vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-19 16:39:50 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

fix: harden env var parsing and pkill patterns in provision.sh (#2342)

Browse source 
- Block dangerous system env vars (PATH, LD_PRELOAD, etc.) before export
- Add explicit alphanumeric validation on env var names
- Validate app_name is non-empty and safe before pkill -f
- Tighten pkill regex from "sprite.*exec.*" to "sprite exec.*"

Fixes #2330 #2332

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
A 2026-03-08 07:43:28 -07:00 committed by GitHub
parent 48af1c3459
commit 24e393817f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 19 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

22
sh/e2e/lib/provision.sh
View file

@ -69,7 +69,19 @@ provision_agent() {
if [ -z "${_env_name}" ]; then
continue
fi
# Validate value against a safe character whitelist
# Block dangerous system env vars that could enable privilege escalation
case "${_env_name}" in
PATH|LD_PRELOAD|LD_LIBRARY_PATH|HOME|SHELL|USER|IFS|ENV|BASH_ENV|CDPATH)
log_err "Blocked dangerous env var: ${_env_name}"
continue
;;
esac
# Validate env var name matches strict alphanumeric pattern
if ! printf '%s' "${_env_name}" | grep -qE '^[A-Za-z_][A-Za-z0-9_]*$'; then
log_err "Invalid env var name: ${_env_name}"
continue
fi
# Validate value against a safe character whitelist BEFORE export
if printf '%s' "${_env_val}" | grep -qE '[^A-Za-z0-9@%+=:,./_-]'; then
log_err "Invalid characters in env value for ${_env_name}"
continue
@ -104,8 +116,12 @@ CLOUD_ENV
pkill -P "${pid}" 2>/dev/null || true
kill "${pid}" 2>/dev/null || true
wait "${pid}" 2>/dev/null || true
# Also kill any lingering sprite exec processes for this specific app
pkill -f "sprite.*exec.*${app_name}" 2>/dev/null || true
# Also kill any lingering sprite exec processes for this specific app.
# Validate app_name is non-empty and contains only safe characters to
# prevent overly broad pkill -f patterns from killing unrelated processes.
if [ -n "${app_name}" ] && printf '%s' "${app_name}" | grep -qE '^[A-Za-z0-9._-]+$'; then
pkill -f "sprite exec.*${app_name}" 2>/dev/null || true
fi
sleep 1
fi