fix: replace eval with declare and add base64 validation (#1557)

* fix: replace eval with declare and add base64 validation (issues #1554, #1555)

- shared/key-request.sh: replace eval with declare for defense-in-depth
  (eval avoided when safer declare alternative exists; validated vars stay safe)
- fly/lib/common.sh: add base64 output alphabet validation before shell
  interpolation, matching daytona/lib/common.sh proven-safe pattern

Fixes #1554
Fixes #1555

Agent: team-lead
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: use printf -v instead of declare for safe variable assignment in key-request.sh

Addresses security review feedback on PR #1557. The declare approach
created a local variable whose export had no effect outside the function.
printf -v assigns directly in the current scope without eval or command
substitution.

Agent: pr-maintainer
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
A 2026-02-21 01:47:33 -08:00 committed by GitHub
parent e9431430dd
commit c1f730c69a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 8 additions and 2 deletions


@ -553,10 +553,15 @@ upload_file() {
return 1
fi
# base64 output is safe (alphanumeric + /+=) so no injection risk
local content
content=$(base64 -w0 < "$local_path" 2>/dev/null || base64 < "$local_path")
# SECURITY: Validate base64 output contains only safe characters (defense-in-depth)
if [[ "${content}" =~ [^A-Za-z0-9+/=] ]]; then
log_error "upload_file: base64 output contains unexpected characters"
return 1
fi
run_server "printf '%s' '${content}' | base64 -d > '${remote_path}'"
}
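
Review bot: the new alphabet check in upload_file rejects newlines, yet the fallback `base64 < "$local_path"` on the preceding line runs precisely when `-w0` is not supported, so on any platform whose base64 wraps its output the upload will now fail with "unexpected characters" for every file larger than one output line. Strip line breaks in the fallback branch (for example by piping it through `tr -d '\n'`) before validating. The check also passes when `content` is empty, which happens if both base64 invocations fail, so add a non-empty test and return 1 in that case. Finally, `remote_path` is interpolated into the same single-quoted command string as `content`; this hunk does not show it being validated, so confirm it is checked earlier in the function or validate it next to this new check.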


@ -92,7 +92,8 @@ print(v)
fi
# SECURITY: val is already validated against ^[a-zA-Z0-9._/@-]+$ above,
# and var_name is validated against ^[A-Z_][A-Z0-9_]*$ by the caller.
eval "${var_name}=\${val}"
# Use printf -v for safe variable assignment (no command substitution/expansion).
printf -v "${var_name}" '%s' "${val}"
export "${var_name}"
return 0
fi
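
Review bot: the `printf -v "${var_name}"` assignment is only as safe as the `^[A-Z_][A-Z0-9_]*$` check that the comment says is performed by the caller, because printf -v still treats its target as a shell variable reference rather than inert data. Repeat that pattern check on `var_name` inside this function so the assignment does not depend on every call site getting it right. The exit status of printf -v is also ignored: if the assignment fails, the code still runs `export "${var_name}"` and `return 0`, so chain the two with `&&` or return 1 on failure. The retained SECURITY comment was written to justify the eval line; reword it so it describes why both validations still matter for printf -v.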