
@mhassan1 mhassan1 (Contributor) commented Sep 16, 2025

Motivation/Description of the PR

This PR resolves a command injection vulnerability in the emptyFolder utility (on the 3.x branch); see GHSA-34w8-mcwr-vg29.

Applicable helpers:

  • Playwright
  • Puppeteer
  • WebDriver
  • REST
  • FileHelper
  • Appium
  • TestCafe

Applicable plugins:

  • allure
  • autoDelay
  • autoLogin
  • customLocator
  • pauseOnFail
  • coverage
  • retryFailedStep
  • screenshotOnFail
  • selenoid
  • stepByStepReport
  • stepTimeout
  • wdio
  • subtitles

Type of change

  • 🔥 Breaking changes
  • 🚀 New functionality
  • 🐛 Bug fix
  • 🧹 Chore
  • 📋 Documentation changes/updates
  • ♨️ Hot fix
  • 🔨 Markdown files fix - not related to source code
  • 💅 Polish code

Checklist:

  • Tests have been added
  • Documentation has been added (Run npm run docs)
  • Lint checking (Run npm run lint)
  • Local tests are passed (Run npm test)

@Copilot Copilot AI (Contributor) left a comment


Pull Request Overview

This PR fixes a critical command injection vulnerability in the emptyFolder utility function by replacing the unsafe shell command execution with safe Node.js filesystem operations.

  • Replaces the child_process.execSync call built by shell-command concatenation with native fs operations
  • Adds a safety check for non-existent directories
  • Changes the function signature from async to synchronous


@thomashohn (Contributor) commented:

@kobenguyent Could you re-trigger a build and merge it if ok?

@kobenguyent kobenguyent merged commit 6ff0dc6 into codeceptjs:3.x Sep 21, 2025
14 of 15 checks passed
@kobenguyent kobenguyent mentioned this pull request Sep 22, 2025