Security error fix

Author: vishnuv688

packages/backend/package.json

@@ -32,9 +32,11 @@
     "fastify": "^5.8.4",
     "get-port": "^7.1.0",
     "import-meta-resolve": "^4.1.0",
+    "shell-quote": "^1.8.3",
     "tree-kill": "^1.2.2"
   },
   "devDependencies": {
+    "@types/shell-quote": "^1.7.5",
     "@types/ws": "^8.18.1",
     "nodemon": "^3.1.14",
     "ws": "^8.18.3"

packages/backend/src/index.ts

@@ -136,7 +136,17 @@ export async function start(
       )
       replayBufferedMessages(socket)
       clients.add(socket)
-      socket.on('close', () => clients.delete(socket))
+      socket.on('close', () => {
+        clients.delete(socket)
+        // Last dashboard window closed — tell the worker so it can wind
+        // down. Lets the user close Chrome to end an interactive review
+        // session under any runner.
+        if (clients.size === 0 && workerSocket?.readyState === WebSocket.OPEN) {
+          workerSocket.send(
+            JSON.stringify({ scope: 'clientDisconnected', data: {} })
+          )
+        }
+      })
 
       if (workerSocket?.readyState === WebSocket.OPEN) {
         workerSocket.send(

packages/backend/src/runner.ts

@@ -4,6 +4,7 @@ import path from 'node:path'
 import url from 'node:url'
 import { createRequire } from 'node:module'
 import kill from 'tree-kill'
+import { parse as shellParse } from 'shell-quote'
 import type { RunnerRequestBody } from './types.js'
 import { WDIO_CONFIG_FILENAMES, NIGHTWATCH_CONFIG_FILENAMES } from './types.js'
 
@@ -188,12 +189,12 @@ class TestRunner {
     if (isGenericShell) {
       const command = this.#resolveGenericCommand(payload)
       this.#baseDir = process.env.DEVTOOLS_RUNNER_CWD || process.cwd()
-      child = spawn(command, {
+      const { file, args } = this.#parseGenericCommand(command)
+      child = spawn(file, args, {
         cwd: this.#baseDir,
         env: childEnv,
         stdio: 'inherit',
-        detached: false,
-        shell: true
+        detached: false
       })
     } else {
       const configPath = this.#resolveConfigPath(payload)
@@ -270,6 +271,17 @@ class TestRunner {
     return fallback || template || ''
   }
 
+  #parseGenericCommand(command: string): { file: string; args: string[] } {
+    const tokens = (shellParse(command) as unknown[]).filter(
+      (token): token is string => typeof token === 'string'
+    )
+    if (tokens.length === 0) {
+      throw new Error('Invalid generic command: empty command')
+    }
+    const [file, ...args] = tokens
+    return { file, args }
+  }
+
   stop() {
     if (!this.#child || !this.#child.pid) {
       return

packages/selenium-devtools/example/vitest-test/setup.js

@@ -0,0 +1,43 @@
+import net from 'node:net'
+import { spawn } from 'node:child_process'
+import { createRequire } from 'node:module'
+
+const require = createRequire(import.meta.url)
+
+export async function startDetachedBackend(opts: {
+  port: number
+  hostname: string
+  readyTimeoutMs?: number
+}): Promise<{ port: number }> {
+  const backendPath = require.resolve('@wdio/devtools-backend')
+  const code = `import(${JSON.stringify(backendPath)}).then(m => m.start({ port: ${opts.port}, hostname: ${JSON.stringify(opts.hostname)} })).catch(err => { console.error(err); process.exit(1) })`
+  spawn(process.execPath, ['-e', code], {
+    detached: true,
+    stdio: 'ignore'
+  }).unref()
+
+  const deadline = Date.now() + (opts.readyTimeoutMs ?? 10000)
+  while (Date.now() < deadline) {
+    if (await canConnect(opts.port, opts.hostname)) {
+      return { port: opts.port }
+    }
+    await new Promise((resolve) => setTimeout(resolve, 100))
+  }
+  throw new Error(
+    `Detached backend never came up on ${opts.hostname}:${opts.port}`
+  )
+}
+
+function canConnect(port: number, host: string): Promise<boolean> {
+  return new Promise((resolve) => {
+    const sock = net.connect(port, host)
+    sock.once('connect', () => {
+      sock.destroy()
+      resolve(true)
+    })
+    sock.once('error', () => {
+      sock.destroy()
+      resolve(false)
+    })
+  })
+}