Bau 28336 codeception vulnerabilities 400 part 1

[remus-iesan-natterbox]

This PR addresses security vulnerabilities in the Codeception repository, focusing on improvements and hardening related to file handling, input validation, and error management.

Changes

• Added strict validation for configuration file names and paths received via HTTP headers to prevent directory traversal and unsafe file access.
• Improved error handling and validation for file operations in bootstrap and testing scripts, ensuring exceptions are raised when file operations fail.
• Restricted file deletion and reading to safe, whitelisted directories and file names within unit tests.
• Enhanced unit tests to cover edge cases and error scenarios for file operations and configuration loading.

Testing Notes

• Config File Handling

  • Test valid and invalid config file names/paths via HTTP headers.
  • Confirm only .yml files with safe characters are accepted; attempts with directory traversal or other unsafe patterns must trigger errors.
  • Ensure correct error messages are returned for invalid config requests.
  • Run code coverage reporting using both valid and invalid configurations; confirm the correct config file is loaded and errors are handled gracefully.

• File Creation, Deletion, and Writing

  • Verify that files (such as order.txt and screenshots) are created, deleted, and written to only when they reside in approved locations and have safe filenames.
  • Simulate file system errors (cannot delete, cannot open, cannot write) and ensure exceptions are raised and handled properly.
  • Confirm file handles are closed and file contents are accurate.

• Screenshot Logic

  • Check that screenshots are only deleted if their names and paths are validated as safe.
  • Attempt to create or delete screenshots with unsafe names or outside expected directories and confirm proper error handling.
  • Validate normal screenshot operations continue to function.

• Test File Reading

  • Make sure files are only read from a predefined whitelist in the parser tests.
  • Attempt to read files not on the whitelist and verify exceptions are thrown.
  • Confirm normal parsing and file reading still work for allowed files.

• General Regression

  • Run the full test suite and targeted edge-case tests to ensure all changes work as expected.
  • Inspect logs and output for clear, actionable error messages.
  • Confirm that functional and security improvements do not regress existing features.

Motivation

These improvements mitigate potential security risks from unvalidated user input and unsafe file access, increasing the robustness and reliability of the Codeception testing framework.

[orca-security-eu]

Orca Security Scan Summary

Status	Check	Issues by priority
Passed	Infrastructure as Code	0   0   0   0	View in Orca
Passed	SAST	0   0   0   0	View in Orca
Passed	Secrets	0   0   0   0	View in Orca
Passed	Vulnerabilities	0   0   0   0	View in Orca