Skip to content

fix(utils): resolve command injection vulnerability in emptyFolder (3.x) #5190

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: 3.x
Choose a base branch
from
Open

fix(utils): resolve command injection vulnerability in emptyFolder (3.x) #5190

wants to merge 2 commits into from

Conversation

mhassan1
Copy link

@mhassan1 mhassan1 commented Sep 16, 2025
edited
Loading

Motivation/Description of the PR

This PR resolves a command injection vulnerability in the emptyFolder utility (on the 3.x branch); see GHSA-34w8-mcwr-vg29.

Applicable helpers:

  • Playwright
  • Puppeteer
  • WebDriver
  • REST
  • FileHelper
  • Appium
  • TestCafe

Applicable plugins:

  • allure
  • autoDelay
  • autoLogin
  • customLocator
  • pauseOnFail
  • coverage
  • retryFailedStep
  • screenshotOnFail
  • selenoid
  • stepByStepReport
  • stepTimeout
  • wdio
  • subtitles

Type of change

  • 🔥 Breaking changes
  • 🚀 New functionality
  • 🐛 Bug fix
  • 🧹 Chore
  • 📋 Documentation changes/updates
  • ♨️ Hot fix
  • 🔨 Markdown files fix - not related to source code
  • 💅 Polish code

Checklist:

  • Tests have been added
  • Documentation has been added (Run npm run docs)
  • Lint checking (Run npm run lint)
  • Local tests are passed (Run npm test)

@kobenguyent kobenguyent requested a review from Copilot September 16, 2025 20:14
Copilot
Copilot AI reviewed Sep 16, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR fixes a critical command injection vulnerability in the emptyFolder utility function by replacing the unsafe shell command execution with safe Node.js filesystem operations.

  • Replaces child_process.execSync with shell command concatenation with native fs operations
  • Adds safety check for non-existent directories
  • Changes from async to synchronous function signature

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@mhassan1