vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-15 01:16:50 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

fix: reject non-ASCII filenames in install.sh download validation (#1802)

Browse source 
Fixes #1800 - explicit ASCII check blocks Unicode lookalike bypass

Agent: ux-engineer

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
A 2026-02-23 05:35:24 -08:00 committed by GitHub
parent 5a1929f6d4
commit 9aa41bfa67
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 8 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

8
cli/install.sh
View file

@ -205,6 +205,14 @@ clone_cli() {
curl -fsSL "${SPAWN_RAW_BASE}/cli/bun.lock" -o "${dest}/cli/bun.lock"
curl -fsSL "${SPAWN_RAW_BASE}/cli/tsconfig.json" -o "${dest}/cli/tsconfig.json"
for f in $files; do
# SECURITY: Reject non-ASCII characters (Unicode lookalikes/homoglyphs)
if [[ "$f" =~ [^[:ascii:]] ]]; then
log_error "Security: Non-ASCII characters in filename: $f"
log_error "Only ASCII filenames are allowed."
log_error "Installation aborted for safety."
exit 1
fi
# SECURITY: Strict allowlist — only alphanumeric, underscore, hyphen, .ts extension
if [[ ! "$f" =~ ^[a-zA-Z0-9_-]+\.ts$ ]]; then
log_error "Security: Invalid filename from API: $f"