vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-04-28 11:59:29 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

fix(security): add AWS secret key validation and harden path traversal (#2690)

Browse source 
- Add validateAwsSecretKey() function checking 40-char format
- Validate secret key in loadCredsFromConfig() and lightsailRest()
- Add normalize() to canonicalize paths before traversal check
- Harden both uploadFile() and downloadFile() path validation
- Update test fixtures with properly-formatted mock secret keys
- Add test for invalid secret key format rejection

Fixes #2686
Fixes #2687

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
A 2026-03-16 01:29:01 -07:00 committed by GitHub
parent 8fe6450485
commit 085759aeaf
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 42 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

2
packages/cli/package.json
View file

@ -1,6 +1,6 @@
{
"name": "@openrouter/spawn",
"version": "0.20.2",
"version": "0.20.3",
"type": "module",
"bin": {
"spawn": "cli.js"