fix(security): validate JVM-property base URL and canonicalize uploadApp path [APS-19024]

INJ-002 (CWE-918 SSRF): both AutomateClient and AppAutomateClient
constructors read the API base URL from a JVM system property
(browserstack.automate.api / browserstack.app-automate.api) without
validation. An attacker who can set the property redirects every signed
request to their host and harvests Basic Auth credentials. Each client
now wraps the System.getProperty call with validateApiBaseUrl, which
parses the URL via java.net.URI and rejects anything that is not https
or whose host does not end in .browserstack.com (IllegalArgumentException
on failure).

INJ-003 (CWE-22 path traversal): AppAutomateClient.uploadApp validated
the file extension with a suffix-only check on the supplied filePath.
A symlink legit.apk -> /etc/passwd would pass that check and stream the
target's bytes to the upload endpoint. uploadApp now resolves the file
via File.getCanonicalFile() (IOException is wrapped as
AppAutomateException), checks the extension on the canonical file name,
and uses the canonical File for the upload.

New unit tests in
src/test/java/com/browserstack/automate/ApiBaseUrlAndUploadSecurityTest.java
cover both fixes, including a real symlink case for INJ-003 (Assume-skipped
on platforms that disallow symlink creation).

Resolves: APS-19024

Author: Jimesh-browserstack

CHANGELOG.md

@@ -27,6 +27,25 @@ All notable changes to this project will be documented in this file.
   produce a malformed `Authorization: Basic` header. The condition is now
   `username == null || accessKey == null`. (APS-19019)
 
+
+- **SSRF guard on JVM-property base URL override** — both `AutomateClient` and
+  `AppAutomateClient` constructors now validate the result of
+  `System.getProperty("browserstack.automate.api", ...)` /
+  `System.getProperty("browserstack.app-automate.api", ...)` before passing it
+  to the parent constructor. Only `https` URLs whose host (parsed via
+  `java.net.URI`) ends in `.browserstack.com` are accepted; all other values
+  throw `IllegalArgumentException`. This prevents an attacker who can set JVM
+  properties from redirecting every signed API request — and the Basic Auth
+  credentials those requests carry — to an attacker-controlled host. (APS-19024)
+
+- **Path canonicalization in `AppAutomateClient.uploadApp`** — the file path is
+  now resolved via `File.getCanonicalFile()` before applying the `.apk` /
+  `.ipa` extension check, and the canonical name (not the original input) is
+  what the extension check sees. This prevents a symlink such as
+  `/tmp/legit.apk -> /etc/passwd` from passing the suffix-only check and
+  causing an arbitrary local file to be streamed to the upload endpoint.
+  (APS-19024)
+
 ### CI / Release
 
 - **GitHub Actions hardening** — `.github/workflows/ci.yml` actions are now

src/main/java/com/browserstack/appautomate/AppAutomateClient.java

@@ -2,6 +2,8 @@
 
 import java.io.File;
 import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.net.URI;
 import java.util.List;
 import com.browserstack.automate.Automate.BuildStatus;
 import com.browserstack.automate.exception.AppAutomateException;
@@ -32,7 +34,8 @@ public class AppAutomateClient extends BrowserStackClient implements AppAutomate
    * @param accessKey Browserstack accessKey
    */
   public AppAutomateClient(String username, String accessKey) {
-    super(System.getProperty("browserstack.app-automate.api", BASE_URL), username, accessKey);
+    super(validateApiBaseUrl(System.getProperty("browserstack.app-automate.api", BASE_URL)),
+        username, accessKey);
   }
 
   /**
@@ -71,9 +74,22 @@ public AppUploadResponse uploadApp(String filePath)
         throw new FileNotFoundException("File not found at " + filePath);
       }
 
-      if (!filePath.endsWith(".apk") && !filePath.endsWith(".ipa")) {
+      // APS-19024 / INJ-003: canonicalize before validating extension. Without this,
+      // a symlink such as /tmp/legit.apk -> /etc/passwd would pass a suffix-only
+      // check on the supplied path and result in an arbitrary local file being
+      // streamed to the upload endpoint. getCanonicalFile() resolves symlinks
+      // and ".." segments; we then check the extension on the canonical name.
+      final File canonical;
+      try {
+        canonical = file.getCanonicalFile();
+      } catch (IOException e) {
+        throw new AppAutomateException("Unable to canonicalize file path: " + e.getMessage(), 0);
+      }
+      final String canonicalName = canonical.getName().toLowerCase();
+      if (!canonicalName.endsWith(".apk") && !canonicalName.endsWith(".ipa")) {
         throw new InvalidFileExtensionException("File extension should be only .apk or .ipa.");
       }
+      file = canonical;
 
       MultipartContent content = new MultipartContent().setMediaType(
           new HttpMediaType("multipart/form-data").setParameter("boundary", "__END_OF_PART__"));
@@ -282,5 +298,46 @@ public List<Session> getSessions(final String buildId, final BuildStatus status)
     return getSessions(buildId, status, 0);
   }
 
-}
 
+  /**
+   * Validates the App Automate API base URL read from the JVM system property
+   * {@code browserstack.app-automate.api} (or the built-in default).
+   * <p>
+   * Defends against SSRF (APS-19024 / INJ-002): an attacker who can set the
+   * JVM property could otherwise redirect every signed API request — and the
+   * Basic Auth credentials those requests carry — to an attacker-controlled
+   * host. Only {@code https} URLs whose host (parsed via
+   * {@link java.net.URI#getHost()}) ends in {@code .browserstack.com} are
+   * accepted.
+   *
+   * @param url URL to validate. Must be a syntactically-valid absolute URL.
+   * @return the same URL, unchanged, when validation passes.
+   * @throws IllegalArgumentException if the URL is null, malformed, uses a
+   *                                  non-https scheme, or has a host outside
+   *                                  {@code *.browserstack.com}.
+   */
+  private static String validateApiBaseUrl(String url) {
+    if (url == null) {
+      throw new IllegalArgumentException("App Automate API base URL is null");
+    }
+
+    final URI uri;
+    try {
+      uri = URI.create(url);
+    } catch (IllegalArgumentException e) {
+      throw new IllegalArgumentException("Malformed App Automate API base URL", e);
+    }
+
+    final String scheme = uri.getScheme();
+    if (!"https".equalsIgnoreCase(scheme)) {
+      throw new IllegalArgumentException("Insecure App Automate API base URL scheme: " + scheme);
+    }
+
+    final String host = uri.getHost();
+    if (host == null || !host.toLowerCase().endsWith(".browserstack.com")) {
+      throw new IllegalArgumentException("Untrusted App Automate API base URL host: " + host);
+    }
+
+    return url;
+  }
+}

src/main/java/com/browserstack/automate/AutomateClient.java

@@ -36,7 +36,8 @@ public final class AutomateClient extends BrowserStackClient implements Automate
    * @param accessKey Access Key for your BrowserStack Automate account.
    */
   public AutomateClient(String username, String accessKey) {
-    super(System.getProperty("browserstack.automate.api", BASE_URL), username, accessKey);
+    super(validateApiBaseUrl(System.getProperty("browserstack.automate.api", BASE_URL)),
+        username, accessKey);
   }
 
   /**
@@ -532,6 +533,48 @@ public String recycleKey() throws AutomateException {
     return newAccessKey;
   }
 
+  /**
+   * Validates the API base URL read from the JVM system property
+   * {@code browserstack.automate.api} (or the built-in default).
+   * <p>
+   * Defends against SSRF (APS-19024 / INJ-002): an attacker who can set the
+   * JVM property could otherwise redirect every signed API request — and the
+   * Basic Auth credentials those requests carry — to an attacker-controlled
+   * host. Only {@code https} URLs whose host (parsed via
+   * {@link java.net.URI#getHost()}) ends in {@code .browserstack.com} are
+   * accepted.
+   *
+   * @param url URL to validate. Must be a syntactically-valid absolute URL.
+   * @return the same URL, unchanged, when validation passes.
+   * @throws IllegalArgumentException if the URL is null, malformed, uses a
+   *                                  non-https scheme, or has a host outside
+   *                                  {@code *.browserstack.com}.
+   */
+  private static String validateApiBaseUrl(String url) {
+    if (url == null) {
+      throw new IllegalArgumentException("API base URL is null");
+    }
+
+    final URI uri;
+    try {
+      uri = URI.create(url);
+    } catch (IllegalArgumentException e) {
+      throw new IllegalArgumentException("Malformed API base URL", e);
+    }
+
+    final String scheme = uri.getScheme();
+    if (!"https".equalsIgnoreCase(scheme)) {
+      throw new IllegalArgumentException("Insecure API base URL scheme: " + scheme);
+    }
+
+    final String host = uri.getHost();
+    if (host == null || !host.toLowerCase().endsWith(".browserstack.com")) {
+      throw new IllegalArgumentException("Untrusted API base URL host: " + host);
+    }
+
+    return url;
+  }
+
   /**
    * Validates that a URL is safe to fetch as a BrowserStack-issued logs URL.
    * <p>