Skip to content

fix(utils): resolve command injection vulnerability in emptyFolder (3.x) #5190

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 21, 2025
Merged

fix(utils): resolve command injection vulnerability in emptyFolder (3.x) #5190

merged 2 commits into from
Sep 21, 2025

Conversation

mhassan1
Copy link
Contributor

@mhassan1 mhassan1 commented Sep 16, 2025
edited
Loading

Motivation/Description of the PR

This PR resolves a command injection vulnerability in the emptyFolder utility (on the 3.x branch); see GHSA-34w8-mcwr-vg29.

Applicable helpers:

  • Playwright
  • Puppeteer
  • WebDriver
  • REST
  • FileHelper
  • Appium
  • TestCafe

Applicable plugins:

  • allure
  • autoDelay
  • autoLogin
  • customLocator
  • pauseOnFail
  • coverage
  • retryFailedStep
  • screenshotOnFail
  • selenoid
  • stepByStepReport
  • stepTimeout
  • wdio
  • subtitles

Type of change

  • 🔥 Breaking changes
  • 🚀 New functionality
  • 🐛 Bug fix
  • 🧹 Chore
  • 📋 Documentation changes/updates
  • ♨️ Hot fix
  • 🔨 Markdown files fix - not related to source code
  • 💅 Polish code

Checklist:

  • Tests have been added
  • Documentation has been added (Run npm run docs)
  • Lint checking (Run npm run lint)
  • Local tests are passed (Run npm test)

@kobenguyent kobenguyent requested a review from Copilot September 16, 2025 20:14
Copilot
Copilot AI reviewed Sep 16, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR fixes a critical command injection vulnerability in the emptyFolder utility function by replacing the unsafe shell command execution with safe Node.js filesystem operations.

  • Replaces child_process.execSync with shell command concatenation with native fs operations
  • Adds safety check for non-existent directories
  • Changes from async to synchronous function signature

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@thomashohn
Copy link
Contributor

@kobenguyent Could you re-trigger a build and merge it if ok?

@kobenguyent kobenguyent merged commit 6ff0dc6 into codeceptjs:3.x Sep 21, 2025
14 of 15 checks passed
@kobenguyent kobenguyent mentioned this pull request Sep 22, 2025
Merged
@mhassan1 mhassan1 mentioned this pull request Sep 22, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mhassan1 @thomashohn @kobenguyent