vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-19 08:01:17 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

fix(security): restrict OAuth auth code regex to alphanumeric only (#2116)

Browse source 
Removes underscore and hyphen from the OAuth authorization code
validation regex, restricting it to alphanumeric characters only.
Defense in depth: if the code is ever used in logging or other
contexts, special characters won't create injection opportunities.

Fixes #2114

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
A 2026-03-02 13:49:12 -08:00 committed by GitHub
parent 7cc21e4111
commit 2a23ebcaf2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

2
packages/cli/package.json
View file

@ -1,6 +1,6 @@
{
"name": "@openrouter/spawn",
"version": "0.12.3",
"version": "0.12.4",
"type": "module",
"bin": {
"spawn": "cli.js"

2
packages/cli/src/shared/oauth.ts
View file

@ -115,7 +115,7 @@ async function tryOauthFlow(callbackPort = 5180, agentSlug?: string, cloudSlug?:
});
}
// Validate code format
if (!/^[a-zA-Z0-9_-]{16,128}$/.test(code)) {
if (!/^[a-zA-Z0-9]{16,128}$/.test(code)) {
return new Response("<html><body><h1>Invalid OAuth Code</h1></body></html>", {
status: 400,
headers: {