fix(security): quote timeout var and validate numeric in sprite.sh (#2120)

Fixes unquoted ${timeout} in _sprite_exec_long that could allow
command injection if timeout contained shell metacharacters.
Adds numeric validation before use.

Fixes #2117

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
A 2026-03-02 13:47:39 -08:00 committed by GitHub
parent 97a92f3d4f
commit 7cc21e4111
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -205,6 +205,13 @@ _sprite_exec_long() {
local app="$1"
local cmd="$2"
local timeout="${3:-120}"
# Validate timeout is numeric to prevent command injection
if ! printf '%s' "${timeout}" | grep -qE '^[0-9]+$'; then
printf 'ERROR: timeout must be numeric, got: %s\n' "${timeout}" >&2
return 1
fi
local _attempt=0
local _max=3
local _stderr_tmp="/tmp/sprite-execl-err.$$"
@ -216,7 +223,7 @@ _sprite_exec_long() {
while [ "${_attempt}" -lt "${_max}" ]; do
_sprite_fix_config
# shellcheck disable=SC2046
sprite $(_sprite_org_flags) exec -s "${app}" -- bash -c "timeout ${timeout} bash -c \"\$(printf '%s' '${encoded_cmd}' | base64 -d)\"" 2>"${_stderr_tmp}"
sprite $(_sprite_org_flags) exec -s "${app}" -- bash -c "timeout '${timeout}' bash -c \"\$(printf '%s' '${encoded_cmd}' | base64 -d)\"" 2>"${_stderr_tmp}"
local _rc=$?
if [ "${_rc}" -eq 0 ]; then
rm -f "${_stderr_tmp}"
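Review bot: The new numeric check on `timeout` can be passed by a multi-line value, because `grep -qE '^[0-9]+$'` tests each input line separately and succeeds as soon as one line is all digits. The single quotes added around `${timeout}` in the `sprite … exec` line are expanded by the local shell inside a double-quoted string, so they protect the remote `bash -c` only when the value contains no quote or newline, which makes this validation the real control. A whole-string test closes the gap without spawning a process: `case "${timeout}" in ''|*[!0-9]*) printf 'ERROR: timeout must be numeric, got: %s\n' "${timeout}" >&2; return 1 ;; esac`. Separately, the context line `_stderr_tmp="/tmp/sprite-execl-err.$$"` uses a predictable name in /tmp; creating it with `mktemp` would avoid writing through a file or symlink that another local user created first. The body of `_sprite_exec_long` starts before and continues past the lines shown here.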