vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-22 03:14:57 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

fix: apply validateLaunchCmd to manifest fallback path in connect.ts (#2455)

Browse source 
Security: the manifest-derived fallback path in connect.ts bypassed the
validateLaunchCmd() allowlist that guards history-derived commands. A
malicious or modified manifest.json cache could inject arbitrary commands
executed on the remote VM via SSH.

Fixes #2453

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
A 2026-03-10 12:28:00 -07:00 committed by GitHub
parent 5db9cc2a80
commit 3978ff6d4d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 1 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
packages/cli/src/commands/connect.ts
View file

@ -138,6 +138,7 @@ export async function cmdEnterAgent(
const sep = acc.trimEnd().endsWith("&") ? " " : "; ";
return acc + sep + part;
}, "");
validateLaunchCmd(remoteCmd);
}
const agentName = agentDef?.name || agentKey;