Skip to content

Harden BrowserStack URL output in E2E tests#20011

Open
dimitrop wants to merge 3 commits intophpmyadmin:masterfrom
dimitrop:fix/tests-output-hardening
Open

Harden BrowserStack URL output in E2E tests#20011
dimitrop wants to merge 3 commits intophpmyadmin:masterfrom
dimitrop:fix/tests-output-hardening

Conversation

@dimitrop
Copy link

@dimitrop dimitrop commented Jan 6, 2026

Description

This change hardens the output of the BrowserStack session URL printed by end-to-end tests.

The URL is obtained from an external API response and echoed directly to the test output. While this code path is only used in CI / test environments, the value is still externally sourced and unvalidated.

This patch strips control characters from the URL before printing it, ensuring the output remains well-formed and preventing potential log or terminal control issues.

Fixes # (none)

Notes

  • This change does not affect application runtime behavior.
  • The modification is limited to test infrastructure output.
  • No functional behavior of the tests is altered.

Checklist

  • Read CONTRIBUTING.md
  • Correct target branch
  • Commit includes Signed-off-by line
  • Commit message is descriptive
  • No new functionality introduced

@dimitrop dimitrop force-pushed the fix/tests-output-hardening branch from b737a0d to 1d8ae90 Compare January 6, 2026 14:55
@dimitrop
Harden BrowserStack URL output in E2E tests
a8490a4 
Signed-off-by: dimitrop <dimitris.i.mitropoulos@gmail.com>
@dimitrop dimitrop force-pushed the fix/tests-output-hardening branch from 1d8ae90 to a8490a4 Compare January 6, 2026 16:02
@dimitrop
Update Psalm baseline
d320f78 
Signed-off-by: dimitrop <dimitris.i.mitropoulos@gmail.com>
@dimitrop
Harden BrowserStack error output and update PHPStan baseline
aba718b 
Signed-off-by: dimitrop <dimitris.i.mitropoulos@gmail.com>
@dimitrop dimitrop force-pushed the fix/tests-output-hardening branch from dd74ab2 to aba718b Compare January 6, 2026 22:44
williamdes
williamdes reviewed Jan 8, 2026
View reviewed changes
Copy link
Member

@williamdes williamdes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you have some examples?

@dimitrop
Copy link
Author

dimitrop commented Jan 8, 2026

Do you have some examples?

The value printed here originates from an external API response (BrowserStack) and is echoed directly to test output. While this code path is limited to CI and test environments, the data is still externally sourced.

For example, consider a case where the returned URL includes control characters such as newlines, carriage returns, or ANSI escape sequences. If printed verbatim, these can alter log structure, inject misleading log entries, or potentially influence terminal rendering.

Stripping control characters ensures that the output remains well-formed, readable, and safe for consumption by CI logs, terminals, and log processors, without changing the functional behavior of the tests.

This hardening aligns with established guidance on handling externally influenced output, even outside user-facing contexts (e.g. https://cwe.mitre.org/data/definitions/117.html)

@williamdes
Copy link
Member

williamdes commented Jan 17, 2026

I am sorry but I can not see any real world example or impact

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@williamdes williamdes williamdes left review comments

@MauricioFauth MauricioFauth Awaiting requested review from MauricioFauth

@ibennetch ibennetch Awaiting requested review from ibennetch

Assignees

No one assigned

Labels

undecided

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dimitrop @williamdes @phpmyadmin-bot