vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-20 01:11:18 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

security: validate RAW_BASE immediately before curl|bash invocation (#1822)

Browse source 
Fixes #1819

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
A 2026-02-23 16:31:53 -08:00 committed by GitHub
parent fccb73d147
commit 0bca426980
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 6 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
cli/package.json
View file

@ -1,6 +1,6 @@
{
"name": "@openrouter/spawn",
"version": "0.8.2",
"version": "0.8.3",
"type": "module",
"bin": {
"spawn": "cli.js"

5
cli/src/update-check.ts
View file

@ -196,6 +196,11 @@ function reExecWithArgs(): void {
function performAutoUpdate(latestVersion: string): void {
printUpdateBanner(latestVersion);
// Validate RAW_BASE immediately before use to prevent command injection (CWE-78, #1819)
if (!GITHUB_RAW_URL_PATTERN.test(RAW_BASE)) {
throw new Error(`Security: RAW_BASE failed pre-execution validation: ${RAW_BASE}`);
}
try {
executor.execSync(`curl -fsSL ${RAW_BASE}/cli/install.sh | bash`, {
stdio: "inherit",