fix: Validate issue param and fix Render JSON injection + Hyperstack API bug (#234)

- Validate SPAWN_ISSUE is a positive integer in both trigger-server.ts and refactor.sh to prevent command injection via crafted issue params - Use Python json.dumps for Render _render_create_service JSON body instead of string interpolation (prevents JSON injection) - Remove erroneous "api_key" 6th argument in Hyperstack generic_cloud_api call that was being interpreted as max_retries, breaking all API calls Agent: security-auditor Co-authored-by: A <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-05 23:50:48 +00:00 · 2026-02-10 12:52:23 -08:00 · 2026-02-10 12:52:23 -08:00 · cbba92c3c0
commit cbba92c3c0
parent f559af0152
4 changed files with 39 additions and 16 deletions
--- a/render/lib/common.sh
+++ b/render/lib/common.sh
@ -133,26 +133,35 @@ _render_create_service() {
    local service_name="$1"
    log_warn "Creating Render web service: $service_name"

+    # Build JSON body safely via Python to prevent injection
+    local body
+    body=$(printf '%s' "$service_name" | python3 -c "
+import json, sys
+name = sys.stdin.read()
+body = {
+    'type': 'web_service',
+    'name': name,
+    'runtime': 'docker',
+    'dockerfilePath': './Dockerfile',
+    'repo': 'https://github.com/render-examples/docker-hello-world',
+    'autoDeploy': 'yes',
+    'serviceDetails': {
+        'plan': 'starter',
+        'region': 'oregon',
+        'healthCheckPath': '/',
+        'env': 'docker',
+        'disk': None
+    }
+}
+print(json.dumps(body))
+")
+
    # Create service via API
    local create_response
    create_response=$(curl -s -X POST "https://api.render.com/v1/services" \
        -H "Authorization: Bearer ${RENDER_API_KEY}" \
        -H "Content-Type: application/json" \
-        -d "{
-            \"type\": \"web_service\",
-            \"name\": \"${service_name}\",
-            \"runtime\": \"docker\",
-            \"dockerfilePath\": \"./Dockerfile\",
-            \"repo\": \"https://github.com/render-examples/docker-hello-world\",
-            \"autoDeploy\": \"yes\",
-            \"serviceDetails\": {
-                \"plan\": \"starter\",
-                \"region\": \"oregon\",
-                \"healthCheckPath\": \"/\",
-                \"env\": \"docker\",
-                \"disk\": null
-            }
-        }" 2>&1)
+        -d "$body" 2>&1)

    if echo "$create_response" | grep -q "error"; then
        log_error "Failed to create Render service"