From 2d72ba0cb58e5a84668b2a6ca234bfe51e66b164 Mon Sep 17 00:00:00 2001
From: Sunny Sethi <sunny.se@browserstack.com>
Date: Tue, 26 May 2026 14:31:41 +0530
Subject: [PATCH] fix(security): use isolated temp directory in spm.sh scripts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

F-014 / DEVA11Y-483 — Concurrent spm.sh instances shared CWD
(CWE-362), causing cleanup trap to delete sibling's Package.swift.
Use mktemp -d for an isolated working directory per invocation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 scripts/bash/spm.sh | 18 ++++++++++++------
 scripts/fish/spm.sh | 18 ++++++++++++------
 scripts/zsh/spm.sh  | 18 ++++++++++++------
 3 files changed, 36 insertions(+), 18 deletions(-)

diff --git a/scripts/bash/spm.sh b/scripts/bash/spm.sh
index 1202e11..f09c66b 100644
--- a/scripts/bash/spm.sh
+++ b/scripts/bash/spm.sh
@@ -1,7 +1,8 @@
 #!/usr/bin/env bash -il
 
-[ -f "${PWD}/Package.swift" ]
-PACKAGE_EXISTS="$?"
+ORIGINAL_DIR="${PWD}"
+HAS_EXISTING_PACKAGE=0
+[ -f "${PWD}/Package.swift" ] && HAS_EXISTING_PACKAGE=1
 GIT_ROOT=$(git rev-parse --show-toplevel 2>/dev/null)
 SCRIPT_PATH=$(realpath --relative-to="$GIT_ROOT" "$0" 2>/dev/null || realpath "$0")
 SUBCOMMAND="$1"
@@ -41,19 +42,23 @@ EOF
 a11y_scan() {
   # Ensure Package.swift is removed on exit (acts like a finally block)
   cleanup() {
-      if [ $PACKAGE_EXISTS -eq 0 ]; then
+      if [ $HAS_EXISTING_PACKAGE -eq 1 ]; then
           return
       fi
-      rm -f -- "${PWD}/Package.swift" "${PWD}/Package.resolved"
+      if [ -n "$WORK_DIR" ] && [ -d "$WORK_DIR" ]; then
+          rm -rf -- "$WORK_DIR"
+      fi
   }
   trap cleanup EXIT
 
   setup() {
-      if [ $PACKAGE_EXISTS -eq 0 ]; then
+      if [ $HAS_EXISTING_PACKAGE -eq 1 ]; then
+          WORK_DIR="$ORIGINAL_DIR"
           return
       fi
 
-      cat > Package.swift <<EOF
+      WORK_DIR=$(mktemp -d)
+      cat > "$WORK_DIR/Package.swift" <<EOF
 // swift-tools-version: 5.9
 import PackageDescription
 
@@ -71,6 +76,7 @@ EOF
   if [[ -z "$EXTRA_ARGS" ]]; then
     EXTRA_ARGS="--include **/*.swift --include **/*.xib --include **/*.storyboard"
   fi
+  cd "$WORK_DIR"
   env -i HOME="$HOME" \
       XCODE_VERSION_ACTUAL="$XCODE_VERSION_ACTUAL"\
       BROWSERSTACK_USERNAME="$BROWSERSTACK_USERNAME"\
diff --git a/scripts/fish/spm.sh b/scripts/fish/spm.sh
index 9ac8a67..07f4771 100644
--- a/scripts/fish/spm.sh
+++ b/scripts/fish/spm.sh
@@ -13,8 +13,9 @@ export BROWSERSTACK_USERNAME=$($fish_bin -lic 'echo $BROWSERSTACK_USERNAME' | ta
 export BROWSERSTACK_ACCESS_KEY=$($fish_bin -lic 'echo $BROWSERSTACK_ACCESS_KEY' | tail -n 1)
 
 # Don't change anything after this, same as the bash equivalent
-[ -f "${PWD}/Package.swift" ]
-PACKAGE_EXISTS="$?"
+ORIGINAL_DIR="${PWD}"
+HAS_EXISTING_PACKAGE=0
+[ -f "${PWD}/Package.swift" ] && HAS_EXISTING_PACKAGE=1
 GIT_ROOT=$(git rev-parse --show-toplevel 2>/dev/null)
 SCRIPT_PATH=$(realpath --relative-to="$GIT_ROOT" "$0" 2>/dev/null || realpath "$0")
 SUBCOMMAND="$1"
@@ -54,19 +55,23 @@ EOF
 a11y_scan() {
   # Ensure Package.swift is removed on exit (acts like a finally block)
   cleanup() {
-      if [ $PACKAGE_EXISTS -eq 0 ]; then
+      if [ $HAS_EXISTING_PACKAGE -eq 1 ]; then
           return
       fi
-      rm -f -- "${PWD}/Package.swift" "${PWD}/Package.resolved"
+      if [ -n "$WORK_DIR" ] && [ -d "$WORK_DIR" ]; then
+          rm -rf -- "$WORK_DIR"
+      fi
   }
   trap cleanup EXIT
 
   setup() {
-      if [ $PACKAGE_EXISTS -eq 0 ]; then
+      if [ $HAS_EXISTING_PACKAGE -eq 1 ]; then
+          WORK_DIR="$ORIGINAL_DIR"
           return
       fi
 
-      cat > Package.swift <<EOF
+      WORK_DIR=$(mktemp -d)
+      cat > "$WORK_DIR/Package.swift" <<EOF
 // swift-tools-version: 5.9
 import PackageDescription
 
@@ -84,6 +89,7 @@ EOF
   if [[ -z "$EXTRA_ARGS" ]]; then
     EXTRA_ARGS="--include **/*.swift --include **/*.xib --include **/*.storyboard"
   fi
+  cd "$WORK_DIR"
   env -i HOME="$HOME" \
       XCODE_VERSION_ACTUAL="$XCODE_VERSION_ACTUAL"\
       BROWSERSTACK_USERNAME="$BROWSERSTACK_USERNAME"\
diff --git a/scripts/zsh/spm.sh b/scripts/zsh/spm.sh
index 35df10f..785c0f3 100644
--- a/scripts/zsh/spm.sh
+++ b/scripts/zsh/spm.sh
@@ -12,8 +12,9 @@ export BROWSERSTACK_USERNAME=$($zsh_bin -lic 'echo $BROWSERSTACK_USERNAME' | tai
 export BROWSERSTACK_ACCESS_KEY=$($zsh_bin -lic 'echo $BROWSERSTACK_ACCESS_KEY' | tail -n 1)
 
 # Don't change anything after this, same as the bash equivalent
-[ -f "${PWD}/Package.swift" ]
-PACKAGE_EXISTS="$?"
+ORIGINAL_DIR="${PWD}"
+HAS_EXISTING_PACKAGE=0
+[ -f "${PWD}/Package.swift" ] && HAS_EXISTING_PACKAGE=1
 GIT_ROOT=$(git rev-parse --show-toplevel 2>/dev/null)
 SCRIPT_PATH=$(realpath --relative-to="$GIT_ROOT" "$0" 2>/dev/null || realpath "$0")
 SUBCOMMAND="$1"
@@ -53,19 +54,23 @@ EOF
 a11y_scan() {
   # Ensure Package.swift is removed on exit (acts like a finally block)
   cleanup() {
-      if [ $PACKAGE_EXISTS -eq 0 ]; then
+      if [ $HAS_EXISTING_PACKAGE -eq 1 ]; then
           return
       fi
-      rm -f -- "${PWD}/Package.swift" "${PWD}/Package.resolved"
+      if [ -n "$WORK_DIR" ] && [ -d "$WORK_DIR" ]; then
+          rm -rf -- "$WORK_DIR"
+      fi
   }
   trap cleanup EXIT
 
   setup() {
-      if [ $PACKAGE_EXISTS -eq 0 ]; then
+      if [ $HAS_EXISTING_PACKAGE -eq 1 ]; then
+          WORK_DIR="$ORIGINAL_DIR"
           return
       fi
 
-      cat > Package.swift <<EOF
+      WORK_DIR=$(mktemp -d)
+      cat > "$WORK_DIR/Package.swift" <<EOF
 // swift-tools-version: 5.9
 import PackageDescription
 
@@ -83,6 +88,7 @@ EOF
   if [[ -z "$EXTRA_ARGS" ]]; then
     EXTRA_ARGS="--include **/*.swift --include **/*.xib --include **/*.storyboard"
   fi
+  cd "$WORK_DIR"
   env -i HOME="$HOME" \
       XCODE_VERSION_ACTUAL="$XCODE_VERSION_ACTUAL"\
       BROWSERSTACK_USERNAME="$BROWSERSTACK_USERNAME"\