Merge branch 'main' into fix/DEVA11Y-480-sanitize-version-string

sunny-se · web-flow · commit 788b38e7e978 · 2026-06-05T14:32:59.000+05:30
diff --git a/.github/workflows/Semgrep.yml b/.github/workflows/Semgrep.yml
@@ -26,8 +26,9 @@ jobs:
     runs-on: ubuntu-latest
 
     container:
-      # A Docker image with Semgrep installed. Do not change this.
-      image: returntocorp/semgrep
+      # Pinned by digest for supply-chain integrity (DEVA11Y-476).
+      # To update: docker manifest inspect returntocorp/semgrep:latest
+      image: returntocorp/semgrep@sha256:f682953ce85e3725f4a4dd94bd7ad13e570bb6b2c7a8cf7c6e38a9eac89239b2
 
     # Skip any PR created by dependabot to avoid permission issues:
     if: (github.actor != 'dependabot[bot]')
diff --git a/Package.swift b/Package.swift
@@ -19,8 +19,7 @@ let package = Package(
                 ),
                 permissions: [
                     .allowNetworkConnections(
-                        // scope: .all(ports: []),
-                        scope: .all(),
+                        scope: .all(ports: [80, 443]),
                         reason: "Please allow network connection permission to authenticate and run accessibility rules."
                     ),
                     .writeToPackageDirectory(reason: "Please allow writing to package directory for logging.")
diff --git a/Plugins/BrowserStackAccessibilityLint/BrowserStackAccessibilityLint.swift b/Plugins/BrowserStackAccessibilityLint/BrowserStackAccessibilityLint.swift
@@ -100,10 +100,13 @@ private func parseOverride(urlString: String?) throws -> URL? {
     guard let urlString = urlString, !urlString.isEmpty else {
         return nil
     }
-    if let url = URL(string: urlString), let scheme = url.scheme, ["http", "https", "file"].contains(scheme.lowercased()) {
-        return url
+    guard let url = URL(string: urlString), let scheme = url.scheme else {
+        throw PluginError("Invalid download URL: \(urlString). Only HTTPS URLs are supported.")
+    }
+    guard scheme.lowercased() == "https" else {
+        throw PluginError("Unsupported URL scheme '\(scheme)' in download URL. Only HTTPS is allowed.")
     }
-    return URL(fileURLWithPath: urlString)
+    return url
 }
 
 private func sanitizeArguments(_ arguments: [String]) -> [String] {
@@ -339,7 +342,7 @@ private struct BrowserStackCLIDownloader {
     private func defaultDownloadURL() throws -> URL {
         let os = try currentOSName()
         let arch = try currentArchName()
-        guard let url = URL(string: "http://api.browserstack.com/sdk/v1/download_cli?os=\(os)&os_arch=\(arch)") else {
+        guard let url = URL(string: "https://api.browserstack.com/sdk/v1/download_cli?os=\(os)&os_arch=\(arch)") else {
             throw PluginError("Failed to create download URL for \(os) \(arch).")
         }
         return url
diff --git a/scripts/bash/cli.sh b/scripts/bash/cli.sh
@@ -88,7 +88,7 @@ script_self_update() {
 }
 
 download_binary() {
-  curl -R -z "$BINARY_ZIP_PATH" -L "http://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"
+  curl -R -z "$BINARY_ZIP_PATH" -L "https://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"
   bsdtar -xvf "$BINARY_ZIP_PATH" -O > "$BINARY_PATH" && chmod 0775 "$BINARY_PATH"
 }
 
diff --git a/scripts/fish/cli.sh b/scripts/fish/cli.sh
@@ -100,7 +100,7 @@ script_self_update() {
 }
 
 download_binary() {
-  curl -R -z "$BINARY_ZIP_PATH" -L "http://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"
+  curl -R -z "$BINARY_ZIP_PATH" -L "https://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"
   bsdtar -xvf "$BINARY_ZIP_PATH" -O > "$BINARY_PATH" && chmod 0775 "$BINARY_PATH"
 }
 
diff --git a/scripts/zsh/cli.sh b/scripts/zsh/cli.sh
@@ -99,7 +99,7 @@ script_self_update() {
 }
 
 download_binary() {
-  curl -R -z "$BINARY_ZIP_PATH" -L "http://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"
+  curl -R -z "$BINARY_ZIP_PATH" -L "https://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"
   bsdtar -xvf "$BINARY_ZIP_PATH" -O > "$BINARY_PATH" && chmod 0775 "$BINARY_PATH"
 }
 

Original file line number	Diff line number	Diff line change
`@@ -100,10 +100,13 @@ private func parseOverride(urlString: String?) throws -> URL? {`
`100`	`100`	`guard let urlString = urlString, !urlString.isEmpty else {`
`101`	`101`	`return nil`
`102`	`102`	`}`
`103`		`- if let url = URL(string: urlString), let scheme = url.scheme, ["http", "https", "file"].contains(scheme.lowercased()) {`
`104`		`- return url`
	`103`	`+ guard let url = URL(string: urlString), let scheme = url.scheme else {`
	`104`	`+ throw PluginError("Invalid download URL: \(urlString). Only HTTPS URLs are supported.")`
	`105`	`+ }`
	`106`	`+ guard scheme.lowercased() == "https" else {`
	`107`	`+ throw PluginError("Unsupported URL scheme '\(scheme)' in download URL. Only HTTPS is allowed.")`
`105`	`108`	`}`
`106`		`- return URL(fileURLWithPath: urlString)`
	`109`	`+ return url`
`107`	`110`	`}`
`108`	`111`
`109`	`112`	`private func sanitizeArguments(_ arguments: [String]) -> [String] {`
`@@ -339,7 +342,7 @@ private struct BrowserStackCLIDownloader {`
`339`	`342`	`private func defaultDownloadURL() throws -> URL {`
`340`	`343`	`let os = try currentOSName()`
`341`	`344`	`let arch = try currentArchName()`
`342`		`- guard let url = URL(string: "http://api.browserstack.com/sdk/v1/download_cli?os=\(os)&os_arch=\(arch)") else {`
	`345`	`+ guard let url = URL(string: "https://api.browserstack.com/sdk/v1/download_cli?os=\(os)&os_arch=\(arch)") else {`
`343`	`346`	`throw PluginError("Failed to create download URL for \(os) \(arch).")`
`344`	`347`	`}`
`345`	`348`	`return url`
Original file line number	Diff line number	Diff line change
`@@ -88,7 +88,7 @@ script_self_update() {`
`88`	`88`	`}`
`89`	`89`
`90`	`90`	`download_binary() {`
`91`		`- curl -R -z "$BINARY_ZIP_PATH" -L "http://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"`
	`91`	`+ curl -R -z "$BINARY_ZIP_PATH" -L "https://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"`
`92`	`92`	`bsdtar -xvf "$BINARY_ZIP_PATH" -O > "$BINARY_PATH" && chmod 0775 "$BINARY_PATH"`
`93`	`93`	`}`
`94`	`94`
Original file line number	Diff line number	Diff line change
`@@ -100,7 +100,7 @@ script_self_update() {`
`100`	`100`	`}`
`101`	`101`
`102`	`102`	`download_binary() {`
`103`		`- curl -R -z "$BINARY_ZIP_PATH" -L "http://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"`
	`103`	`+ curl -R -z "$BINARY_ZIP_PATH" -L "https://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"`
`104`	`104`	`bsdtar -xvf "$BINARY_ZIP_PATH" -O > "$BINARY_PATH" && chmod 0775 "$BINARY_PATH"`
`105`	`105`	`}`
`106`	`106`
Original file line number	Diff line number	Diff line change
`@@ -99,7 +99,7 @@ script_self_update() {`
`99`	`99`	`}`
`100`	`100`
`101`	`101`	`download_binary() {`
`102`		`- curl -R -z "$BINARY_ZIP_PATH" -L "http://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"`
	`102`	`+ curl -R -z "$BINARY_ZIP_PATH" -L "https://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"`
`103`	`103`	`bsdtar -xvf "$BINARY_ZIP_PATH" -O > "$BINARY_PATH" && chmod 0775 "$BINARY_PATH"`
`104`	`104`	`}`
`105`	`105`