From 355c3305070b740cd296c56c4724505cf8ac5255 Mon Sep 17 00:00:00 2001 From: Sprite Date: Sat, 7 Feb 2026 19:48:09 +0000 Subject: [PATCH] security: Fix command injection in openclaw.sh files Fixed command injection vulnerability in sprite/openclaw.sh where OPENCLAW_CONFIG was echoed directly into remote shell command with user-controlled MODEL_ID variable. Changed to use temp file + secure upload instead of inline echo. Also added chmod 600 to all OPENCLAW_CONFIG_TEMP files across all cloud providers (linode, vultr, digitalocean, hetzner, sprite) to prevent race condition where credentials could be exposed in temp files before being written. Changes: - sprite/openclaw.sh: Replaced echo with temp file + sprite exec -file - All openclaw.sh: Added chmod 600 after mktemp for credentials Co-Authored-By: Claude Sonnet 4.5 --- digitalocean/openclaw.sh | 1 + hetzner/openclaw.sh | 1 + linode/openclaw.sh | 1 + sprite/openclaw.sh | 19 +++++++++++++------ vultr/openclaw.sh | 1 + 5 files changed, 17 insertions(+), 6 deletions(-) diff --git a/digitalocean/openclaw.sh b/digitalocean/openclaw.sh index 69cef79f..7df509b9 100755 --- a/digitalocean/openclaw.sh +++ b/digitalocean/openclaw.sh @@ -70,6 +70,7 @@ run_server "$DO_SERVER_IP" "rm -rf ~/.openclaw && mkdir -p ~/.openclaw" GATEWAY_TOKEN=$(openssl rand -hex 16) OPENCLAW_CONFIG_TEMP=$(mktemp) +chmod 600 "$OPENCLAW_CONFIG_TEMP" cat > "$OPENCLAW_CONFIG_TEMP" << EOF { "env": { diff --git a/hetzner/openclaw.sh b/hetzner/openclaw.sh index 0749443b..7b7d0027 100755 --- a/hetzner/openclaw.sh +++ b/hetzner/openclaw.sh @@ -71,6 +71,7 @@ run_server "$HETZNER_SERVER_IP" "rm -rf ~/.openclaw && mkdir -p ~/.openclaw" GATEWAY_TOKEN=$(openssl rand -hex 16) OPENCLAW_CONFIG_TEMP=$(mktemp) +chmod 600 "$OPENCLAW_CONFIG_TEMP" cat > "$OPENCLAW_CONFIG_TEMP" << EOF { "env": { diff --git a/linode/openclaw.sh b/linode/openclaw.sh index 9f1b36bf..31cf7888 100755 --- a/linode/openclaw.sh +++ b/linode/openclaw.sh 
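Review bot: The added `chmod 600 "$OPENCLAW_CONFIG_TEMP"` in digitalocean/openclaw.sh does not close a window, because `mktemp` already creates the file with owner-only read/write permissions; the line is harmless, but the race described in the commit message is not what protects the key. What remains exposed is the file's lifetime: the heredoc that follows writes the credentials to local disk (OPENROUTER_API_KEY is visible in the linode and vultr hunks), and no cleanup is visible in the hunk, so an aborted run would presumably leave them behind. Consider adding `trap 'rm -f -- "$OPENCLAW_CONFIG_TEMP"' EXIT` right after the `mktemp` line, provided the script sets no other EXIT trap. The same applies to the identical hunks in hetzner/openclaw.sh, linode/openclaw.sh and vultr/openclaw.sh; in each, the heredoc body continues past the end of the hunk.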
@@ -37,6 +37,7 @@ log_warn "Configuring openclaw..." run_server "$LINODE_SERVER_IP" "rm -rf ~/.openclaw && mkdir -p ~/.openclaw" GATEWAY_TOKEN=$(openssl rand -hex 16) OPENCLAW_CONFIG_TEMP=$(mktemp) +chmod 600 "$OPENCLAW_CONFIG_TEMP" cat > "$OPENCLAW_CONFIG_TEMP" << EOF { "env": { "OPENROUTER_API_KEY": "${OPENROUTER_API_KEY}" }, diff --git a/sprite/openclaw.sh b/sprite/openclaw.sh index 3aba373a..60820b1c 100755 --- a/sprite/openclaw.sh +++ b/sprite/openclaw.sh @@ -65,26 +65,33 @@ run_sprite "$SPRITE_NAME" "rm -rf ~/.openclaw && mkdir -p ~/.openclaw" # Generate a random gateway token GATEWAY_TOKEN=$(openssl rand -hex 16) -OPENCLAW_CONFIG='{ +# Create config file locally first, then upload +OPENCLAW_CONFIG_TEMP=$(mktemp) +chmod 600 "$OPENCLAW_CONFIG_TEMP" +cat > "$OPENCLAW_CONFIG_TEMP" << EOF +{ "env": { - "OPENROUTER_API_KEY": "'"$OPENROUTER_API_KEY"'" + "OPENROUTER_API_KEY": "${OPENROUTER_API_KEY}" }, "gateway": { "mode": "local", "auth": { - "token": "'"$GATEWAY_TOKEN"'" + "token": "${GATEWAY_TOKEN}" } }, "agents": { "defaults": { "model": { - "primary": "openrouter/'"$MODEL_ID"'" + "primary": "openrouter/${MODEL_ID}" } } } -}' +} +EOF -run_sprite "$SPRITE_NAME" "echo '$OPENCLAW_CONFIG' > ~/.openclaw/openclaw.json" +# Upload config file securely +sprite exec -s "$SPRITE_NAME" -file "$OPENCLAW_CONFIG_TEMP:/tmp/openclaw_config.json" -- bash -c "mv /tmp/openclaw_config.json ~/.openclaw/openclaw.json" +rm "$OPENCLAW_CONFIG_TEMP" echo "" log_info "✅ Sprite setup completed successfully!" diff --git a/vultr/openclaw.sh b/vultr/openclaw.sh index 720eb4b4..1c103d7c 100755 --- a/vultr/openclaw.sh +++ b/vultr/openclaw.sh @@ -53,6 +53,7 @@ run_server "$VULTR_SERVER_IP" "rm -rf ~/.openclaw && mkdir -p ~/.openclaw" GATEWAY_TOKEN=$(openssl rand -hex 16) OPENCLAW_CONFIG_TEMP=$(mktemp) +chmod 600 "$OPENCLAW_CONFIG_TEMP" cat > "$OPENCLAW_CONFIG_TEMP" << EOF { "env": { "OPENROUTER_API_KEY": "${OPENROUTER_API_KEY}" },
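Review bot: In sprite/openclaw.sh, `MODEL_ID` is still interpolated unescaped, now into the JSON heredoc (`"primary": "openrouter/${MODEL_ID}"`), so a value containing `"` or `\` no longer reaches a remote shell but can still break or extend the generated config. Validate it before the heredoc, for example `[[ "$MODEL_ID" =~ ^[A-Za-z0-9._:/-]+$ ]] || exit 1`, or build the file with a JSON-aware tool. The upload also stages the credentials under the fixed name `/tmp/openclaw_config.json` on the sprite and nothing in the hunk sets the final mode; how `sprite exec -file` assigns permissions is not visible here, so appending `&& chmod 600 ~/.openclaw/openclaw.json` to the remote command would pin it. Finally, `rm "$OPENCLAW_CONFIG_TEMP"` only runs if the script reaches that line, so a failed upload may leave the key on local disk; `trap 'rm -f -- "$OPENCLAW_CONFIG_TEMP"' EXIT` after `mktemp` covers that path.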