fix(security): add defensive validation to tmpdir cleanup in install.sh (#3000)

Adds a non-empty check after mktemp and guards the EXIT trap so rm -rf
only fires when tmpdir is non-empty and still a directory. This is a
defense-in-depth hardening — the current code is safe due to set -e,
but explicit validation is best practice for rm -rf operations.

Fixes #2998

Agent: code-health

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
A 2026-03-25 21:26:56 -07:00 committed by GitHub
parent 88980c15a1
commit 7378cab0b2


@ -269,7 +269,8 @@ ensure_in_path() {
# --- Helper: build and install the CLI using bun ---
build_and_install() {
tmpdir=$(mktemp -d)
trap 'rm -rf "${tmpdir}"' EXIT
[ -n "$tmpdir" ] || { log_error "mktemp failed to produce a directory path"; exit 1; }
trap '[ -n "${tmpdir}" ] && [ -d "${tmpdir}" ] && rm -rf "${tmpdir}"' EXIT
log_step "Downloading pre-built CLI binary..."
curl -fsSL --proto '=https' "https://github.com/${SPAWN_REPO}/releases/download/cli-latest/cli.js" -o "${tmpdir}/cli.js"