fix(e2e): fix manual .spawnrc creation on Sprite (stdin piping broken) (#2872)

The manual .spawnrc fallback in provision.sh was using `printf '%s' "${env_b64}" | cloud_exec ...`,
which works for SSH-based clouds (Hetzner, GCP, AWS) where stdin is passed through the SSH
connection. However, Sprite's exec driver replaces stdin with the command pipe:
  `printf '%s' "${cmd}" | sprite exec -s NAME -- bash`
This causes the outer env_b64 pipe to be lost — `base64 -d` receives no input and writes an
empty .spawnrc, which then fails the OPENROUTER_API_KEY and openrouter.ai verification checks.

Fix: embed the base64 data directly in the command string using `printf '%s' '${env_b64}'`.
This is safe because env_b64 is validated to contain only [A-Za-z0-9+/=] — the standard
base64 alphabet — which cannot break out of single quotes or cause shell injection.

Confirmed by E2E run where sprite/claude and sprite/openclaw both failed with:
  [FAIL] OPENROUTER_API_KEY not found in .spawnrc
  [FAIL] Failed to create manual .spawnrc

Co-authored-by: spawn-qa-bot <qa@openrouter.ai>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
A 2026-03-22 02:46:05 -07:00 committed by GitHub
parent cc8b6601ec
commit 57e06bab4a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

@ -292,11 +292,13 @@ CLOUD_ENV
return 1
fi
# SECURITY: env_b64 is piped via stdin — it is NOT interpolated into the
# remote command string. The command argument to cloud_exec is a fixed
# string with no variable substitution from user-controlled data.
# SECURITY: env_b64 is embedded directly in the command string. This is safe
# because env_b64 is validated above to contain only [A-Za-z0-9+/=] — the
# standard base64 alphabet — which cannot break out of single quotes or
# cause shell injection. Piping via stdin is NOT used because Sprite's exec
# driver replaces stdin with the command pipe, causing piped data to be lost.
# The \$ escapes below are for remote shell variables, not local ones.
if printf '%s' "${env_b64}" | cloud_exec "${app_name}" "base64 -d > ~/.spawnrc && chmod 600 ~/.spawnrc && \
if cloud_exec "${app_name}" "printf '%s' '${env_b64}' | base64 -d > ~/.spawnrc && chmod 600 ~/.spawnrc && \
for _rc in ~/.bashrc ~/.profile ~/.bash_profile; do \
grep -q 'source ~/.spawnrc' \"\$_rc\" 2>/dev/null || printf '%s\n' '[ -f ~/.spawnrc ] && source ~/.spawnrc' >> \"\$_rc\"; done" >/dev/null 2>&1; then
log_ok "Manual .spawnrc created successfully"
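Review bot: in the new cloud_exec call, `printf '%s' '${env_b64}'` moves the base64-encoded .spawnrc contents (which per the commit message include OPENROUTER_API_KEY) from stdin into the command string for every cloud, not only Sprite. Base64 is an encoding, not protection, so any exec driver that passes the command as an argument or logs it will now carry the key there, and a large environment now counts against command-length limits. Consider keeping the stdin form for the SSH-based clouds, where the message says it works, and using the embedded form only for drivers that consume stdin. Separately, the quoting safety rests entirely on the [A-Za-z0-9+/=] check that the comment says is "above" and that is not in this hunk; re-asserting that check immediately before this call, and failing closed if it does not match, would keep the invariant and its only consumer from drifting apart in a later edit.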