feat: add comprehensive e2e security test suite

- Add Playwright-based security testing framework
- Implement context isolation validation tests
- Add sandbox security validation tests
- Include RCE exposure detection tests
- Add authentication flow regression tests
- Set up GitHub Actions workflow for automated security testing
- Update gitignore to exclude test artifacts and reports

This establishes automated security testing to validate context isolation
and sandbox configurations, helping prevent RCE vulnerabilities.

fix: add TypeScript configuration for e2e security tests

- Create tsconfig.e2e-security.json for e2e security test files
- Update ESLint parser options to include e2e security TypeScript config
- Resolves ESLint parsing errors for test/e2e-security/**/* files

This fixes the CI lint failures by ensuring ESLint can properly parse
the new e2e security test TypeScript files.

fix: add ESLint overrides for e2e security tests

- Disable strict linting rules for test/e2e-security/**/*.ts files
- Allow console statements, missing JSDoc, unused vars in test files
- Disable no-unsanitized/property for security test injection scenarios

This allows security test files to use console logging and test-specific
patterns while maintaining strict linting for production code.

fix: auto-format e2e security test files

- Apply prettier formatting to all e2e security test files
- Fix trailing spaces, indentation, and import ordering
- Resolve remaining linting issues for CI pipeline

This commit applies automatic formatting fixes to ensure
all e2e security test files pass the CI linting checks.

fix: exclude e2e-security from main ESLint to resolve CI import errors

- Exclude test/e2e-security/**/* from main project ESLint configuration
- Create separate ESLint config for e2e-security directory with proper import resolution
- Remove e2e-security TypeScript config from main parser options
- Add dedicated tsconfig.json for e2e-security tests

This resolves CI linting failures caused by @playwright/test import resolution
issues in the main project's ESLint configuration.

fix: use yarn consistently and properly handle .yarn cache

- Update GitHub Actions workflow to use yarn for e2e-security dependencies
- Remove package-lock.json and use yarn.lock for e2e-security
- Add .yarn/cache and install-state.gz to gitignore for e2e-security
- Ensure consistent package manager usage across CI and local development

This resolves package manager inconsistencies and follows yarn v3 best practices
by excluding cache files while maintaining proper dependency management.

Author: vkuprin

.eslintrc.json

@@ -3,7 +3,7 @@
     "jasmine": true
   },
   "extends": "@wireapp/eslint-config",
-  "ignorePatterns": ["**/*.js", "**/*.jsx"], // Ignore JS files until we migrate to TS
+  "ignorePatterns": ["**/*.js", "**/*.jsx", "test/e2e-security/**/*"], // Ignore JS files until we migrate to TS
   "overrides": [
     {
       "files": ["*.ts", "*.tsx"],

.github/workflows/security-tests.yml

@@ -0,0 +1,161 @@
+name: Security E2E Tests
+
+on:
+  push:
+    branches: [main, staging, dev]
+  pull_request:
+    branches: [main, staging, dev]
+    paths:
+      - 'electron/src/**'
+      - 'test/e2e-security/**'
+      - '.github/workflows/security-tests.yml'
+
+jobs:
+  security-tests:
+    name: Security E2E Tests
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    
+    steps:
+      - name: Cancel Previous Runs
+        uses: styfle/[email protected]
+        with:
+          access_token: ${{github.token}}
+          
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+          
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 18.x
+          cache: 'yarn'
+          
+      - name: Install dependencies
+        run: yarn --immutable
+        
+      - name: Build Electron app
+        run: yarn build:ts
+        
+      - name: Install security test dependencies
+        run: |
+          cd test/e2e-security
+          yarn install
+
+      - name: Install Playwright browsers
+        run: |
+          cd test/e2e-security
+          yarn playwright install --with-deps
+          
+      - name: Use xvfb-run on Linux
+        run: |
+          cd test/e2e-security
+          sed -i 's/playwright test/xvfb-run playwright test/g' package.json
+          
+      - name: Run Security Exposure Tests
+        run: yarn test:security:exposure
+        continue-on-error: false
+        
+      - name: Run Security Validation Tests
+        run: yarn test:security:validation
+        continue-on-error: false
+        
+      - name: Run Security Regression Tests
+        run: yarn test:security:regression
+        continue-on-error: false
+        
+      - name: Upload Security Test Report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: security-test-report
+          path: test/e2e-security/security-test-report/
+          retention-days: 30
+          
+      - name: Upload Test Results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: security-test-results
+          path: test/e2e-security/test-results/
+          retention-days: 30
+          
+      - name: Comment PR with Security Test Results
+        if: github.event_name == 'pull_request' && always()
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const path = require('path');
+            
+            try {
+              const reportPath = 'test/e2e-security/security-test-report/summary.json';
+              if (fs.existsSync(reportPath)) {
+                const summary = JSON.parse(fs.readFileSync(reportPath, 'utf8'));
+                
+                const comment = `## 🛡️ Security Test Results
+                
+                **Context Isolation & Sandbox Validation**
+                
+                - **Total Tests**: ${summary.totalTests || 'N/A'}
+                - **Passed**: ${summary.passed || 'N/A'} ✅
+                - **Failed**: ${summary.failed || 'N/A'} ${summary.failed > 0 ? '❌' : ''}
+                - **Duration**: ${summary.duration || 'N/A'}ms
+                
+                **Security Validations**
+                - Context Isolation: ${summary.contextIsolationVerified ? '✅ Verified' : '❌ Failed'}
+                - Sandbox Enforcement: ${summary.sandboxVerified ? '✅ Verified' : '❌ Failed'}
+                
+                ${summary.failed > 0 ? '⚠️ **Security tests failed!** Please review the test results and ensure all security measures are properly implemented.' : '🎉 **All security tests passed!** Context isolation and sandbox are working correctly.'}
+                
+                [View detailed report](https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})
+                `;
+                
+                github.rest.issues.createComment({
+                  issue_number: context.issue.number,
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  body: comment
+                });
+              }
+            } catch (error) {
+              console.log('Could not read test summary:', error);
+            }
+            
+  security-audit:
+    name: Security Audit
+    runs-on: ubuntu-latest
+    needs: security-tests
+    if: always()
+    
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 18.x
+          cache: 'yarn'
+          
+      - name: Install dependencies
+        run: yarn --immutable
+        
+      - name: Run npm audit
+        run: yarn audit --level moderate
+        continue-on-error: true
+        
+      - name: Run security linting
+        run: |
+          yarn eslint electron/src --ext .ts,.js --config .eslintrc.js --format json --output-file security-lint-report.json || true
+          
+      - name: Upload Security Audit Results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: security-audit-results
+          path: |
+            security-lint-report.json
+          retention-days: 30

.gitignore

@@ -33,3 +33,11 @@ resources
 !.yarn/releases
 !.yarn/sdks
 !.yarn/versions
+
+# E2E test artifacts
+test/e2e-security/test-results/
+test/e2e-security/security-test-report/
+test/e2e-security/node_modules/
+test/e2e-security/.yarn/cache/
+test/e2e-security/.yarn/install-state.gz
+test-results/

package.json

@@ -199,6 +199,12 @@
     "test:renderer": "electron-mocha --renderer --require .babel-register.js \"electron/src/**/*.test?(.renderer).ts\" --no-sandbox --window-config electron/test/mocha-window-config.json",
     "test:types": "tsc --noEmit",
     "test:react": "jest",
+    "test:security": "cd test/e2e-security && npm run test:security",
+    "test:security:exposure": "cd test/e2e-security && npm run test:security:exposure",
+    "test:security:validation": "cd test/e2e-security && npm run test:security:validation",
+    "test:security:regression": "cd test/e2e-security && npm run test:security:regression",
+    "test:security:debug": "cd test/e2e-security && npm run test:security:debug",
+    "test:security:install": "cd test/e2e-security && npm install && npm run test:security:install",
     "translate:upload": "ts-node -P tsconfig.bin.json ./bin/translations_upload.ts",
     "translate:download": "ts-node -P tsconfig.bin.json ./bin/translations_download.ts"
   },

test/e2e-security/.eslintrc.json

@@ -0,0 +1,20 @@
+{
+  "extends": ["../../.eslintrc.json"],
+  "parserOptions": {
+    "project": ["./tsconfig.json"]
+  },
+  "rules": {
+    "no-console": "off",
+    "valid-jsdoc": "off",
+    "@typescript-eslint/no-unused-vars": "off",
+    "no-unsanitized/property": "off",
+    "import/no-unresolved": "off"
+  },
+  "settings": {
+    "import/resolver": {
+      "node": {
+        "paths": ["node_modules", "../../node_modules"]
+      }
+    }
+  }
+}

test/e2e-security/fixtures/malicious-scripts/rce-attempt.js

@@ -0,0 +1,143 @@
+/*
+ * Wire
+ * Copyright (C) 2025 Wire Swiss GmbH
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see http://www.gnu.org/licenses/.
+ */
+
+/**
+ * MALICIOUS SCRIPT FOR SECURITY TESTING
+ * 
+ * ⚠️  WARNING: This script contains malicious code patterns for testing purposes only!
+ * 
+ * This script attempts various RCE (Remote Code Execution) techniques that should
+ * be blocked by context isolation and sandbox enforcement.
+ * 
+ * If any of these attempts succeed, it indicates a security vulnerability.
+ */
+
+// Attempt 1: Direct require() access
+try {
+  const fs = require('fs');
+  window.__RCE_SUCCESS_FS = true;
+  window.__RCE_FS_METHODS = Object.keys(fs);
+} catch (e) {
+  window.__RCE_BLOCKED_FS = true;
+}
+
+// Attempt 2: Process object access
+try {
+  const proc = process;
+  window.__RCE_SUCCESS_PROCESS = true;
+  window.__RCE_PROCESS_VERSION = proc.version;
+  window.__RCE_PROCESS_ENV = Object.keys(proc.env);
+} catch (e) {
+  window.__RCE_BLOCKED_PROCESS = true;
+}
+
+// Attempt 3: Child process execution
+try {
+  const {exec} = require('child_process');
+  exec('whoami', (error, stdout, stderr) => {
+    window.__RCE_SUCCESS_EXEC = true;
+    window.__RCE_EXEC_OUTPUT = stdout;
+  });
+} catch (e) {
+  window.__RCE_BLOCKED_EXEC = true;
+}
+
+// Attempt 4: File system access
+try {
+  const fs = require('fs');
+  const content = fs.readFileSync('/etc/passwd', 'utf8');
+  window.__RCE_SUCCESS_FILE_READ = true;
+  window.__RCE_FILE_CONTENT = content;
+} catch (e) {
+  window.__RCE_BLOCKED_FILE_READ = true;
+}
+
+// Attempt 5: Network access to local services
+try {
+  const net = require('net');
+  const client = net.createConnection({port: 22}, () => {
+    window.__RCE_SUCCESS_NET = true;
+  });
+  client.on('error', () => {
+    window.__RCE_BLOCKED_NET = true;
+  });
+} catch (e) {
+  window.__RCE_BLOCKED_NET = true;
+}
+
+// Attempt 6: Global object pollution
+try {
+  global.__RCE_GLOBAL_POLLUTION = true;
+  window.__RCE_SUCCESS_GLOBAL = true;
+} catch (e) {
+  window.__RCE_BLOCKED_GLOBAL = true;
+}
+
+// Attempt 7: Buffer access
+try {
+  const buffer = Buffer.from('test');
+  window.__RCE_SUCCESS_BUFFER = true;
+  window.__RCE_BUFFER_SIZE = buffer.length;
+} catch (e) {
+  window.__RCE_BLOCKED_BUFFER = true;
+}
+
+// Attempt 8: Module loading
+try {
+  const path = require('path');
+  window.__RCE_SUCCESS_PATH = true;
+  window.__RCE_PATH_SEP = path.sep;
+} catch (e) {
+  window.__RCE_BLOCKED_PATH = true;
+}
+
+// Attempt 9: OS information access
+try {
+  const os = require('os');
+  window.__RCE_SUCCESS_OS = true;
+  window.__RCE_OS_PLATFORM = os.platform();
+  window.__RCE_OS_HOSTNAME = os.hostname();
+} catch (e) {
+  window.__RCE_BLOCKED_OS = true;
+}
+
+// Attempt 10: Crypto access
+try {
+  const crypto = require('crypto');
+  window.__RCE_SUCCESS_CRYPTO = true;
+  window.__RCE_CRYPTO_METHODS = Object.keys(crypto);
+} catch (e) {
+  window.__RCE_BLOCKED_CRYPTO = true;
+}
+
+// Report results
+window.__RCE_TEST_COMPLETE = true;
+window.__RCE_RESULTS = {
+  fs: window.__RCE_SUCCESS_FS || false,
+  process: window.__RCE_SUCCESS_PROCESS || false,
+  exec: window.__RCE_SUCCESS_EXEC || false,
+  fileRead: window.__RCE_SUCCESS_FILE_READ || false,
+  net: window.__RCE_SUCCESS_NET || false,
+  global: window.__RCE_SUCCESS_GLOBAL || false,
+  buffer: window.__RCE_SUCCESS_BUFFER || false,
+  path: window.__RCE_SUCCESS_PATH || false,
+  os: window.__RCE_SUCCESS_OS || false,
+  crypto: window.__RCE_SUCCESS_CRYPTO || false,
+};
+
+console.log('RCE Test Results:', window.__RCE_RESULTS);