rhdh/e2e-tests/playwright/e2e/plugins/quick-start.spec.ts [1-92] redhat-developer/rhdh/e2e-tests/playwright/e2e/plugins/bulk-import.spec.ts [10-282] redhat-developer/rhdh/e2e-tests/playwright/e2e/plugins/quay/quay.spec.ts [6-51] redhat-developer/rhdh/e2e-tests/playwright/e2e/plugins/tekton/tekton.spec.ts [14-56] redhat-developer/rhdh/e2e-tests/playwright/e2e/plugins/kubernetes/kubernetes-rbac.spec.ts [1-95]

[github-actions]

The container image build workflow finished with status: cancelled.

[github-actions]

The container image build workflow finished with status: cancelled.

[github-actions]

The container image build workflow finished with status: cancelled.

[github-actions]

The container image build workflow finished with status: cancelled.

[github-actions]

Image was built and published successfully. It is available at:

• quay.io/rhdh-community/rhdh:pr-4523
• quay.io/rhdh-community/rhdh:pr-4523-de82fb58

[github-actions]

The container image build workflow finished with status: cancelled.

[sonarqubecloud]

Quality Gate passed

Issues
6 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Image was built and published successfully. It is available at:

• quay.io/rhdh-community/rhdh:pr-4523
• quay.io/rhdh-community/rhdh:pr-4523-ef866646