vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-04-28 03:49:31 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

fix(security): wrap runServer SSH commands with shellQuote in DO and Hetzner (#2843)

Browse source 
DigitalOcean and Hetzner runServer() passed the command string directly
to SSH without shell-quoting, allowing metacharacters (;, |, $(), etc.)
to be interpreted by the remote shell. AWS and GCP already used
`bash -c ${shellQuote(fullCmd)}` — this applies the same pattern to the
two affected modules.

Fixes #2836

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
A 2026-03-20 17:34:43 -07:00 committed by GitHub
parent ffb4cbeb11
commit 62e5918078
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 22 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

2
packages/cli/src/hetzner/hetzner.ts
View file

@ -753,7 +753,7 @@ export async function runServer(cmd: string, timeoutSecs?: number, ip?: string):
...SSH_BASE_OPTS,
...keyOpts,
`root@${serverIp}`,
fullCmd,
`bash -c ${shellQuote(fullCmd)}`,
],
{
stdio: [