Master merge

Author: bsautomation

bin/helpers/readCypressConfigUtil.js

@@ -8,6 +8,26 @@ const constants = require("./constants");
 const utils = require("./utils");
 const logger = require('./logger').winstonLogger;
 
+// Defense-in-depth: reject file paths containing shell metacharacters.
+// This guards against command injection even if execFileSync is ever
+// replaced with a shell-based exec in the future.
+//
+// Note: backslash (\) is intentionally NOT included here because it is a
+// legitimate path separator on Windows (e.g. C:\Users\me\cypress.config.js).
+// The actual security boundary is execFileSync (no shell), not this regex.
+const DANGEROUS_PATH_CHARS = /[;"`$|&(){}]/;
+
+function validateFilePath(filepath) {
+    if (DANGEROUS_PATH_CHARS.test(filepath)) {
+        throw new Error(
+            `Invalid cypress config file path: "${filepath}" contains disallowed characters. ` +
+            'File paths must not include shell metacharacters such as ; " ` $ | & ( ) { }'
+        );
+    }
+}
+
+exports.validateFilePath = validateFilePath;
+
 exports.detectLanguage = (cypress_config_filename) => {
     const extension = cypress_config_filename.split('.').pop()
     return constants.CYPRESS_V10_AND_ABOVE_CONFIG_FILE_EXTENSIONS.includes(extension) ? extension : 'js'
@@ -186,13 +206,29 @@ exports.convertTsConfig = (bsConfig, cypress_config_filepath, bstack_node_module
 }
 
 exports.loadJsFile =  (cypress_config_filepath, bstack_node_modules_path) => {
-    const require_module_helper_path = path.join(__dirname, 'requireModule.js')
-    let load_command = `NODE_PATH="${bstack_node_modules_path}" node "${require_module_helper_path}" "${cypress_config_filepath}"`
-    if (/^win/.test(process.platform)) {
-        load_command = `set NODE_PATH=${bstack_node_modules_path}&& node "${require_module_helper_path}" "${cypress_config_filepath}"`
+    // Security: validate file path to reject shell metacharacters (defense-in-depth)
+    validateFilePath(cypress_config_filepath);
+
+    // UX: surface a clear error if the cypress config file is missing.
+    // (This is purely a UX check — the security boundary is execFileSync above
+    // plus the metacharacter regex; existsSync alone would NOT prevent injection.)
+    if (!fs.existsSync(cypress_config_filepath)) {
+        throw new Error(`Cypress config file not found at: ${cypress_config_filepath}`);
     }
-    logger.debug(`Running: ${load_command}`)
-    cp.execSync(load_command)
+
+    const require_module_helper_path = path.join(__dirname, 'requireModule.js')
+
+    // Security fix: use execFileSync instead of execSync to avoid shell interpolation.
+    // execFileSync spawns the process directly without a shell, so user-controlled
+    // values in cypress_config_filepath cannot break out into shell commands.
+    const execOptions = {
+        env: Object.assign({}, process.env, { NODE_PATH: bstack_node_modules_path })
+    };
+    const args = [require_module_helper_path, cypress_config_filepath];
+
+    logger.debug(`Running: node ${args.map(a => '"' + a + '"').join(' ')} (via execFileSync, NODE_PATH=${bstack_node_modules_path})`);
+    cp.execFileSync('node', args, execOptions);
+
     const cypress_config = JSON.parse(fs.readFileSync(config.configJsonFileName).toString())
     if (fs.existsSync(config.configJsonFileName)) {
         fs.unlinkSync(config.configJsonFileName)

bin/testObservability/cypress/index.js

@@ -201,24 +201,30 @@ Cypress.on('command:end', (command) => {
   });
 });
 
-Cypress.Commands.overwrite('log', (originalFn, ...args) => {
+Cypress.on('command:enqueued', (attrs) => {
+  if (!Cypress.env('BROWSERSTACK_O11Y_LOGS')) return;
+  if (!attrs || attrs.name !== 'log') return;
+  const args = attrs.args || [];
   if (args.includes('test_observability_log') || args.includes('test_observability_command')) return;
   const message = args.reduce((result, logItem) => {
     if (typeof logItem === 'object') {
       return [result, JSON.stringify(logItem)].join(' ');
     }
-
     return [result, logItem ? logItem.toString() : ''].join(' ');
   }, '');
   eventsQueue.push({
     task: 'test_observability_log',
     data: {
-      'level': 'info',
+      level: 'info',
       message,
       timestamp: new Date().toISOString()
     },
     options: { log: false }
   });
+});
+
+Cypress.Commands.overwrite('log', (originalFn, ...args) => {
+  if (args.includes('test_observability_log') || args.includes('test_observability_command')) return;
   originalFn(...args);
 });
 

bin/testObservability/reporter/index.js

@@ -631,7 +631,9 @@ class MyReporter {
       if(this.current_hook && ( this.current_hook.hookAnalyticsId && !this.runStatusMarkedHash[this.current_hook.hookAnalyticsId] )) {
         log.hook_run_uuid = this.current_hook.hookAnalyticsId;
       }
-      if(!log.hook_run_uuid && this.current_test && ( this.current_test.testAnalyticsId && !this.runStatusMarkedHash[this.current_test.testAnalyticsId] )) log.test_run_uuid = this.current_test.testAnalyticsId;
+      if(!log.hook_run_uuid && this.current_test && this.current_test.testAnalyticsId) {
+        log.test_run_uuid = this.current_test.testAnalyticsId;
+      }
       if(log.hook_run_uuid || log.test_run_uuid) {
         await uploadEventData({
           event_type: 'LogCreated',