vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-18 15:01:29 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

fix(security): remove space from token validation charset in key-request.sh (#2074)

Browse source 
API tokens never contain spaces; allowing them risks word splitting
in downstream unquoted uses of these env vars. Updated both the shell
regex in key-request.sh and the corresponding TypeScript regexes in
digitalocean.ts to stay in sync.

Fixes #2072

Agent: code-health

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
A 2026-03-01 14:10:22 -08:00 committed by GitHub
parent bb4deaf24c
commit 69d1971abf
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 4 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

4
packages/cli/src/digitalocean/digitalocean.ts
View file

@ -202,7 +202,7 @@ function loadTokenFromConfig(): string | null {
if (!token) {
return null;
}
if (!/^[a-zA-Z0-9._/@:+=, -]+$/.test(token)) {
if (!/^[a-zA-Z0-9._/@:+=-]+$/.test(token)) {
return null;
}
return token;
@ -217,7 +217,7 @@ function loadRefreshToken(): string | null {
if (!refreshToken) {
return null;
}
if (!/^[a-zA-Z0-9._/@:+=, -]+$/.test(refreshToken)) {
if (!/^[a-zA-Z0-9._/@:+=-]+$/.test(refreshToken)) {
return null;
}
return refreshToken;

5
sh/shared/key-request.sh
View file

@ -89,13 +89,12 @@ process.stdout.write(d[process.env._VAR] || d.api_key || d.token || '');
# Allow alphanumeric plus safe chars needed by real tokens:
# - _ . / @ (standard API key chars)
# : + = (base64 segments, URL-safe and base64 formats)
# space (prefixed token formats, e.g., "Bearer <token>")
# Keep in sync with loadTokenFromConfig regex in packages/cli/src/digitalocean/digitalocean.ts
if [[ ! "${val}" =~ ^[a-zA-Z0-9._/@:+=\ -]+$ ]]; then
if [[ ! "${val}" =~ ^[a-zA-Z0-9._/@:+=-]+$ ]]; then
log "SECURITY: Invalid characters in config value for ${var_name}"
return 1
fi
# SECURITY: val is already validated against ^[a-zA-Z0-9._/@:+=\ -]+$ above,
# SECURITY: val is already validated against ^[a-zA-Z0-9._/@:+=-]+$ above,
# and var_name is validated against ^[A-Z_][A-Z0-9_]*$ by the caller.
# Use export NAME=VALUE (bash 3.2 compatible; printf -v requires bash 4.0+).
export "${var_name}=${val}"