fix: Escape API keys in continue.sh JSON configs to prevent injection (#374)

Replace vulnerable heredoc patterns across 27 continue.sh scripts with setup_continue_config() helper that uses json_escape() + upload_config_file() to safely handle API keys containing special characters like quotes or braces. Also fix _save_token_to_config() in shared/common.sh which had the same unescaped heredoc vulnerability for local token storage. Relates to #104 Agent: security-auditor Co-authored-by: A <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-29 20:39:29 +00:00 · 2026-02-11 00:13:19 -08:00 · 2026-02-11 00:13:19 -08:00 · 81bab47a74
commit 81bab47a74
parent 9fd35a77b7
28 changed files with 104 additions and 413 deletions
--- a/github-codespaces/continue.sh
+++ b/github-codespaces/continue.sh
@ -41,21 +41,7 @@ log_warn "Setting up environment variables..."
 run_in_codespace "${CODESPACE_NAME}" "printf 'export OPENROUTER_API_KEY=\"%s\"\n' '${OPENROUTER_API_KEY}' >> ~/.bashrc"
 run_in_codespace "${CODESPACE_NAME}" "printf 'export OPENROUTER_API_KEY=\"%s\"\n' '${OPENROUTER_API_KEY}' >> ~/.zshrc"

-log_warn "Creating Continue config file..."
-run_in_codespace "${CODESPACE_NAME}" "mkdir -p ~/.continue"
-run_in_codespace "${CODESPACE_NAME}" "cat > ~/.continue/config.json << 'EOF'
-{
-  \"models\": [
-    {
-      \"title\": \"OpenRouter\",
-      \"provider\": \"openrouter\",
-      \"model\": \"openrouter/auto\",
-      \"apiBase\": \"https://openrouter.ai/api/v1\",
-      \"apiKey\": \"${OPENROUTER_API_KEY}\"
-    }
-  ]
-}
-EOF"
+setup_continue_config "${OPENROUTER_API_KEY}" "upload_file" "run_server"

 echo ""
 log_info "Codespace setup completed successfully!"