vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-04-28 03:49:31 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

fix(security): add --proto '=https' to all curl executable downloads (#2160)

Browse source 
42 curl calls downloading JS bundles, CLI binaries, and gh CLI tarballs
were missing --proto '=https', allowing protocol downgrade attacks on
hostile networks. PR #2138 fixed bun installer calls; this closes the
remaining gap for executable downloads.

Fixes applied:
- sh/{sprite,aws,gcp,hetzner,daytona,local}/{claude,codex,openclaw,opencode,kilocode,hermes,zeroclaw}.sh (42 files)
- sh/cli/install.sh (cli.js download)
- sh/shared/github-auth.sh (keyring, API, tarball downloads)

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
A 2026-03-03 20:38:03 -08:00 committed by GitHub
parent 251ddf2967
commit 1097f055c3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
45 changed files with 47 additions and 47 deletions
Download patch file Download diff file Expand all files Collapse all files

2
sh/aws/opencode.sh
View file

@ -28,6 +28,6 @@ fi
# Remote — download and run compiled TypeScript bundle
AWS_JS=$(mktemp)
trap 'rm -f "$AWS_JS"' EXIT
curl -fsSL "https://github.com/OpenRouterTeam/spawn/releases/download/aws-latest/aws.js" -o "$AWS_JS" \
curl -fsSL --proto '=https' "https://github.com/OpenRouterTeam/spawn/releases/download/aws-latest/aws.js" -o "$AWS_JS" \
|| { printf '\033[0;31mFailed to download aws.js\033[0m\n' >&2; exit 1; }
exec bun run "$AWS_JS" opencode "$@"