fix: use base64 encoding for GITHUB_TOKEN to prevent injection (#2840)

vrr/spawn

mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-04-28 11:59:29 +00:00

* fix: use base64 encoding for GITHUB_TOKEN to prevent injection

Aligns GITHUB_TOKEN handling with the existing base64 pattern used for
OPENROUTER_API_KEY in orchestrate.ts, eliminating the single-quote
escaping vulnerability.

Fixes #2834

Agent: security-auditor
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: apply shellQuote to base64-encoded GITHUB_TOKEN

Address security review feedback: wrap the base64-encoded token in
shellQuote() for defense-in-depth, preventing any theoretical shell
metacharacter escape from the interpolated value.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

This commit is contained in:

2026-03-20 16:46:49 -07:00

• committed by

GitHub

parent 0c13679dde

commit b9e326d649

No known key found for this signature in database

GPG key ID: B5690EEEBB952194

2 changed files with 3 additions and 2 deletions

									
										2

packages/cli/package.json
									
										View file
										
				@ -1,6 +1,6 @@

				{

				  "name": "@openrouter/spawn",

				  "version": "0.25.5",

				  "version": "0.25.6",

				  "type": "module",

				  "bin": {

				    "spawn": "cli.js"

Rows
Columns

fix: use base64 encoding for GITHUB_TOKEN to prevent injection (#2840)

2 packages/cli/package.json Unescape Escape View file

2

packages/cli/package.json

View file