fix(security): harden self-update with tagged refs + SHA-256 verification (DEVA11Y-478)

sunny-se · claude · sunny-se · commit c0b5ede0a581 · 2026-06-09T11:30:59.000+05:30
Self-update previously fetched executable code from refs/heads/main with
only a shebang check (CWE-494, CVSS 7.8). Now:

1. Version pointer (latest-version.txt) fetched from main — metadata only
2. Actual script fetched from immutable tagged ref (refs/tags/vX.Y.Z)
3. SHA-256 checksum verified against SHA256SUMS before overwriting

Migration: old scripts on dev machines will self-update from main one
last time, pulling the new mechanism. All subsequent updates go through
the verified tagged path.

Post-merge: tag the merge commit as v1.0.0 and push tag immediately.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/scripts/SHA256SUMS b/scripts/SHA256SUMS
@@ -0,0 +1,6 @@
+6d1569318fb07fe4319b88dd129c78953e6a66ebc39f98bd24ec73a121d4fc1e  bash/cli.sh
+5754120729dc9e503b7454419fd243297e3392cd57e459f3efe29f06f3c78c2d  bash/spm.sh
+559b757e67f1057f329911a7ce21cadb9637858bfab4192c673ecd6898f7ab47  fish/cli.sh
+929e1418b3e09fc72577dc8e8d62f1fc585e7538ec4f720c0b596e2ab7df2e34  fish/spm.sh
+16f67393c7f036a88f25fccd647cfbf286718f0792b7c4accb49adc620168976  zsh/cli.sh
+f9c450e90c1f7b1917ef2106d04df7d02775465af1052ba14b211550125000aa  zsh/spm.sh
diff --git a/scripts/bash/cli.sh b/scripts/bash/cli.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash -il
+SCRIPT_VERSION="v1.0.0"
 
 GIT_ROOT=$(git rev-parse --show-toplevel 2>/dev/null)
 SCRIPT_PATH=$(realpath --relative-to="$GIT_ROOT" "$0" 2>/dev/null || realpath "$0")
@@ -79,12 +80,42 @@ a11y_scan() {
 }
 
 script_self_update() {
-  local remote_url="https://raw.githubusercontent.com/browserstack/AccessibilityDevTools/refs/heads/main/scripts/bash/cli.sh"
+  local repo_base="https://raw.githubusercontent.com/browserstack/AccessibilityDevTools"
+  local version_url="${repo_base}/refs/heads/main/scripts/latest-version.txt"
+  local script_rel_path="bash/cli.sh"
 
-  updated_script=$(curl -R -z "$SCRIPT_PATH" "$remote_url")
-  if [[ $updated_script =~ ^#! ]]; then
-    echo "$updated_script" > "$SCRIPT_PATH"
+  # Fetch remote version (lightweight metadata from main, not executable code)
+  local remote_version
+  remote_version=$(curl -fsSL --max-time 10 "$version_url" 2>/dev/null | tr -d '[:space:]')
+  if [[ -z "$remote_version" || "$remote_version" == "$SCRIPT_VERSION" ]]; then
+    return 0
   fi
+
+  # Fetch script and checksums from immutable tagged ref
+  local tag_base="${repo_base}/refs/tags/${remote_version}/scripts"
+  local tmp_script tmp_sums
+  tmp_script=$(mktemp)
+  tmp_sums=$(mktemp)
+  trap 'rm -f "$tmp_script" "$tmp_sums"' RETURN
+
+  if ! curl -fsSL --max-time 30 "${tag_base}/${script_rel_path}" -o "$tmp_script" 2>/dev/null; then
+    return 0
+  fi
+  if ! curl -fsSL --max-time 10 "${tag_base}/SHA256SUMS" -o "$tmp_sums" 2>/dev/null; then
+    return 0
+  fi
+
+  # Verify SHA-256 checksum
+  local expected actual
+  expected=$(grep "  ${script_rel_path}$" "$tmp_sums" | cut -d' ' -f1)
+  actual=$(shasum -a 256 "$tmp_script" | cut -d' ' -f1)
+  if [[ -z "$expected" || "$actual" != "$expected" ]]; then
+    echo "[self-update] WARNING: Checksum verification failed for ${script_rel_path}. Update aborted." >&2
+    return 1
+  fi
+
+  cp "$tmp_script" "$0"
+  echo "[self-update] Updated to ${remote_version}." >&2
 }
 
 download_binary() {
diff --git a/scripts/bash/spm.sh b/scripts/bash/spm.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash -il
+SCRIPT_VERSION="v1.0.0"
 
 [ -f "${PWD}/Package.swift" ]
 PACKAGE_EXISTS="$?"
@@ -84,12 +85,42 @@ EOF
 }
 
 script_self_update() {
-  local remote_url="https://raw.githubusercontent.com/browserstack/AccessibilityDevTools/refs/heads/main/scripts/bash/spm.sh"
+  local repo_base="https://raw.githubusercontent.com/browserstack/AccessibilityDevTools"
+  local version_url="${repo_base}/refs/heads/main/scripts/latest-version.txt"
+  local script_rel_path="bash/spm.sh"
 
-  updated_script=$(curl -R -z "$SCRIPT_PATH" "$remote_url")
-  if [[ $updated_script =~ ^#! ]]; then
-    echo "$updated_script" > "$SCRIPT_PATH"
+  # Fetch remote version (lightweight metadata from main, not executable code)
+  local remote_version
+  remote_version=$(curl -fsSL --max-time 10 "$version_url" 2>/dev/null | tr -d '[:space:]')
+  if [[ -z "$remote_version" || "$remote_version" == "$SCRIPT_VERSION" ]]; then
+    return 0
   fi
+
+  # Fetch script and checksums from immutable tagged ref
+  local tag_base="${repo_base}/refs/tags/${remote_version}/scripts"
+  local tmp_script tmp_sums
+  tmp_script=$(mktemp)
+  tmp_sums=$(mktemp)
+  trap 'rm -f "$tmp_script" "$tmp_sums"' RETURN
+
+  if ! curl -fsSL --max-time 30 "${tag_base}/${script_rel_path}" -o "$tmp_script" 2>/dev/null; then
+    return 0
+  fi
+  if ! curl -fsSL --max-time 10 "${tag_base}/SHA256SUMS" -o "$tmp_sums" 2>/dev/null; then
+    return 0
+  fi
+
+  # Verify SHA-256 checksum
+  local expected actual
+  expected=$(grep "  ${script_rel_path}$" "$tmp_sums" | cut -d' ' -f1)
+  actual=$(shasum -a 256 "$tmp_script" | cut -d' ' -f1)
+  if [[ -z "$expected" || "$actual" != "$expected" ]]; then
+    echo "[self-update] WARNING: Checksum verification failed for ${script_rel_path}. Update aborted." >&2
+    return 1
+  fi
+
+  cp "$tmp_script" "$0"
+  echo "[self-update] Updated to ${remote_version}." >&2
 }
 
 script_self_update
diff --git a/scripts/fish/cli.sh b/scripts/fish/cli.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash -il
+SCRIPT_VERSION="v1.0.0"
 
 export PATH="$PATH:/opt/homebrew/bin"
 # Shell specific
@@ -91,12 +92,42 @@ a11y_scan() {
 }
 
 script_self_update() {
-  local remote_url="https://raw.githubusercontent.com/browserstack/AccessibilityDevTools/refs/heads/main/scripts/fish/cli.sh"
+  local repo_base="https://raw.githubusercontent.com/browserstack/AccessibilityDevTools"
+  local version_url="${repo_base}/refs/heads/main/scripts/latest-version.txt"
+  local script_rel_path="fish/cli.sh"
+
+  # Fetch remote version (lightweight metadata from main, not executable code)
+  local remote_version
+  remote_version=$(curl -fsSL --max-time 10 "$version_url" 2>/dev/null | tr -d '[:space:]')
+  if [[ -z "$remote_version" || "$remote_version" == "$SCRIPT_VERSION" ]]; then
+    return 0
+  fi
+
+  # Fetch script and checksums from immutable tagged ref
+  local tag_base="${repo_base}/refs/tags/${remote_version}/scripts"
+  local tmp_script tmp_sums
+  tmp_script=$(mktemp)
+  tmp_sums=$(mktemp)
+  trap 'rm -f "$tmp_script" "$tmp_sums"' RETURN
+
+  if ! curl -fsSL --max-time 30 "${tag_base}/${script_rel_path}" -o "$tmp_script" 2>/dev/null; then
+    return 0
+  fi
+  if ! curl -fsSL --max-time 10 "${tag_base}/SHA256SUMS" -o "$tmp_sums" 2>/dev/null; then
+    return 0
+  fi
 
-  updated_script=$(curl -R -z "$SCRIPT_PATH" "$remote_url")
-  if [[ $updated_script =~ ^#! ]]; then
-    echo "$updated_script" > "$SCRIPT_PATH"
+  # Verify SHA-256 checksum
+  local expected actual
+  expected=$(grep "  ${script_rel_path}$" "$tmp_sums" | cut -d' ' -f1)
+  actual=$(shasum -a 256 "$tmp_script" | cut -d' ' -f1)
+  if [[ -z "$expected" || "$actual" != "$expected" ]]; then
+    echo "[self-update] WARNING: Checksum verification failed for ${script_rel_path}. Update aborted." >&2
+    return 1
   fi
+
+  cp "$tmp_script" "$0"
+  echo "[self-update] Updated to ${remote_version}." >&2
 }
 
 download_binary() {
diff --git a/scripts/fish/spm.sh b/scripts/fish/spm.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash -il
+SCRIPT_VERSION="v1.0.0"
 
 export PATH="$PATH:/opt/homebrew/bin"
 # Shell specific
@@ -97,12 +98,42 @@ EOF
 }
 
 script_self_update() {
-  local remote_url="https://raw.githubusercontent.com/browserstack/AccessibilityDevTools/refs/heads/main/scripts/fish/spm.sh"
+  local repo_base="https://raw.githubusercontent.com/browserstack/AccessibilityDevTools"
+  local version_url="${repo_base}/refs/heads/main/scripts/latest-version.txt"
+  local script_rel_path="fish/spm.sh"
 
-  updated_script=$(curl -R -z "$SCRIPT_PATH" "$remote_url")
-  if [[ $updated_script =~ ^#! ]]; then
-    echo "$updated_script" > "$SCRIPT_PATH"
+  # Fetch remote version (lightweight metadata from main, not executable code)
+  local remote_version
+  remote_version=$(curl -fsSL --max-time 10 "$version_url" 2>/dev/null | tr -d '[:space:]')
+  if [[ -z "$remote_version" || "$remote_version" == "$SCRIPT_VERSION" ]]; then
+    return 0
   fi
+
+  # Fetch script and checksums from immutable tagged ref
+  local tag_base="${repo_base}/refs/tags/${remote_version}/scripts"
+  local tmp_script tmp_sums
+  tmp_script=$(mktemp)
+  tmp_sums=$(mktemp)
+  trap 'rm -f "$tmp_script" "$tmp_sums"' RETURN
+
+  if ! curl -fsSL --max-time 30 "${tag_base}/${script_rel_path}" -o "$tmp_script" 2>/dev/null; then
+    return 0
+  fi
+  if ! curl -fsSL --max-time 10 "${tag_base}/SHA256SUMS" -o "$tmp_sums" 2>/dev/null; then
+    return 0
+  fi
+
+  # Verify SHA-256 checksum
+  local expected actual
+  expected=$(grep "  ${script_rel_path}$" "$tmp_sums" | cut -d' ' -f1)
+  actual=$(shasum -a 256 "$tmp_script" | cut -d' ' -f1)
+  if [[ -z "$expected" || "$actual" != "$expected" ]]; then
+    echo "[self-update] WARNING: Checksum verification failed for ${script_rel_path}. Update aborted." >&2
+    return 1
+  fi
+
+  cp "$tmp_script" "$0"
+  echo "[self-update] Updated to ${remote_version}." >&2
 }
 
 script_self_update
diff --git a/scripts/latest-version.txt b/scripts/latest-version.txt
@@ -0,0 +1 @@
+v1.0.0
diff --git a/scripts/zsh/cli.sh b/scripts/zsh/cli.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash -il
+SCRIPT_VERSION="v1.0.0"
 
 # Shell specific
 zsh_bin=$(command -v zsh)
@@ -90,12 +91,42 @@ a11y_scan() {
 }
 
 script_self_update() {
-  local remote_url="https://raw.githubusercontent.com/browserstack/AccessibilityDevTools/refs/heads/main/scripts/zsh/cli.sh"
+  local repo_base="https://raw.githubusercontent.com/browserstack/AccessibilityDevTools"
+  local version_url="${repo_base}/refs/heads/main/scripts/latest-version.txt"
+  local script_rel_path="zsh/cli.sh"
+
+  # Fetch remote version (lightweight metadata from main, not executable code)
+  local remote_version
+  remote_version=$(curl -fsSL --max-time 10 "$version_url" 2>/dev/null | tr -d '[:space:]')
+  if [[ -z "$remote_version" || "$remote_version" == "$SCRIPT_VERSION" ]]; then
+    return 0
+  fi
+
+  # Fetch script and checksums from immutable tagged ref
+  local tag_base="${repo_base}/refs/tags/${remote_version}/scripts"
+  local tmp_script tmp_sums
+  tmp_script=$(mktemp)
+  tmp_sums=$(mktemp)
+  trap 'rm -f "$tmp_script" "$tmp_sums"' RETURN
+
+  if ! curl -fsSL --max-time 30 "${tag_base}/${script_rel_path}" -o "$tmp_script" 2>/dev/null; then
+    return 0
+  fi
+  if ! curl -fsSL --max-time 10 "${tag_base}/SHA256SUMS" -o "$tmp_sums" 2>/dev/null; then
+    return 0
+  fi
 
-  updated_script=$(curl -R -z "$SCRIPT_PATH" "$remote_url")
-  if [[ $updated_script =~ ^#! ]]; then
-    echo "$updated_script" > "$SCRIPT_PATH"
+  # Verify SHA-256 checksum
+  local expected actual
+  expected=$(grep "  ${script_rel_path}$" "$tmp_sums" | cut -d' ' -f1)
+  actual=$(shasum -a 256 "$tmp_script" | cut -d' ' -f1)
+  if [[ -z "$expected" || "$actual" != "$expected" ]]; then
+    echo "[self-update] WARNING: Checksum verification failed for ${script_rel_path}. Update aborted." >&2
+    return 1
   fi
+
+  cp "$tmp_script" "$0"
+  echo "[self-update] Updated to ${remote_version}." >&2
 }
 
 download_binary() {
diff --git a/scripts/zsh/spm.sh b/scripts/zsh/spm.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash -il
+SCRIPT_VERSION="v1.0.0"
 
 # Shell specific
 zsh_bin=$(command -v zsh)
@@ -96,12 +97,42 @@ EOF
 }
 
 script_self_update() {
-  local remote_url="https://raw.githubusercontent.com/browserstack/AccessibilityDevTools/refs/heads/main/scripts/zsh/spm.sh"
+  local repo_base="https://raw.githubusercontent.com/browserstack/AccessibilityDevTools"
+  local version_url="${repo_base}/refs/heads/main/scripts/latest-version.txt"
+  local script_rel_path="zsh/spm.sh"
 
-  updated_script=$(curl -R -z "$SCRIPT_PATH" "$remote_url")
-  if [[ $updated_script =~ ^#! ]]; then
-    echo "$updated_script" > "$SCRIPT_PATH"
+  # Fetch remote version (lightweight metadata from main, not executable code)
+  local remote_version
+  remote_version=$(curl -fsSL --max-time 10 "$version_url" 2>/dev/null | tr -d '[:space:]')
+  if [[ -z "$remote_version" || "$remote_version" == "$SCRIPT_VERSION" ]]; then
+    return 0
   fi
+
+  # Fetch script and checksums from immutable tagged ref
+  local tag_base="${repo_base}/refs/tags/${remote_version}/scripts"
+  local tmp_script tmp_sums
+  tmp_script=$(mktemp)
+  tmp_sums=$(mktemp)
+  trap 'rm -f "$tmp_script" "$tmp_sums"' RETURN
+
+  if ! curl -fsSL --max-time 30 "${tag_base}/${script_rel_path}" -o "$tmp_script" 2>/dev/null; then
+    return 0
+  fi
+  if ! curl -fsSL --max-time 10 "${tag_base}/SHA256SUMS" -o "$tmp_sums" 2>/dev/null; then
+    return 0
+  fi
+
+  # Verify SHA-256 checksum
+  local expected actual
+  expected=$(grep "  ${script_rel_path}$" "$tmp_sums" | cut -d' ' -f1)
+  actual=$(shasum -a 256 "$tmp_script" | cut -d' ' -f1)
+  if [[ -z "$expected" || "$actual" != "$expected" ]]; then
+    echo "[self-update] WARNING: Checksum verification failed for ${script_rel_path}. Update aborted." >&2
+    return 1
+  fi
+
+  cp "$tmp_script" "$0"
+  echo "[self-update] Updated to ${remote_version}." >&2
 }
 
 script_self_update
