vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-04-28 03:49:31 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

fix: address medium security findings from #753 (#755)

Browse source 
- Replace `echo -e` with `printf` in cli/install.sh for macOS bash 3.x compat
- Remove `-u` (nounset) from test/run.sh — use `${VAR:-}` pattern instead
- Replace `source <(curl ...)` with `eval "$(curl ...)"` in test/run.sh for curl|bash compat
- Add .gitignore patterns for sensitive files (.env, *.pem, *.key, credentials)

Refs #753

Agent: security-auditor

Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
A 2026-02-12 15:48:52 -08:00 committed by GitHub
parent 4bd5f2205f
commit 4e33cc39cd
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 17 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

12
.gitignore vendored
View file

@ -3,3 +3,15 @@ node_modules/
__pycache__/
.claude/skills/*/start-*.sh
cli/cli.js
# Sensitive files — never commit secrets or private keys
.env
.env.*
*.pem
*.key
*.p12
*.pfx
id_rsa
id_ed25519
credentials.json
service-account.json

6
cli/install.sh
View file

@ -21,9 +21,9 @@ YELLOW='\033[1;33m'
BOLD='\033[1m'
NC='\033[0m'
log_info() { echo -e "${GREEN}[spawn]${NC} $1"; }
log_warn() { echo -e "${YELLOW}[spawn]${NC} $1"; }
log_error() { echo -e "${RED}[spawn]${NC} $1"; }
log_info() { printf "${GREEN}[spawn]${NC} %s\n" "$1"; }
log_warn() { printf "${YELLOW}[spawn]${NC} %s\n" "$1"; }
log_error() { printf "${RED}[spawn]${NC} %s\n" "$1"; }
# --- Helper: compare semver strings ---
# Returns 0 (true) if $1 >= $2

4
test/run.sh
View file

@ -15,7 +15,7 @@
# bash test/run.sh claude # test one script
# bash test/run.sh --remote # test remote source (from GitHub)
set -uo pipefail
set -eo pipefail
REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
TEST_DIR=$(mktemp -d)
@ -310,7 +310,7 @@ _test_sprite_remote_source() {
fi
local remote_fns
remote_fns=$(bash -c '
source <(curl -fsSL https://raw.githubusercontent.com/OpenRouterTeam/spawn/main/sprite/lib/common.sh)
eval "$(curl -fsSL https://raw.githubusercontent.com/OpenRouterTeam/spawn/main/sprite/lib/common.sh)"
type log_info &>/dev/null && echo "OK" || echo "FAIL"
' 2>/dev/null)
assert_equals "${remote_fns}" "OK" "Remote source from GitHub works"