Summary

Second focused percy-cli security PR — three contained runtime findings (deadline 2026-06-16) in @percy/core.

Changes

percy.js (PER-8609): sendBuildLogs() sent clilogs raw while cilogs were already passed through redactSecrets(). Wrap clilogs in the same redactSecrets() so tokens / credential-bearing URLs are stripped before egress.

snapshot.js (PER-8615): snapshotMatches() runs user-controllable regex/glob patterns against snapshot.name. A crafted long name reaching the matcher (e.g. via the local API — chain PER-8627) plus a backtracking-prone pattern could hang the process. Added MAX_MATCH_INPUT_LENGTH = 2048: glob/RegExp matching is skipped for over-long names (exact-string matching is unaffected, and real snapshot names are short).

install.js (PER-8616): Added resolveChromiumBaseUrl() — PERCY_CHROMIUM_BASE_URL must be a well-formed HTTPS URL, otherwise it warns and falls back to the trusted default host. Private HTTPS mirrors remain supported (the doctor check documents them), so no host allowlist.

Verification (against real source)

• resolveChromiumBaseUrl: https mirror kept; http://, ftp://, and malformed values rejected → default. ✅
• redactSecrets on the clilogs array shape: GitHub token + bearer redacted to [REDACTED]. ✅
• ReDoS guard: catastrophic (a+)+$ against a 50k-char input returns in 0 ms (would otherwise hang); normal patterns still match. ✅
• Existing sendBuildLogs tests use secret-free messages (redaction is a no-op → content matches); the Chromium with custom URL test uses an HTTPS URL (compatible).

PER-8605 (Chromium binary integrity) is partially addressed here — HTTPS is now enforced, giving transport integrity from the trusted host. Full checksum pinning of the downloaded binary (per platform/revision) is a separate follow-up since it needs canonical hashes for all 5 platform builds.

Closes PER-8609, PER-8615, PER-8616. Partially addresses PER-8605; mitigates the ReDoS leg of PER-8627.

🤖 Generated with Claude Code