Restricting BrowserStack access within your local network

BrowserStack provide a virtual browser service which lets you test websites with multiple different browsers.

BrowserStack provide far more browsers on more platforms than even large organisations could justify on their test budgets, so the service is valuable to companies like Surevine that require the ability to test that websites work correctly on a broad range of web browsers.

Most organisations like to keep their new website under wraps, so they develop it locally or on a private network, or they may wish to test sites which are for internal use only. BrowserStack provide software and instructions to test such sites: a “BrowserStackLocal” component creates a tunnel from the virtual browser back to your machine.

During our process of accepting BrowserStack we noticed that the arguments passed to BrowserStackLocal:

./BrowserStackLocal ACCESS_KEY staging.example.com,80,0,staging.example.com,443,1

do nothing to restrict what the BrowserStackLocal process can reach. For example, a process told it could access “http://localhost:3000/” was able to access images from “http://localhost:3001/” and also content from private (RFC1918) addresses on the local network. This potentially exposes to the virtual browser at BrowserStack any network service to which you have privileged access.

A quick check with BrowserStack support: they report that the documentation is out of date and that the command should have “-only” added.

./BrowserStackLocal ACCESS_KEY -only staging.example.com,80,0,staging.example.com,443,1

We have tested this form and confirmed that it restricts access as intended.
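The check described above can be automated. The following is an added example, not code from BrowserStack or from the original post: it audits a BrowserStackLocal command line for “-only” and lists any fetched URLs that fall outside the declared targets. The function names are hypothetical, the third field of each triple is assumed to be an SSL flag (inferred from the 80,0 / 443,1 pairing in the command), and the observed URL list is constructed.

```python
import shlex
from urllib.parse import urlsplit

def parse_targets(spec):
    """Split 'host,port,ssl,host,port,ssl,...' into (host, port, ssl) tuples."""
    fields = spec.split(",")
    if len(fields) % 3:
        raise ValueError(f"expected host,port,ssl triples, got {spec!r}")
    targets = set()
    for i in range(0, len(fields), 3):
        host, port, ssl = fields[i:i + 3]
        if ssl not in ("0", "1"):  # assumption: third field is an SSL flag
            raise ValueError(f"bad ssl flag {ssl!r} for {host}:{port}")
        targets.add((host.lower(), int(port), ssl == "1"))
    return targets

def audit_command(cmdline):
    """Return (restricted, targets) for one BrowserStackLocal command line."""
    args = shlex.split(cmdline)
    rest = args[2:]  # skip the binary and the access key
    restricted = "-only" in rest  # without it the target list is not enforced
    specs = [a for a in rest if not a.startswith("-")]
    return restricted, parse_targets(specs[0]) if specs else set()

def out_of_scope(urls, targets):
    """URLs whose (host, port, scheme) is not one of the declared targets."""
    misses = []
    for url in urls:
        parts = urlsplit(url)
        ssl = parts.scheme == "https"
        port = parts.port or (443 if ssl else 80)
        if (parts.hostname, port, ssl) not in targets:
            misses.append(url)
    return misses

# Constructed sample: URLs a tunnelled browser session was seen to fetch.
OBSERVED = ["http://localhost:3000/", "http://localhost:3001/logo.png",
            "http://192.168.1.10/"]

if __name__ == "__main__":
    for cmd in ("./BrowserStackLocal ACCESS_KEY localhost,3000,0",
                "./BrowserStackLocal ACCESS_KEY -only localhost,3000,0"):
        restricted, targets = audit_command(cmd)
        print("ok  " if restricted else "FAIL", cmd)
    print("fetched outside declared targets:", out_of_scope(OBSERVED, targets))
```

Feeding it the requests your internal servers actually logged during a test session shows whether the tunnel reached anything it was not meant to.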

Whilst I can understand the desire to make access easier, and that changing the command line arguments is difficult for a tool which is embedded in so many test suites, this is one of those cases where the documentation must not lag, as a lag risks undermining trust in the product offering.

BrowserStack have promised to update their documentation.