Test directory: /root/.pruva/runs/ghsa-97rm-xj73-33jh_20260220-155608/vuln_variant/test_env_variants
Started: Fri Feb 20 16:06:57 UTC 2026

=== TEST 1: Vulnerable updateEnvFile function (baseline) ===
Running vulnerable function test...
Initial .env:
EBAY_APP_ID=test_app
EBAY_CERT_ID=test_cert
After injection attempt:
EBAY_APP_ID=test_app
EBAY_CERT_ID=test_cert
EBAY_USER_ACCESS_TOKEN="v1.MTIzNDU2Nzg5MA==
ATTACK_VAR=malicious_value"
[FAIL] Injection successful - ATTACK_VAR was injected!
TEST 1 Result: Vulnerable function allowed injection (expected)

=== TEST 2: Fixed updateEnvFile function (aab0bda) ===
Running fixed function test...
Initial .env:
EBAY_APP_ID=test_app
EBAY_CERT_ID=test_cert
After injection attempt:
EBAY_APP_ID=test_app
EBAY_CERT_ID=test_cert
EBAY_USER_ACCESS_TOKEN="v1.MTIzNDU2Nzg5MA==\nATTACK_VAR=malicious_value"
[PASS] Injection blocked - newline was escaped or contained
TEST 2 Result: Fixed function blocked injection (expected)

=== TEST 3: Testing multiple injection payloads ===
Running multiple payload tests...
[PASS] Newline injection: Injection blocked
[PASS] CRLF injection: Injection blocked
[PASS] Quote escape: Injection blocked
[PASS] Comment injection: Injection blocked
[PASS] Backslash escape: Injection blocked
Results: 5 passed, 0 failed
TEST 3 Result: All payloads blocked (expected)

=== TEST 4: Simulating API-derived token injection ===
This tests the scenario where eBay API (or MITM) returns malicious tokens
Running API token simulation...
Content after saving API tokens:
EBAY_APP_ID=prod_app
EBAY_USER_ACCESS_TOKEN="v1.eBay#i#1#r#1#p#3#k#1...\nNODE_OPTIONS=--require /tmp/evil"
EBAY_USER_REFRESH_TOKEN="v1.eBayRefresh#...\nLD_PRELOAD=/tmp/evil.so"
[PASS] API-derived malicious tokens properly escaped
TEST 4 Result: API token injection blocked (expected)

=== TEST SUMMARY ===
Test 1 (Vulnerable baseline): VULNERABLE (expected)
Test 2 (Fixed version): PASS (blocked)
Test 3 (Multiple payloads): PASS (all blocked)
Test 4 (API token simulation): PASS (blocked)
Completed: Fri Feb 20 16:06:58 UTC 2026

=== RESULT: No bypass found. Fix is effective. ===
Variants tested: Multiple payload types, API token simulation - all blocked by fix.
Alternate entry points identified:
1. ebay_set_user_tokens (direct user input) - FIXED
2. ebay_set_user_tokens_with_expiry (direct user input) - FIXED
3. refreshUserToken (API-derived tokens) - FIXED via same updateEnvFile
4. getOrRefreshAppAccessToken (API-derived tokens) - FIXED via same updateEnvFile