fix(security): address multiple security vulnerabilities across codebase #14570

Merged

christian-bromann merged 13 commits into main from cb/security-fixes on Jul 16, 2025

Conversation

@christian-bromann
Member

This PR addresses several security vulnerabilities identified through static analysis, implementing comprehensive fixes across multiple packages to strengthen WebdriverIO's security posture.

📋 Summary of Fixes

14 files modified with security improvements across the following categories:

| Vulnerability Type | Files Affected | Description |
| --- | --- | --- |
| ReDoS (Regular Expression DoS) | 4 files | Fixed catastrophic backtracking in regex patterns |
| Command Injection | 3 files | Replaced shell command construction with safe spawn calls |
| Prototype Pollution | 1 file | Added key validation in object merging functions |
| Directory Traversal | 1 file | Implemented path validation for zip extraction |
| Incomplete Sanitization | 4 files | Enhanced escaping and domain validation |
| Regex Character Range | 1 file | Fixed unintended character matching |

🛡️ Detailed Fixes

ReDoS Prevention

  • packages/wdio-logger/src/utils.ts: Added validation for user-provided regex patterns to prevent exponential backtracking
  • packages/wdio-json-reporter/src/mergeResults.ts: Implemented safe file pattern validation with fallback to secure defaults
  • packages/wdio-utils/src/utils.ts: Fixed catastrophic backtracking in function detection regex
  • packages/webdriverio/src/commands/element/getHTML.ts: Optimized HTML comment removal regex

Command Injection Prevention

  • packages/wdio-utils/src/node/utils.ts:
    • Replaced execSync with spawnSync for Chrome version detection
    • Replaced execSync with spawnSync for Firefox version detection
  • infra/compiler/src/plugins.ts: Converted TypeScript compilation from shell command to direct process execution

Prototype Pollution Protection

  • packages/wdio-browserstack-service/src/util.ts: Added key validation in mergeDeep() to prevent __proto__, constructor, and prototype pollution

Directory Traversal Protection

  • scripts/bidi/downloadSpec.ts: Implemented comprehensive zip entry path validation to prevent zip slip attacks

Enhanced Sanitization

  • packages/wdio-browserstack-service/src/ai-handler.ts: Improved string escaping for JavaScript execution contexts
  • packages/wdio-cucumber-framework/src/utils.ts: Enhanced regex escaping for Cucumber tag expressions
  • packages/wdio-cli/src/constants.ts: Fixed hostname validation for LambdaTest domains
  • packages/webdriver/src/utils.ts: Fixed hostname validation for SauceLabs domains
  • packages/wdio-browserstack-service/src/util.ts: Fixed hostname validation for BrowserStack domains
  • packages/wdio-mocha-framework/src/common.ts: Replaced regex with safer string methods for module path parsing

Character Range Fixes

  • packages/webdriverio/src/utils/findStrategy.ts: Fixed regex character class [a-zA-z] to [a-zA-Z] to prevent unintended character matching

🧪 Security Testing

All fixes have been designed to:

  • ✅ Maintain backward compatibility
  • ✅ Preserve existing functionality
  • ✅ Use fail-safe defaults when validation fails
  • ✅ Provide clear error messages for debugging

🎯 Impact

These fixes address potential security vectors including:

  • Denial of Service via regex complexity attacks
  • Remote Code Execution via command injection
  • Application logic tampering via prototype pollution
  • File system access via directory traversal
  • Data injection via incomplete sanitization

🔍 Validation Methods Used

  • Static analysis tools (CodeQL)
  • Manual code review
  • Security pattern matching
  • Input validation testing

No breaking changes - All modifications maintain API compatibility while significantly improving security posture.

@christian-bromann christian-bromann requested a review from a team as a code owner June 18, 2025 06:07
@christian-bromann christian-bromann added the PR: Bug Fix 🐛 PRs that contain bug fixes label Jun 18, 2025
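The key-validation fix listed under "Prototype Pollution Protection", shown as an added example: a deep-merge helper in the vulnerable shape beside a hardened one that refuses `__proto__`, `constructor` and `prototype`. This is illustrative code written for this page, not the `mergeDeep()` in `packages/wdio-browserstack-service/src/util.ts`; the function names and the `Plain` type are assumptions.

```typescript
// Added example: vulnerable and hardened deep-merge side by side.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype'])

type Plain = Record<string, unknown>

function isPlainObject(value: unknown): value is Plain {
    return typeof value === 'object' && value !== null && !Array.isArray(value)
}

// Vulnerable shape: every own key of `source` is copied. For a JSON-parsed
// {"__proto__": {"x": 1}}, target["__proto__"] resolves to Object.prototype
// (via the inherited accessor) and the recursion writes `x` onto it.
function mergeDeepUnsafe(target: Plain, source: Plain): Plain {
    for (const key of Object.keys(source)) {
        const value = source[key]
        if (isPlainObject(value)) {
            if (!isPlainObject(target[key])) {
                target[key] = {}
            }
            mergeDeepUnsafe(target[key] as Plain, value)
        } else {
            target[key] = value
        }
    }
    return target
}

// Hardened shape: skip the three dangerous keys (a fail-safe default, as the
// PR describes) and only reuse a nested object that `target` owns itself, so
// an inherited property is never used as a merge destination.
function mergeDeep(target: Plain, ...sources: Plain[]): Plain {
    for (const source of sources) {
        for (const key of Object.keys(source)) {
            if (FORBIDDEN_KEYS.has(key)) {
                continue
            }
            const value = source[key]
            if (isPlainObject(value)) {
                const own = Object.prototype.hasOwnProperty.call(target, key)
                const nested = own && isPlainObject(target[key]) ? (target[key] as Plain) : {}
                target[key] = nested
                mergeDeep(nested, value)
            } else {
                target[key] = value
            }
        }
    }
    return target
}
```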
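For the zip-slip protection listed under "Directory Traversal Protection", an added example of the entry-path check an extraction loop needs before it writes anything. This is not the code in `scripts/bidi/downloadSpec.ts`; `safeEntryPath` and `validateEntries` are names chosen here.

```typescript
import * as path from 'node:path'

// Added example: decide whether a zip entry name may be written under destDir.
// Returns the absolute target path, or null when the entry would escape.
function safeEntryPath(destDir: string, entryName: string): string | null {
    // Names no legitimate archive produces are rejected before any path logic.
    if (entryName.length === 0 || entryName.includes('\0')) {
        return null
    }
    // Zip entries use '/'. Treating '\' the same way keeps a "..\" sequence from
    // passing as a plain filename on POSIX and then acting as traversal on Windows.
    const normalizedName = entryName.replace(/\\/g, '/')
    const root = path.resolve(destDir)
    const target = path.resolve(root, normalizedName)
    const rel = path.relative(root, target)
    // rel is '' for the root itself, '..' or '../x' for an escape, and absolute
    // when the target lands on a different drive (Windows).
    if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
        return null
    }
    return target
}

// Shape an extraction loop would use: validate every entry before writing any.
// Caveat: this checks names only; symlink entries that point outside the root
// must be handled by inspecting the entry type as well.
function validateEntries(destDir: string, entryNames: string[]): { ok: string[]; rejected: string[] } {
    const ok: string[] = []
    const rejected: string[] = []
    for (const name of entryNames) {
        if (safeEntryPath(destDir, name) === null) {
            rejected.push(name)
        } else {
            ok.push(name)
        }
    }
    return { ok, rejected }
}
```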
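For the `execSync` to `spawnSync` change under "Command Injection Prevention", an added example (not WebdriverIO's `packages/wdio-utils/src/node/utils.ts`) of browser version detection that never hands the binary path to a shell. `getBinaryVersion` and `extractVersion` are names chosen here, and the test uses Node's own binary in place of Chrome or Firefox.

```typescript
import { spawnSync } from 'node:child_process'

// Added example of the execSync -> spawnSync change. The unsafe shape builds a
// shell string, e.g. execSync(`"${binaryPath}" --version`), so a binary path
// taken from configuration is parsed by /bin/sh or cmd.exe and any shell
// metacharacters in it are interpreted. Here the path is argv[0] and the flags
// are an argument array; nothing is ever interpreted by a shell.
function getBinaryVersion(binaryPath: string, args: string[] = ['--version']): string | null {
    const result = spawnSync(binaryPath, args, {
        encoding: 'utf8',
        shell: false,      // explicit: the default, but the property the fix depends on
        timeout: 10_000,   // a hung browser binary must not stall the runner forever
    })
    // Fail-safe default: a missing binary (ENOENT), a timeout or a non-zero exit
    // all report "no version" rather than throwing or returning partial output.
    if (result.error || result.status !== 0) {
        return null
    }
    const output = result.stdout.trim()
    return output.length > 0 ? output : null
}

// Browser binaries print a banner such as "Google Chrome 126.0.6478.126" or
// "Mozilla Firefox 128.0"; keep only the first dotted numeric run. The pattern
// has no nested quantifiers, so it cannot backtrack catastrophically.
function extractVersion(output: string | null): string | null {
    if (output === null) {
        return null
    }
    const match = /\d+(?:\.\d+)+/.exec(output)
    return match ? match[0] : null
}
```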
@pkg-pr-new

pkg-pr-new bot commented Jun 18, 2025

commit: daddf20

christian-bromann and others added 2 commits July 14, 2025 11:44
…ter sanitization

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…ter sanitization

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
christian-bromann and others added 2 commits July 16, 2025 10:12
…ter sanitization

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@christian-bromann christian-bromann merged commit 37b4536 into main Jul 16, 2025
46 checks passed
@christian-bromann christian-bromann deleted the cb/security-fixes branch July 16, 2025 18:18