fix(security): validate realpath result before LOG_DIR deletion in e2e.sh (#3225)

Fixes #3222

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
A 2026-04-07 17:43:34 -07:00 committed by GitHub
parent ad9da53210
commit 05fbb2ebdc
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -702,7 +702,11 @@ final_cleanup() {
SAFE_TMP_ROOT="${SAFE_TMP_ROOT%/}"
# Resolve symlinks to prevent symlink-following attacks (#3194)
local resolved_log_dir
resolved_log_dir=$(realpath "${LOG_DIR}" 2>/dev/null || printf '%s' "${LOG_DIR}")
resolved_log_dir=$(realpath "${LOG_DIR}" 2>/dev/null)
if [ -z "${resolved_log_dir}" ]; then
log_warn "Failed to resolve LOG_DIR path, skipping cleanup"
return
fi
# Verify ownership before deletion
if [ ! -O "${resolved_log_dir}" ]; then
log_warn "LOG_DIR not owned by current user, refusing deletion: ${resolved_log_dir}"
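Review bot: The empty-result branch added after the `realpath` assignment is only reachable if the assignment itself does not abort the function: if the script runs under `set -e` (not visible in this hunk), a failing `realpath` makes `resolved_log_dir=$(...)` return non-zero and `final_cleanup` exits before the `-z` test, so the "skipping cleanup" warning never fires — and in an EXIT-trap context the rest of the cleanup is silently lost. The old line kept that path live via `|| printf`; the new one should keep an explicit fallback, e.g. `resolved_log_dir=$(realpath "${LOG_DIR}" 2>/dev/null) || resolved_log_dir=""`, so the check that follows actually decides. A non-empty, owned path is still not the same as a path under `SAFE_TMP_ROOT` (normalized just above); if the containment check against `SAFE_TMP_ROOT` does not appear later in `final_cleanup`, it belongs before the deletion. The function continues past the end of this hunk, so the deletion itself is not visible here.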