Preserve self-update with SHA-256 integrity verification

sunny-se · claude · sunny-se · commit e098f6e2ac4e · 2026-05-27T15:55:53.000+05:30
Instead of removing script_self_update() entirely, restore it with hardening: HTTPS-only fetch (pairs with PR #13) + SHA-256 checksum verification against a .sha256 sidecar file. Silently skips update if checksum fetch fails or hash mismatch — never overwrites with unverified content. Requires publishing .sha256 sidecar files alongside each script. DEVA11Y-475 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/scripts/bash/cli.sh b/scripts/bash/cli.sh
@@ -78,11 +78,29 @@ a11y_scan() {
       $BINARY_PATH a11y $EXTRA_ARGS
 }
 
+script_self_update() {
+  local remote_url="https://raw.githubusercontent.com/browserstack/AccessibilityDevTools/refs/heads/main/scripts/bash/cli.sh"
+  local checksum_url="${remote_url}.sha256"
+
+  local updated_script
+  updated_script=$(curl -sfSL "$remote_url") || return 0
+  local expected_hash
+  expected_hash=$(curl -sfSL "$checksum_url" | awk '{print $1}') || return 0
+
+  local actual_hash
+  actual_hash=$(printf '%s' "$updated_script" | shasum -a 256 | awk '{print $1}')
+
+  if [[ -n "$expected_hash" ]] && [[ "$actual_hash" == "$expected_hash" ]] && [[ $updated_script =~ ^#! ]]; then
+    echo "$updated_script" > "$SCRIPT_PATH"
+  fi
+}
+
 download_binary() {
   curl -R -z "$BINARY_ZIP_PATH" -L "http://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"
   bsdtar -xvf "$BINARY_ZIP_PATH" -O > "$BINARY_PATH" && chmod 0775 "$BINARY_PATH"
 }
 
+script_self_update
 if [[ $SUBCOMMAND == "register-pre-commit-hook" ]]; then
   register_git_hook
   exit 0
diff --git a/scripts/fish/cli.sh b/scripts/fish/cli.sh
@@ -90,11 +90,29 @@ a11y_scan() {
       $BINARY_PATH a11y $EXTRA_ARGS
 }
 
+script_self_update() {
+  local remote_url="https://raw.githubusercontent.com/browserstack/AccessibilityDevTools/refs/heads/main/scripts/fish/cli.sh"
+  local checksum_url="${remote_url}.sha256"
+
+  local updated_script
+  updated_script=$(curl -sfSL "$remote_url") || return 0
+  local expected_hash
+  expected_hash=$(curl -sfSL "$checksum_url" | awk '{print $1}') || return 0
+
+  local actual_hash
+  actual_hash=$(printf '%s' "$updated_script" | shasum -a 256 | awk '{print $1}')
+
+  if [[ -n "$expected_hash" ]] && [[ "$actual_hash" == "$expected_hash" ]] && [[ $updated_script =~ ^#! ]]; then
+    echo "$updated_script" > "$SCRIPT_PATH"
+  fi
+}
+
 download_binary() {
   curl -R -z "$BINARY_ZIP_PATH" -L "http://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"
   bsdtar -xvf "$BINARY_ZIP_PATH" -O > "$BINARY_PATH" && chmod 0775 "$BINARY_PATH"
 }
 
+script_self_update
 if [[ $SUBCOMMAND == "register-pre-commit-hook" ]]; then
   register_git_hook
   exit 0
diff --git a/scripts/zsh/cli.sh b/scripts/zsh/cli.sh
@@ -89,11 +89,29 @@ a11y_scan() {
       $BINARY_PATH a11y $EXTRA_ARGS
 }
 
+script_self_update() {
+  local remote_url="https://raw.githubusercontent.com/browserstack/AccessibilityDevTools/refs/heads/main/scripts/zsh/cli.sh"
+  local checksum_url="${remote_url}.sha256"
+
+  local updated_script
+  updated_script=$(curl -sfSL "$remote_url") || return 0
+  local expected_hash
+  expected_hash=$(curl -sfSL "$checksum_url" | awk '{print $1}') || return 0
+
+  local actual_hash
+  actual_hash=$(printf '%s' "$updated_script" | shasum -a 256 | awk '{print $1}')
+
+  if [[ -n "$expected_hash" ]] && [[ "$actual_hash" == "$expected_hash" ]] && [[ $updated_script =~ ^#! ]]; then
+    echo "$updated_script" > "$SCRIPT_PATH"
+  fi
+}
+
 download_binary() {
   curl -R -z "$BINARY_ZIP_PATH" -L "http://api.browserstack.com/sdk/v1/download_cli?os=${OS}&os_arch=${ARCH}" -o "$BINARY_ZIP_PATH"
   bsdtar -xvf "$BINARY_ZIP_PATH" -O > "$BINARY_PATH" && chmod 0775 "$BINARY_PATH"
 }
 
+script_self_update
 if [[ $SUBCOMMAND == "register-pre-commit-hook" ]]; then
   register_git_hook
   exit 0
