From ac227207af60af6b2286661b8d97c668ddc13314 Mon Sep 17 00:00:00 2001
From: Sunny Sethi
Date: Tue, 26 May 2026 14:28:11 +0530
Subject: [PATCH] fix(security): use HTTPS for binary download in shell scripts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
F-002 / DEVA11Y-474 — All three cli.sh variants (bash, zsh, fish) downloaded the CLI binary over plaintext HTTP (CWE-319), enabling MitM binary substitution. Switch to HTTPS.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 scripts/bash/cli.sh | 2 +-
 scripts/fish/cli.sh | 2 +-
 scripts/zsh/cli.sh | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/scripts/bash/cli.sh b/scripts/bash/cli.sh
index d39f524..818d993 100644
--- a/scripts/bash/cli.sh
+++ b/scripts/bash/cli.sh
@@ -88,7 +88,7 @@ script_self_update() {
 }
 download_binary() {
- curl -R -z "$BINARY_ZIP_PATH" -L "http://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"
+ curl -R -z "$BINARY_ZIP_PATH" -L "https://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"
 bsdtar -xvf "$BINARY_ZIP_PATH" -O > "$BINARY_PATH" && chmod 0775 "$BINARY_PATH"
 }
diff --git a/scripts/fish/cli.sh b/scripts/fish/cli.sh
index 6bf3d8b..e509be7 100644
--- a/scripts/fish/cli.sh
+++ b/scripts/fish/cli.sh
@@ -100,7 +100,7 @@ script_self_update() {
 }
 download_binary() {
- curl -R -z "$BINARY_ZIP_PATH" -L "http://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"
+ curl -R -z "$BINARY_ZIP_PATH" -L "https://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"
 bsdtar -xvf "$BINARY_ZIP_PATH" -O > "$BINARY_PATH" && chmod 0775 "$BINARY_PATH"
 }
diff --git a/scripts/zsh/cli.sh b/scripts/zsh/cli.sh
index 697ad4e..a7e6e4c 100644
--- a/scripts/zsh/cli.sh
+++ b/scripts/zsh/cli.sh
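Review bot: The new `curl` line in `download_binary()` (scripts/bash/cli.sh) still passes `-L` without restricting protocols, so by default a redirect from the HTTPS endpoint to an `http://` location would be followed and the plaintext exposure this commit closes could come back. It also lacks `-f` and its exit status is not checked in the visible lines, so an HTTP error body would be saved to `$BINARY_ZIP_PATH` and handed to `bsdtar`. Consider `curl --proto '=https' --proto-redir '=https' -f -R -z "$BINARY_ZIP_PATH" -L "https://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH" || return 1`. The identical line in the scripts/fish/cli.sh and scripts/zsh/cli.sh hunks needs the same change. `script_self_update()` lies outside all three hunks, so whether its own fetch uses HTTPS cannot be confirmed from this patch.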
@@ -99,7 +99,7 @@ script_self_update() {
 }
 download_binary() {
- curl -R -z "$BINARY_ZIP_PATH" -L "http://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"
+ curl -R -z "$BINARY_ZIP_PATH" -L "https://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"
 bsdtar -xvf "$BINARY_ZIP_PATH" -O > "$BINARY_PATH" && chmod 0775 "$BINARY_PATH"
 }
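Review bot: Nothing in `download_binary()` verifies the archive before the extracted file is made executable; HTTPS authenticates the server, but a corrupted or substituted artifact would still be installed. A digest or signature check between the `curl` and `bsdtar` lines would cover that, for example `printf '%s  %s\n' "$EXPECTED_SHA256" "$BINARY_ZIP_PATH" | sha256sum -c - || return 1`, where `EXPECTED_SHA256` is a placeholder for a value published out of band. The unchanged `bsdtar ... -O > "$BINARY_PATH"` line also truncates the existing binary before extraction has succeeded. Extracting to a temporary file and moving it into place avoids that, and `chmod 0755` would drop the group-write bit that `0775` grants. The same applies to the scripts/bash/cli.sh and scripts/fish/cli.sh hunks.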