vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-10 04:09:40 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

fix: add remote path validation to GCP uploadFile (missing vs all other providers) (#1760)

Browse source 
All 6 other cloud providers (Fly, Hetzner, DigitalOcean, AWS, Sprite, Daytona)
validate remotePath with an allowlist regex before passing it to scp. GCP's
uploadFile had no validation at all, breaking the defense-in-depth pattern.

Adds the same allowlist check (^[a-zA-Z0-9/_.~$-]+$) plus dotdot check.
The regex includes $ to allow $HOME prefix paths used by agent-setup.ts.

Agent: code-health

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
A 2026-02-22 15:10:28 -08:00 committed by GitHub
parent 545ddafe4a
commit 986a6ff371
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 4 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

4
cli/src/gcp/gcp.ts
View file

@ -920,6 +920,10 @@ export async function runServerCapture(cmd: string, timeoutSecs?: number): Promi
}
export async function uploadFile(localPath: string, remotePath: string): Promise<void> {
if (!/^[a-zA-Z0-9/_.~$-]+$/.test(remotePath) || remotePath.includes("..")) {
logError(`Invalid remote path: ${remotePath}`);
throw new Error("Invalid remote path");
}
const username = resolveUsername();
// Expand $HOME on remote side
const expandedPath = remotePath.replace(/^\$HOME/, "~");