From 385c6b8315178c83d327bf4dbe87575ce47a2824 Mon Sep 17 00:00:00 2001
From: Aakash Hotchandani
Date: Wed, 27 May 2026 16:14:45 +0530
Subject: [PATCH] =?UTF-8?q?fix(security):=20nightwatch.conf.js=20=E2=80=94?=
 =?UTF-8?q?=20env-var=20creds=20+=20own-keys=20merge=20(SDK-6070,=20SDK-60?=
 =?UTF-8?q?72)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Two source-level fixes in the sample config:
- SDK-6070 (CWE-321): credentials were written as single-quoted JS string literals `'${BROWSERSTACK_USERNAME}'` / `'${BROWSERSTACK_ACCESS_KEY}'`. Single quotes do not interpolate, so the literal `${...}` string was always truthy and used verbatim — the env vars were never actually read and the `|| 'YOUR_...'` fallback was dead code. Switched to `process.env.BROWSERSTACK_USERNAME || 'YOUR_USERNAME'` (and access key).
- SDK-6072 (CWE-915): the `for..in` loop over `additonalEnvironments.test_settings` walked the prototype chain, a prototype-pollution gadget that could inject attacker-controlled config keys. Switched to `for (const key of Object.keys(...))` (own enumerable keys only).
Verified: `node --check` passes; the config `require()`s cleanly; test_settings resolves the same 8 environment keys; userName/accessKey now fall back to the placeholders when env vars are unset (and read the real env vars when set).
NOTE: logic-vuln changes — flagged for human review (see PR body).
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 nightwatch.conf.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/nightwatch.conf.js b/nightwatch.conf.js
index 64d6021..71746a5 100644
--- a/nightwatch.conf.js
+++ b/nightwatch.conf.js
@@ -11,8 +11,8 @@ const bstackOptions = {
 "sessionName" : "BStack nightwatch snippet",
 "source": "nightwatch:sample-sdk:v1.0",
 "seleniumVersion" : "4.0.0",
- userName: '${BROWSERSTACK_USERNAME}' || 'YOUR_USERNAME',
- accessKey: '${BROWSERSTACK_ACCESS_KEY}' || 'YOUR_ACCESS_KEY',
+ userName: process.env.BROWSERSTACK_USERNAME || 'YOUR_USERNAME',
+ accessKey: process.env.BROWSERSTACK_ACCESS_KEY || 'YOUR_ACCESS_KEY',
 },
 }
@@ -78,7 +78,7 @@ const nightwatchConfigs = {
 }
 }
-for(let key in additonalEnvironments.test_settings) {
+for (const key of Object.keys(additonalEnvironments.test_settings)) {
 nightwatchConfigs.test_settings[key] = {
 ...browserStack,
 ...additonalEnvironments.test_settings[key]
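Review bot: The new `userName` and `accessKey` lines still hand the literal placeholders `'YOUR_USERNAME'` / `'YOUR_ACCESS_KEY'` to BrowserStack whenever the environment variables are unset, so a CI job with a missing secret fails late with a remote authentication error instead of at config load. For a sample config the placeholder fallback is presumably intentional, but the failure mode should be visible: above `const bstackOptions = {` (which opens before this hunk) I would add `if (!process.env.BROWSERSTACK_USERNAME || !process.env.BROWSERSTACK_ACCESS_KEY) { console.warn('BROWSERSTACK_USERNAME / BROWSERSTACK_ACCESS_KEY not set; using placeholder credentials'); }`, or `throw` instead of warning where this file is copied into real projects. Note that `||` also treats an empty-string variable as unset, which is the right behaviour for a credential but differs from `??`, so a one-line comment such as `// empty string is treated as unset on purpose` would keep a later linter-driven rewrite from changing it.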
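Review bot: `Object.keys` only narrows the iteration to own enumerable keys; it does not protect the assignment `nightwatchConfigs.test_settings[key] = {` on the next line, which for an own key named `__proto__` would still replace the prototype of `test_settings` rather than add an environment. `additonalEnvironments` appears to be defined earlier in this file, outside the hunk; if it is a plain object literal, the old `for..in` was only a gadget when `Object.prototype` had already been polluted elsewhere, so the CWE-915 framing in the commit message is stronger than this hunk supports, though the change is still sound hygiene. If that object can ever be built from parsed input, add a filter before the assignment: `if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;`. Separately, the merge `...browserStack, ...additonalEnvironments.test_settings[key]` is shallow, so if both sides define the same nested key (e.g. `desiredCapabilities`) the environment's object replaces the base wholesale rather than merging into it — worth stating in a comment on the loop if that is intended. The `for` body continues past the end of this hunk.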