From e7f86e35b64b04b438cadeef0b8a243d66ef5304 Mon Sep 17 00:00:00 2001
From: Moti Zilberman <moti@meta.com>
Date: Mon, 19 Feb 2024 05:34:11 -0800
Subject: [PATCH] Reject Runtime.evaluate messages with the wrong contextId

Summary:
Changelog: [Internal]

Hermes:

Adds the missing `validateExecutionContext` call to `Runtime.evaluate`.

React Native:

Adds an integration test case to cover the expected behaviour around targeting `Runtime.evaluate` by execution context.

bypass-github-export-checks

Reviewed By: huntie

Differential Revision: D53776532

fbshipit-source-id: 66676383ba5b373fdbf2deb8c75f22791b07e300
---
 API/hermes/inspector/chrome/CDPHandler.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/API/hermes/inspector/chrome/CDPHandler.cpp b/API/hermes/inspector/chrome/CDPHandler.cpp
index aa835b19621..17f2b43157f 100644
--- a/API/hermes/inspector/chrome/CDPHandler.cpp
+++ b/API/hermes/inspector/chrome/CDPHandler.cpp
@@ -1405,6 +1405,9 @@ void CDPHandlerImpl::handle(const m::runtime::EnableRequest &req) {
 }
 
 void CDPHandlerImpl::handle(const m::runtime::EvaluateRequest &req) {
+  if (!validateExecutionContext(req.id, req.contextId)) {
+    return;
+  }
   {
     pendingEvals_.push(
         {req.id,