fix(security): escape single quotes in standard SSH enter-agent path (#1902)

vrr/spawn

mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-04 23:00:20 +00:00

The standard SSH path in cmdEnterAgent() interpolated remoteCmd into a
single-quoted bash -lc wrapper without escaping embedded single quotes.
If launch_cmd (from history.json) or the manifest's launch/pre_launch
fields contained a single quote, the shell quoting would break, allowing
unintended command execution on the remote server.

The Fly.io path already had this escaping (PR #1880, #1893) but the
generic SSH fallback did not. This adds the same replace(/'/g, "'\\''")
pattern used everywhere else in the codebase.

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

This commit is contained in:

2026-02-24 22:06:13 -08:00

• committed by

GitHub

parent c55b78235c

commit 9e309f1ff5

No known key found for this signature in database

GPG key ID: B5690EEEBB952194

2 changed files with 4 additions and 3 deletions

									
										2

packages/cli/package.json
									
										View file
										
				@ -1,6 +1,6 @@

				{

				  "name": "@openrouter/spawn",

				  "version": "0.10.8",

				  "version": "0.10.9",

				  "type": "module",

				  "bin": {

				    "spawn": "cli.js"

Rows
Columns

fix(security): escape single quotes in standard SSH enter-agent path (#1902)

2 packages/cli/package.json Unescape Escape View file

2

packages/cli/package.json

View file