From d9e52e8883933cd7f60de8f0020b32651d3d3539 Mon Sep 17 00:00:00 2001
From: Jimesh-browserstack <110160157+Jimesh-browserstack@users.noreply.github.com>
Date: Thu, 7 May 2026 16:46:47 +0530
Subject: [PATCH 1/2] fix(security): remove env-controlled module path in crashReporter [APS-19013]

INJ-012: requireModule no longer honors process.env["browserStackCwd"] for node_modules resolution. Module paths now come from process.cwd() (or the internal browserstack-cypress-cli node_modules path when invoked with internal=true), eliminating env-controlled module hijack (CWE-427).
---
 bin/testObservability/crashReporter/index.js | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/bin/testObservability/crashReporter/index.js b/bin/testObservability/crashReporter/index.js
index 1839c168..95c01881 100644
--- a/bin/testObservability/crashReporter/index.js
+++ b/bin/testObservability/crashReporter/index.js
@@ -27,9 +27,7 @@ let packages = {};
 exports.requireModule = (module, internal = false) => {
 let local_path = "";
- if(process.env["browserStackCwd"]){ local_path = path.join(process.env["browserStackCwd"], 'node_modules', module); } else if(internal) {
+ if(internal) {
 local_path = path.join(process.cwd(), 'node_modules', 'browserstack-cypress-cli', 'node_modules', module);
 } else {
 local_path = path.join(process.cwd(), 'node_modules', module);

From 2768343eaf374050a4f9f5f77d4ac1b3e84dc932 Mon Sep 17 00:00:00 2001
From: Jimesh Chokshi
Date: Thu, 7 May 2026 16:49:31 +0530
Subject: [PATCH 2/2] fix(security): remove shell:true from spawn in runCypressTestsLocally [APS-19013]

INJ-004: drop shell:true from the spawn options in helper.js runCypressTestsLocally. spawn passes argv directly to npx so the shell is not needed. Eliminates shell-injection via metacharacters in --spec / other rawArgs reaching the local Cypress runner (CWE-78).
---
 bin/testObservability/helper/helper.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
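Review bot: The new `if(internal)` / `else` branches still build `local_path` from the unvalidated `module` argument, so a name containing `..` segments or an absolute path would still resolve outside the intended `node_modules` root; whether callers can pass names influenced by user config is not visible here, but a guard such as `if (path.isAbsolute(module) || module.split(/[\\/]/).includes('..')) throw new Error('requireModule: invalid module name');` placed before the branch would make the cwd anchoring actually hold. The body of requireModule continues past the hunk, so where `local_path` is finally handed to `require` (and any fallback when the file is missing) cannot be checked from this hunk. With the env override gone, a short header comment recording the intent, e.g. `// Resolution is deliberately anchored to process.cwd(); do not reintroduce env- or config-controlled roots (CWE-427).`, would stop a future change from quietly restoring the hijack path.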
diff --git a/bin/testObservability/helper/helper.js b/bin/testObservability/helper/helper.js
index 264639b5..fceb4a65 100644
--- a/bin/testObservability/helper/helper.js
+++ b/bin/testObservability/helper/helper.js
@@ -930,7 +930,7 @@ exports.runCypressTestsLocally = (bsConfig, args, rawArgs) => {
 const cypressProcess = spawn(
 'npx',
 ['cypress', 'run', ...getReRunSpecs(rawArgs.slice(1)), ...getLocalSessionReporter()],
- { stdio: 'inherit', cwd: process.cwd(), env: process.env, shell: true }
+ { stdio: 'inherit', cwd: process.cwd(), env: process.env }
 );
 cypressProcess.on('close', async (code) => {
 logger.info(`Cypress process exited with code ${code}`);
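Review bot: Dropping `shell: true` on the options line leaves `spawn('npx', …)` unable to start on Windows, where `npx` is a `.cmd` shim that child_process will not run without a shell (older Node builds fail with ENOENT because PATHEXT is not searched, and recent releases reject `.cmd`/`.bat` targets spawned shell-less with EINVAL), so the injection fix becomes a platform regression unless the launcher changes too. A shell-free launcher that behaves the same on every platform is to run the Cypress CLI entry script under the current Node binary, as sketched below; resolving it with `paths: [process.cwd()]` keeps the resolution root the call already uses, though the exact bin path should be confirmed against the installed cypress package. Without a shell, a failed launch surfaces as an `'error'` event on the child rather than a non-zero exit code, so a listener is needed if none is attached outside the hunk — runCypressTestsLocally continues past the hunk, so that cannot be confirmed here.

```javascript
// Run the Cypress CLI entry script under the current Node binary: no shell, no .cmd shim, argv passed verbatim.
const cypressBin = require.resolve('cypress/bin/cypress', { paths: [process.cwd()] });
const cypressProcess = spawn(
  process.execPath,
  [cypressBin, 'run', ...getReRunSpecs(rawArgs.slice(1)), ...getLocalSessionReporter()],
  { stdio: 'inherit', cwd: process.cwd(), env: process.env }
);
cypressProcess.on('error', (err) => {
  // logger.error assumed to exist alongside logger.info — confirm against the logger in use
  logger.error(`Failed to start Cypress process: ${err.message}`);
});
// … unchanged: 'close' handler …
```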