From 78d95d0399d787b968abfee283efe96f5cff9200 Mon Sep 17 00:00:00 2001 From: A <258483684+la14-1@users.noreply.github.com> Date: Fri, 13 Feb 2026 07:00:26 -0800 Subject: [PATCH] fix: use safe inject_env_vars helpers in 4 missed scripts (#941) Replaces unsafe direct shell interpolation of OPENROUTER_API_KEY with the inject_env_vars_ssh/inject_env_vars_local helpers that use single-quoted values to prevent shell injection. Affected scripts: - codesandbox/codex.sh - codesandbox/interpreter.sh - codesandbox/gptme.sh - atlanticnet/goose.sh This is the same class of fix applied in PR #937 to 3 other scripts, but these 4 were missed. Agent: security-auditor Co-authored-by: A <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) --- atlanticnet/goose.sh | 7 +++---- codesandbox/codex.sh | 7 ++++--- codesandbox/gptme.sh | 3 ++- codesandbox/interpreter.sh | 7 ++++--- 4 files changed, 13 insertions(+), 11 deletions(-) diff --git a/atlanticnet/goose.sh b/atlanticnet/goose.sh index be335fe1..9919333a 100644 --- a/atlanticnet/goose.sh +++ b/atlanticnet/goose.sh @@ -51,10 +51,9 @@ else fi log_step "Setting up environment variables..." -run_server "${ATLANTICNET_SERVER_IP}" "cat >> ~/.bashrc << 'EOF' -export GOOSE_PROVIDER=openrouter -export OPENROUTER_API_KEY=${OPENROUTER_API_KEY} -EOF" +inject_env_vars_ssh "${ATLANTICNET_SERVER_IP}" upload_file run_server \ + "GOOSE_PROVIDER=openrouter" \ + "OPENROUTER_API_KEY=${OPENROUTER_API_KEY}" echo "" log_info "Server setup completed successfully!" diff --git a/codesandbox/codex.sh b/codesandbox/codex.sh index 42ed5cc5..b0bb3883 100644 --- a/codesandbox/codex.sh +++ b/codesandbox/codex.sh @@ -29,9 +29,10 @@ else fi log_step "Setting up environment variables..." -run_server 'echo "export OPENROUTER_API_KEY=\"'"${OPENROUTER_API_KEY}"'\"" >> ~/.bashrc' -run_server 'echo "export OPENAI_API_KEY=\"'"${OPENROUTER_API_KEY}"'\"" >> ~/.bashrc' -run_server 'echo "export OPENAI_BASE_URL=\"https://openrouter.ai/api/v1\"" >> ~/.bashrc' +inject_env_vars_local upload_file run_server \ + "OPENROUTER_API_KEY=${OPENROUTER_API_KEY}" \ + "OPENAI_API_KEY=${OPENROUTER_API_KEY}" \ + "OPENAI_BASE_URL=https://openrouter.ai/api/v1" echo "" log_info "CodeSandbox setup completed successfully!" diff --git a/codesandbox/gptme.sh b/codesandbox/gptme.sh index f21c8f96..5bd15acd 100644 --- a/codesandbox/gptme.sh +++ b/codesandbox/gptme.sh @@ -47,7 +47,8 @@ MODEL_ID=$(get_model_id_interactive "openrouter/auto" "gptme") || exit 1 # Inject environment variables log_step "Setting up environment variables..." -run_server 'echo "export OPENROUTER_API_KEY=\"'"${OPENROUTER_API_KEY}"'\"" >> ~/.bashrc' +inject_env_vars_local upload_file run_server \ + "OPENROUTER_API_KEY=${OPENROUTER_API_KEY}" echo "" log_info "CodeSandbox setup completed successfully!" diff --git a/codesandbox/interpreter.sh b/codesandbox/interpreter.sh index c10cca90..8b3d751f 100644 --- a/codesandbox/interpreter.sh +++ b/codesandbox/interpreter.sh @@ -32,9 +32,10 @@ else fi log_step "Setting up environment variables..." -run_server 'echo "export OPENROUTER_API_KEY=\"'"${OPENROUTER_API_KEY}"'\"" >> ~/.bashrc' -run_server 'echo "export OPENAI_API_KEY=\"'"${OPENROUTER_API_KEY}"'\"" >> ~/.bashrc' -run_server 'echo "export OPENAI_BASE_URL=\"https://openrouter.ai/api/v1\"" >> ~/.bashrc' +inject_env_vars_local upload_file run_server \ + "OPENROUTER_API_KEY=${OPENROUTER_API_KEY}" \ + "OPENAI_API_KEY=${OPENROUTER_API_KEY}" \ + "OPENAI_BASE_URL=https://openrouter.ai/api/v1" echo "" log_info "CodeSandbox setup completed successfully!"