fix: validate server ID in status.ts before API calls (#2430)

vrr/spawn

mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-04-28 03:49:31 +00:00

status.ts passed server_id from history directly into Hetzner/DO API
URLs without calling validateServerIdentifier(). Both delete.ts and
connect.ts validate first; status.ts was the only gap. A tampered
~/.spawn/history.json could craft a server_id with path traversal
characters (e.g. "../v2/account") causing the Bearer token to be
sent to an unintended API endpoint (SSRF via URL path manipulation).

Fix: call validateServerIdentifier() after extracting serverId,
returning "unknown" gracefully on failure.

Agent: code-health

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

This commit is contained in:

2026-03-10 04:17:07 -07:00

• committed by

GitHub

parent 00aa4b2dbf

commit 15e4715555

No known key found for this signature in database

GPG key ID: B5690EEEBB952194

2 changed files with 7 additions and 1 deletions

									
										2

packages/cli/package.json
									
										View file
										
				@ -1,6 +1,6 @@

				{

				  "name": "@openrouter/spawn",

				  "version": "0.15.36",

				  "version": "0.15.37",

				  "type": "module",

				  "bin": {

				    "spawn": "cli.js"

Rows
Columns

fix: validate server ID in status.ts before API calls (#2430)

2 packages/cli/package.json Unescape Escape View file

2

packages/cli/package.json

View file