Skip to content

Commit d9e52e8

Browse files
Jimesh-browserstackJimesh-browserstack
committed
fix(security): remove env-controlled module path in crashReporter [APS-19013]
INJ-012: requireModule no longer honors process.env["browserStackCwd"] for node_modules resolution. Module paths now come from process.cwd() (or the internal browserstack-cypress-cli node_modules path when invoked with internal=true), eliminating env-controlled module hijack (CWE-427).
1 parent ef06797 commit d9e52e8

1 file changed

Lines changed: 1 addition & 3 deletions

File tree

  • bin/testObservability/crashReporter

bin/testObservability/crashReporter/index.js

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -27,9 +27,7 @@ let packages = {};
2727

2828
exports.requireModule = (module, internal = false) => {
2929
let local_path = "";
30-
if(process.env["browserStackCwd"]){
31-
local_path = path.join(process.env["browserStackCwd"], 'node_modules', module);
32-
} else if(internal) {
30+
if(internal) {
3331
local_path = path.join(process.cwd(), 'node_modules', 'browserstack-cypress-cli', 'node_modules', module);
3432
} else {
3533
local_path = path.join(process.cwd(), 'node_modules', module);

0 commit comments

Comments
 (0)