Merge remote-tracking branches 'origin/fix/DEVA11Y-473-https-download-url', 'origin/fix/DEVA11Y-474-https-shell-download', 'origin/fix/DEVA11Y-475-remove-cli-self-update', 'origin/fix/DEVA11Y-476-pin-semgrep-image', 'origin/fix/DEVA11Y-477-pin-spm-dependency', 'origin/fix/DEVA11Y-478-remove-spm-self-update', 'origin/fix/DEVA11Y-479-block-file-scheme', 'origin/fix/DEVA11Y-480-sanitize-version-string', 'origin/fix/DEVA11Y-481-restrict-network-scope', 'origin/fix/DEVA11Y-482-atomic-cache-update', 'origin/fix/DEVA11Y-483-spm-tmpdir-isolation' and 'origin/fix/DEVA11Y-484-extraction-size-limit' into security/all-fixes-combined

Author: sunny-se

.github/workflows/Semgrep.yml

@@ -26,8 +26,9 @@ jobs:
     runs-on: ubuntu-latest
 
     container:
-      # A Docker image with Semgrep installed. Do not change this.
-      image: returntocorp/semgrep
+      # Pinned by digest for supply-chain integrity (DEVA11Y-476).
+      # To update: docker manifest inspect returntocorp/semgrep:latest
+      image: returntocorp/semgrep@sha256:f682953ce85e3725f4a4dd94bd7ad13e570bb6b2c7a8cf7c6e38a9eac89239b2
 
     # Skip any PR created by dependabot to avoid permission issues:
     if: (github.actor != 'dependabot[bot]')

Package.swift

@@ -19,8 +19,7 @@ let package = Package(
                 ),
                 permissions: [
                     .allowNetworkConnections(
-                        // scope: .all(ports: []),
-                        scope: .all(),
+                        scope: .all(ports: []),
                         reason: "Please allow network connection permission to authenticate and run accessibility rules."
                     ),
                     .writeToPackageDirectory(reason: "Please allow writing to package directory for logging.")

Plugins/BrowserStackAccessibilityLint/BrowserStackAccessibilityLint.swift

@@ -100,10 +100,13 @@ private func parseOverride(urlString: String?) throws -> URL? {
     guard let urlString = urlString, !urlString.isEmpty else {
         return nil
     }
-    if let url = URL(string: urlString), let scheme = url.scheme, ["http", "https", "file"].contains(scheme.lowercased()) {
-        return url
+    guard let url = URL(string: urlString), let scheme = url.scheme else {
+        throw PluginError("Invalid download URL: \(urlString). Only HTTPS URLs are supported.")
+    }
+    guard scheme.lowercased() == "https" else {
+        throw PluginError("Unsupported URL scheme '\(scheme)' in download URL. Only HTTPS is allowed.")
     }
-    return URL(fileURLWithPath: urlString)
+    return url
 }
 
 private func sanitizeArguments(_ arguments: [String]) -> [String] {
@@ -199,33 +202,40 @@ private struct BrowserStackCLIDownloader {
             return BrowserStackCLIArtifact(version: info.version, executableURL: expectedExecutableURL)
         }
 
-        if fileManager.fileExists(atPath: versionDirectory.path) {
-            try fileManager.removeItem(at: versionDirectory)
-        }
-        try fileManager.createDirectory(at: versionDirectory, withIntermediateDirectories: true)
-
         Diagnostics.remark("BrowserStackAccessibilityLint: Downloading CLI \(info.version)...")
 
+        // Download into a temporary directory to avoid TOCTOU races
+        let tempDirectory = cacheRoot.appendingPathComponent(".download-\(UUID().uuidString)", isDirectory: true)
+        try fileManager.createDirectory(at: tempDirectory, withIntermediateDirectories: true)
+        defer { try? fileManager.removeItem(at: tempDirectory) }
+
         #if os(Windows)
-        let archiveURL = versionDirectory.appendingPathComponent("browserstack-cli.zip")
+        let archiveURL = tempDirectory.appendingPathComponent("browserstack-cli.zip")
         try await download(from: info.resolvedURL, to: archiveURL)
         Diagnostics.remark("BrowserStackAccessibilityLint: Extracting CLI \(info.version)...")
-        try unzip(archive: archiveURL, into: versionDirectory)
+        try unzip(archive: archiveURL, into: tempDirectory)
         try? fileManager.removeItem(at: archiveURL)
         #else
-        try extractWithBsdtar(from: info.resolvedURL, into: versionDirectory)
+        try extractWithBsdtar(from: info.resolvedURL, into: tempDirectory)
         #endif
 
-        let locatedBinary = try locateExecutable(in: versionDirectory, preferredName: executableName)
-        let finalBinaryURL: URL
-        if locatedBinary.lastPathComponent == executableName {
-            finalBinaryURL = locatedBinary
-        } else {
-            finalBinaryURL = expectedExecutableURL
-            if fileManager.fileExists(atPath: finalBinaryURL.path) {
-                try fileManager.removeItem(at: finalBinaryURL)
+        let locatedBinary = try locateExecutable(in: tempDirectory, preferredName: executableName)
+
+        // Atomically swap: remove old version dir, move temp into place
+        if fileManager.fileExists(atPath: versionDirectory.path) {
+            try fileManager.removeItem(at: versionDirectory)
+        }
+        try fileManager.moveItem(at: tempDirectory, to: versionDirectory)
+
+        let finalBinaryURL = versionDirectory.appendingPathComponent(locatedBinary.lastPathComponent, isDirectory: false)
+        if locatedBinary.lastPathComponent != executableName {
+            let expectedURL = versionDirectory.appendingPathComponent(executableName, isDirectory: false)
+            if fileManager.fileExists(atPath: expectedURL.path) {
+                try fileManager.removeItem(at: expectedURL)
             }
-            try fileManager.moveItem(at: locatedBinary, to: finalBinaryURL)
+            try fileManager.moveItem(at: finalBinaryURL, to: expectedURL)
+            try ensureExecutablePermissions(at: expectedURL)
+            return BrowserStackCLIArtifact(version: info.version, executableURL: expectedURL)
         }
 
         try ensureExecutablePermissions(at: finalBinaryURL)
@@ -285,6 +295,8 @@ private struct BrowserStackCLIDownloader {
             let message = String(data: tarError.fileHandleForReading.readDataToEndOfFile(), encoding: .utf8)?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
             forwardExit(code: bsdtar.terminationStatus, message: message.isEmpty ? "bsdtar failed to extract BrowserStack CLI." : message)
         }
+
+        try validateExtractedSize(of: directory)
     }
 
     private func extractLocalArchive(at archiveURL: URL, into directory: URL) throws {
@@ -301,6 +313,11 @@ private struct BrowserStackCLIDownloader {
             throw PluginError("Failed to launch bsdtar: \(error.localizedDescription)")
         }
 
+        if process.terminationReason == .exit && process.terminationStatus == 0 {
+            try validateExtractedSize(of: directory)
+            return
+        }
+
         if process.terminationReason != .exit || process.terminationStatus != 0 {
             // Fall back to copying the file directly if it's already an executable.
             let message = String(data: errorPipe.fileHandleForReading.readDataToEndOfFile(), encoding: .utf8)?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
@@ -315,6 +332,24 @@ private struct BrowserStackCLIDownloader {
             }
         }
     }
+
+    private func validateExtractedSize(of directory: URL, maxBytes: UInt64 = 100 * 1024 * 1024) throws {
+        var totalSize: UInt64 = 0
+        let enumerator = fileManager.enumerator(
+            at: directory,
+            includingPropertiesForKeys: [.fileSizeKey],
+            options: [.skipsHiddenFiles]
+        )
+        while let fileURL = enumerator?.nextObject() as? URL {
+            if let size = try? fileURL.resourceValues(forKeys: [.fileSizeKey]).fileSize {
+                totalSize += UInt64(size)
+                if totalSize > maxBytes {
+                    try? fileManager.removeItem(at: directory)
+                    throw PluginError("Extracted archive exceeds maximum allowed size (\(maxBytes / (1024 * 1024)) MB). Possible decompression bomb.")
+                }
+            }
+        }
+    }
     #endif
 
     private func resolveOverrideArtifact(from url: URL) async throws -> ArtifactInfo {
@@ -557,8 +592,13 @@ private func hardwareIdentifier() throws -> String {
 private func extractVersion(from url: URL) -> String? {
     let filename = url.deletingPathExtension().lastPathComponent
     if let range = filename.range(of: "-", options: .backwards) {
-        let version = filename[range.upperBound...]
-        return version.isEmpty ? nil : String(version)
+        let version = String(filename[range.upperBound...])
+        if version.isEmpty { return nil }
+        // Reject path traversal and non-semver characters
+        let allowed = CharacterSet.alphanumerics.union(CharacterSet(charactersIn: ".-+"))
+        guard version.unicodeScalars.allSatisfy({ allowed.contains($0) }) else { return nil }
+        guard !version.contains("..") else { return nil }
+        return version
     }
     return nil
 }

scripts/bash/cli.sh

@@ -78,21 +78,11 @@ a11y_scan() {
       $BINARY_PATH a11y $EXTRA_ARGS
 }
 
-script_self_update() {
-  local remote_url="https://raw.githubusercontent.com/browserstack/AccessibilityDevTools/refs/heads/main/scripts/bash/cli.sh"
-
-  updated_script=$(curl -R -z "$SCRIPT_PATH" "$remote_url")
-  if [[ $updated_script =~ ^#! ]]; then
-    echo "$updated_script" > "$SCRIPT_PATH"
-  fi
-}
-
 download_binary() {
-  curl -R -z "$BINARY_ZIP_PATH" -L "http://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"
+  curl -R -z "$BINARY_ZIP_PATH" -L "https://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"
   bsdtar -xvf "$BINARY_ZIP_PATH" -O > "$BINARY_PATH" && chmod 0775 "$BINARY_PATH"
 }
 
-script_self_update
 if [[ $SUBCOMMAND == "register-pre-commit-hook" ]]; then
   register_git_hook
   exit 0

scripts/bash/spm.sh

@@ -1,7 +1,8 @@
 #!/usr/bin/env bash -il
 
-[ -f "${PWD}/Package.swift" ]
-PACKAGE_EXISTS="$?"
+ORIGINAL_DIR="${PWD}"
+HAS_EXISTING_PACKAGE=0
+[ -f "${PWD}/Package.swift" ] && HAS_EXISTING_PACKAGE=1
 GIT_ROOT=$(git rev-parse --show-toplevel 2>/dev/null)
 SCRIPT_PATH=$(realpath --relative-to="$GIT_ROOT" "$0" 2>/dev/null || realpath "$0")
 SUBCOMMAND="$1"
@@ -41,26 +42,30 @@ EOF
 a11y_scan() {
   # Ensure Package.swift is removed on exit (acts like a finally block)
   cleanup() {
-      if [ $PACKAGE_EXISTS -eq 0 ]; then
+      if [ $HAS_EXISTING_PACKAGE -eq 1 ]; then
           return
       fi
-      rm -f -- "${PWD}/Package.swift" "${PWD}/Package.resolved"
+      if [ -n "$WORK_DIR" ] && [ -d "$WORK_DIR" ]; then
+          rm -rf -- "$WORK_DIR"
+      fi
   }
   trap cleanup EXIT
 
   setup() {
-      if [ $PACKAGE_EXISTS -eq 0 ]; then
+      if [ $HAS_EXISTING_PACKAGE -eq 1 ]; then
+          WORK_DIR="$ORIGINAL_DIR"
           return
       fi
 
-      cat > Package.swift <<EOF
+      WORK_DIR=$(mktemp -d)
+      cat > "$WORK_DIR/Package.swift" <<EOF
 // swift-tools-version: 5.9
 import PackageDescription
 
 let package = Package(
     name: "Dummy",
     dependencies: [
-        .package(url: "https://github.com/browserstack/AccessibilityDevTools.git", branch: "main")
+        .package(url: "https://github.com/browserstack/AccessibilityDevTools.git", revision: "0428b322b00494b19e44c20c37502a0ee31af642")
     ],
     targets: []
 )
@@ -71,6 +76,7 @@ EOF
   if [[ -z "$EXTRA_ARGS" ]]; then
     EXTRA_ARGS="--include **/*.swift --include **/*.xib --include **/*.storyboard"
   fi
+  cd "$WORK_DIR"
   env -i HOME="$HOME" \
       XCODE_VERSION_ACTUAL="$XCODE_VERSION_ACTUAL"\
       BROWSERSTACK_USERNAME="$BROWSERSTACK_USERNAME"\
@@ -83,16 +89,6 @@ EOF
           scan $EXTRA_ARGS
 }
 
-script_self_update() {
-  local remote_url="https://raw.githubusercontent.com/browserstack/AccessibilityDevTools/refs/heads/main/scripts/bash/spm.sh"
-
-  updated_script=$(curl -R -z "$SCRIPT_PATH" "$remote_url")
-  if [[ $updated_script =~ ^#! ]]; then
-    echo "$updated_script" > "$SCRIPT_PATH"
-  fi
-}
-
-script_self_update
 if [[ $SUBCOMMAND == "register-pre-commit-hook" ]]; then
   register_git_hook
   exit 0

scripts/fish/cli.sh

@@ -90,21 +90,11 @@ a11y_scan() {
       $BINARY_PATH a11y $EXTRA_ARGS
 }
 
-script_self_update() {
-  local remote_url="https://raw.githubusercontent.com/browserstack/AccessibilityDevTools/refs/heads/main/scripts/fish/cli.sh"
-
-  updated_script=$(curl -R -z "$SCRIPT_PATH" "$remote_url")
-  if [[ $updated_script =~ ^#! ]]; then
-    echo "$updated_script" > "$SCRIPT_PATH"
-  fi
-}
-
 download_binary() {
-  curl -R -z "$BINARY_ZIP_PATH" -L "http://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"
+  curl -R -z "$BINARY_ZIP_PATH" -L "https://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"
   bsdtar -xvf "$BINARY_ZIP_PATH" -O > "$BINARY_PATH" && chmod 0775 "$BINARY_PATH"
 }
 
-script_self_update
 if [[ $SUBCOMMAND == "register-pre-commit-hook" ]]; then
   register_git_hook
   exit 0

scripts/fish/spm.sh

@@ -13,8 +13,9 @@ export BROWSERSTACK_USERNAME=$($fish_bin -lic 'echo $BROWSERSTACK_USERNAME' | ta
 export BROWSERSTACK_ACCESS_KEY=$($fish_bin -lic 'echo $BROWSERSTACK_ACCESS_KEY' | tail -n 1)
 
 # Don't change anything after this, same as the bash equivalent
-[ -f "${PWD}/Package.swift" ]
-PACKAGE_EXISTS="$?"
+ORIGINAL_DIR="${PWD}"
+HAS_EXISTING_PACKAGE=0
+[ -f "${PWD}/Package.swift" ] && HAS_EXISTING_PACKAGE=1
 GIT_ROOT=$(git rev-parse --show-toplevel 2>/dev/null)
 SCRIPT_PATH=$(realpath --relative-to="$GIT_ROOT" "$0" 2>/dev/null || realpath "$0")
 SUBCOMMAND="$1"
@@ -54,26 +55,30 @@ EOF
 a11y_scan() {
   # Ensure Package.swift is removed on exit (acts like a finally block)
   cleanup() {
-      if [ $PACKAGE_EXISTS -eq 0 ]; then
+      if [ $HAS_EXISTING_PACKAGE -eq 1 ]; then
           return
       fi
-      rm -f -- "${PWD}/Package.swift" "${PWD}/Package.resolved"
+      if [ -n "$WORK_DIR" ] && [ -d "$WORK_DIR" ]; then
+          rm -rf -- "$WORK_DIR"
+      fi
   }
   trap cleanup EXIT
 
   setup() {
-      if [ $PACKAGE_EXISTS -eq 0 ]; then
+      if [ $HAS_EXISTING_PACKAGE -eq 1 ]; then
+          WORK_DIR="$ORIGINAL_DIR"
           return
       fi
 
-      cat > Package.swift <<EOF
+      WORK_DIR=$(mktemp -d)
+      cat > "$WORK_DIR/Package.swift" <<EOF
 // swift-tools-version: 5.9
 import PackageDescription
 
 let package = Package(
     name: "Dummy",
     dependencies: [
-        .package(url: "https://github.com/browserstack/AccessibilityDevTools.git", branch: "main")
+        .package(url: "https://github.com/browserstack/AccessibilityDevTools.git", revision: "0428b322b00494b19e44c20c37502a0ee31af642")
     ],
     targets: []
 )
@@ -84,6 +89,7 @@ EOF
   if [[ -z "$EXTRA_ARGS" ]]; then
     EXTRA_ARGS="--include **/*.swift --include **/*.xib --include **/*.storyboard"
   fi
+  cd "$WORK_DIR"
   env -i HOME="$HOME" \
       XCODE_VERSION_ACTUAL="$XCODE_VERSION_ACTUAL"\
       BROWSERSTACK_USERNAME="$BROWSERSTACK_USERNAME"\
@@ -96,16 +102,6 @@ EOF
           scan $EXTRA_ARGS
 }
 
-script_self_update() {
-  local remote_url="https://raw.githubusercontent.com/browserstack/AccessibilityDevTools/refs/heads/main/scripts/fish/spm.sh"
-
-  updated_script=$(curl -R -z "$SCRIPT_PATH" "$remote_url")
-  if [[ $updated_script =~ ^#! ]]; then
-    echo "$updated_script" > "$SCRIPT_PATH"
-  fi
-}
-
-script_self_update
 if [[ $SUBCOMMAND == "register-pre-commit-hook" ]]; then
   register_git_hook
   exit 0

scripts/zsh/cli.sh

@@ -89,21 +89,11 @@ a11y_scan() {
       $BINARY_PATH a11y $EXTRA_ARGS
 }
 
-script_self_update() {
-  local remote_url="https://raw.githubusercontent.com/browserstack/AccessibilityDevTools/refs/heads/main/scripts/zsh/cli.sh"
-
-  updated_script=$(curl -R -z "$SCRIPT_PATH" "$remote_url")
-  if [[ $updated_script =~ ^#! ]]; then
-    echo "$updated_script" > "$SCRIPT_PATH"
-  fi
-}
-
 download_binary() {
-  curl -R -z "$BINARY_ZIP_PATH" -L "http://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"
+  curl -R -z "$BINARY_ZIP_PATH" -L "https://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"
   bsdtar -xvf "$BINARY_ZIP_PATH" -O > "$BINARY_PATH" && chmod 0775 "$BINARY_PATH"
 }
 
-script_self_update
 if [[ $SUBCOMMAND == "register-pre-commit-hook" ]]; then
   register_git_hook
   exit 0